Critical Vulnerability in XZ Utils for Linux

Summary

 A critical vulnerability in XZ Utils (CVE-2024-3094) could lead to RCE via SSH on affected Linux distributions.


Affected platforms

The following platforms are known to be affected:

Fedora 40, Fedora 41 and Fedora Rawhide
Debian testing, unstable and experimental
Kali Linux installations updated between 26 and 29 March 2024
openSUSE Tumbleweed and openSUSE MicroOS

Threat details

Introduction

Red Hat has released a security advisory to address a critical vulnerability in XZ Utils for Linux. XZ Utils provides the xz general-purpose data compression tools and the liblzma library, which are present in nearly every Linux distribution as well as many community projects and commercial product distributions.

The vulnerability, tracked as CVE-2024-3094 with a CVSSv3 score of 10.0, could allow an unauthenticated remote attacker to execute code through the OpenSSH server (sshd) on affected distributions, because the backdoor runs inside the sshd process before authentication completes.


Vulnerability Details

Malicious code was found by security researchers in the release tarballs of XZ Utils versions 5.6.0 and 5.6.1. An obfuscated build script, seeded from files in the project's test directory, runs during compilation to extract the malicious code and alter the liblzma component of XZ Utils. The backdoored liblzma can then intercept and alter function calls in any process that loads it. Several Linux distributions patch OpenSSH so that sshd links libsystemd (for service start-up notification), and libsystemd in turn links liblzma, so on those distributions the backdoor is loaded into the network-facing sshd process and the system is exposed to RCE.

Proof-of-concept available for CVE-2024-3094

Proof-of-concept code for CVE-2024-3094 has been made publicly available, which increases the likelihood of exploitation. Note that the backdoor only acts on payloads signed with the attacker's private key, so public proof-of-concept code demonstrates the mechanism by rebuilding liblzma with a replacement key rather than exploiting an unmodified backdoored system; it still shows defenders exactly what a compromised host looks like.


Remediation advice

Organisations should follow the advice in the CISA advisory and downgrade XZ Utils to an uncompromised version (CISA cites 5.4.6 Stable). Additionally, organisations running an affected Linux distribution should follow the relevant vendor advisory, some of which are listed below. Where a host ran a backdoored build with sshd exposed to the network, treat it as potentially compromised rather than merely unpatched.
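As an added example (not the advisory's or any vendor's own code), the checks a practitioner would run on a Linux host before and after applying the vendor guidance: does the installed xz or liblzma come from a backdoored release, and is liblzma actually mapped into sshd, which is what makes the backdoor reachable over the network. The function names, the --run flag and the library directories searched are assumptions of this example; the distribution's package manager remains the authoritative source for package versions.

```sh
#!/bin/sh
# Added triage script for CVE-2024-3094 (not from the advisory or any
# vendor). Function names, the --run flag and the library search paths
# are this example's assumptions.

# is_backdoored_version VERSION: succeeds when VERSION is a package version
# built from one of the two upstream releases that carried the backdoor
# (5.6.0, 5.6.1). Debian's fixed package keeps the 5.6.1 prefix so that it
# sorts as an upgrade ("5.6.1+really5.4.5-1") but is really 5.4.5, so the
# "+really" case is matched first and treated as clean. Vendor advisories
# may flag a wider range (Debian lists from 5.5.1alpha-0.1); follow them.
is_backdoored_version() {
    case "$1" in
        *+really*)      return 1 ;;
        5.6.0*|5.6.1*)  return 0 ;;
        *)              return 1 ;;
    esac
}

# parse_xz_version: reads the output of "xz --version" on stdin and prints
# the bare version from its first line, e.g. "xz (XZ Utils) 5.6.1" -> 5.6.1.
parse_xz_version() {
    IFS= read -r first_line || return 1
    echo "${first_line##* }"
}

# installed_xz_version: prints the version of the xz binary on PATH, or
# fails if xz is not installed.
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    xz --version 2>/dev/null | parse_xz_version
}

# find_backdoored_liblzma: prints any liblzma shared object whose file name
# carries a backdoored release version. liblzma can be installed without
# the xz binary, so this catches hosts the version check above would miss.
find_backdoored_liblzma() {
    for f in /usr/lib/liblzma.so.5.6.* /usr/lib64/liblzma.so.5.6.* \
             /usr/lib/*/liblzma.so.5.6.* /lib/*/liblzma.so.5.6.*; do
        [ -e "$f" ] || continue
        case "$f" in *liblzma.so.5.6.0*|*liblzma.so.5.6.1*) echo "$f" ;; esac
    done
}

# sshd_maps_liblzma: succeeds when sshd has liblzma loaded. A running sshd
# is checked through /proc/PID/maps, which lists every shared object that
# is actually mapped (including ones pulled in indirectly via libsystemd).
# The on-disk binary is checked with ldd as a fallback, e.g. when sshd is
# stopped or /proc/PID/maps is unreadable because the script is not root.
sshd_maps_liblzma() {
    for pid in $(pidof sshd 2>/dev/null); do
        grep -q liblzma "/proc/$pid/maps" 2>/dev/null && return 0
    done
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | grep -q liblzma
}

# triage_host: prints an assessment and returns 0 (clean), 2 (backdoored
# xz/liblzma present) or 3 (backdoored liblzma present and mapped into
# sshd, i.e. reachable from the network).
triage_host() {
    ver=$(installed_xz_version) || ver="(xz binary not installed)"
    libs=$(find_backdoored_liblzma)
    if ! is_backdoored_version "$ver" && [ -z "$libs" ]; then
        echo "clean: xz $ver, no backdoored liblzma found"
        return 0
    fi
    msg="backdoored XZ Utils present: xz $ver"
    [ -n "$libs" ] && msg="$msg; liblzma files: $libs"
    echo "$msg"
    if sshd_maps_liblzma; then
        echo "sshd maps liblzma: backdoor is network-reachable, downgrade immediately"
        return 3
    fi
    echo "sshd does not map liblzma here, but downgrade regardless"
    return 2
}

# Run the triage only when invoked with --run, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    triage_host
    exit $?
fi
```

Run it as root (sh xz_triage.sh --run) so that /proc/PID/maps of the root-owned sshd can be read; unprivileged runs fall back to ldd on the binary, which tells you what would be loaded, not what is loaded now. A 5.6.x version string on a Debian host is not by itself proof of compromise, because the fixed package deliberately keeps the 5.6.1 prefix, and a host that reports clean after downgrading still needs its sshd restarted so the old library is unmapped.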


Remediation steps

Type: Guidance
Step: Fedora 40, Fedora 41 and Fedora Rawhide users should immediately stop usage until XZ Utils can be downgraded. RHEL is not affected.
Reference: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Type: Guidance
Step: Users of Debian testing, unstable and experimental distributions with XZ Utils versions 5.5.1alpha-0.1 to 5.6.1-1 should immediately upgrade XZ Utils to version 5.6.1+really5.4.5-1 (a repackaged 5.4.5). Debian Stable is not affected.
Reference: https://lists.debian.org/debian-security-announce/2024/msg00057.html

Type: Guidance
Step: Users of Kali Linux installations updated between 26 and 29 March 2024 should immediately update Kali Linux to downgrade XZ Utils.
Reference: https://www.kali.org/blog/about-the-xz-backdoor/

Type: Guidance
Step: openSUSE Tumbleweed and openSUSE MicroOS users should immediately update to downgrade XZ Utils. SUSE Linux Enterprise and openSUSE Leap are not affected.
Reference: https://news.opensuse.org/2024/03/29/xz-backdoor/


Last edited: 3 April 2024 9:15 am