CVE-2024-3094

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
References
Link Resource
https://access.redhat.com/security/cve/CVE-2024-3094 Vendor Advisory
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ Third Party Advisory
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
https://boehs.org/node/everything-i-know-about-the-xz-backdoor Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 Mailing List Vendor Advisory
https://bugs.gentoo.org/928134 Issue Tracking Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2272210 Issue Tracking Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1222124 Issue Tracking Third Party Advisory
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 Third Party Advisory
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 Third Party Advisory
https://github.com/advisories/GHSA-rxwq-x6h5-x525 Third Party Advisory
https://github.com/amlweems/xzbot
https://github.com/karcherm/xz-malware Third Party Advisory
https://gynvael.coldwind.pl/?lang=en&id=782 Technical Description Third Party Advisory
https://lists.debian.org/debian-security-announce/2024/msg00057.html Mailing List Third Party Advisory
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html Third Party Advisory
https://lwn.net/Articles/967180/ Issue Tracking Third Party Advisory
https://news.ycombinator.com/item?id=39865810 Issue Tracking Third Party Advisory
https://news.ycombinator.com/item?id=39877267 Issue Tracking
https://news.ycombinator.com/item?id=39895344
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/ Third Party Advisory
https://research.swtch.com/xz-script
https://research.swtch.com/xz-timeline
https://security-tracker.debian.org/tracker/CVE-2024-3094 Third Party Advisory
https://security.alpinelinux.org/vuln/CVE-2024-3094 Third Party Advisory
https://security.archlinux.org/CVE-2024-3094 Third Party Advisory
https://security.netapp.com/advisory/ntap-20240402-0001/
https://tukaani.org/xz-backdoor/ Issue Tracking Vendor Advisory
https://twitter.com/LetsDefendIO/status/1774804387417751958 Third Party Advisory
https://twitter.com/debian/status/1774219194638409898 Press/Media Coverage
https://twitter.com/infosecb/status/1774595540233167206 Press/Media Coverage
https://twitter.com/infosecb/status/1774597228864139400 Press/Media Coverage
https://ubuntu.com/security/CVE-2024-3094 Third Party Advisory
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 Third Party Advisory US Government Resource
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils Third Party Advisory
https://www.kali.org/blog/about-the-xz-backdoor/
https://www.openwall.com/lists/oss-security/2024/03/29/4 Mailing List
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users Vendor Advisory
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils Third Party Advisory
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/ Press/Media Coverage
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
https://xeiaso.net/notes/2024/xz-vuln/ Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*

History

12 Apr 2024, 07:15

Type Values Removed Values Added
References
  • () https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz -

03 Apr 2024, 06:15

Type Values Removed Values Added
References
  • () https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/ -
  • () https://research.swtch.com/xz-script -
  • () https://research.swtch.com/xz-timeline -

03 Apr 2024, 04:15

Type Values Removed Values Added
References
  • () https://www.kali.org/blog/about-the-xz-backdoor/ -

02 Apr 2024, 23:15

Type Values Removed Values Added
Summary
  • (es) Se descubrió código malicioso en los archivos tar ascendentes de xz, a partir de la versión 5.6.0. A través de una serie de ofuscaciones complejas, el proceso de compilación de liblzma extrae un archivo objeto premanipulado de un archivo de prueba disfrazado existente en el código fuente, que luego se utiliza para modificar funciones específicas en el código de liblzma. Esto da como resultado una librería liblzma modificada que puede ser utilizada por cualquier software vinculado a esta librería, interceptando y modificando la interacción de datos con esta librería.
References
  • () https://security.netapp.com/advisory/ntap-20240402-0001/ -

01 Apr 2024, 18:15

Type Values Removed Values Added
References
  • () https://github.com/amlweems/xzbot -
  • () https://news.ycombinator.com/item?id=39895344 -
  • () https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094 -

01 Apr 2024, 17:23

Type Values Removed Values Added
CPE cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*
cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*
References
  • () https://twitter.com/LetsDefendIO/status/1774804387417751958 - Third Party Advisory
References () https://access.redhat.com/security/cve/CVE-2024-3094 - () https://access.redhat.com/security/cve/CVE-2024-3094 - Vendor Advisory
References () https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ - () https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ - Third Party Advisory
References () https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ - () https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ - Third Party Advisory
References () https://boehs.org/node/everything-i-know-about-the-xz-backdoor - () https://boehs.org/node/everything-i-know-about-the-xz-backdoor - Third Party Advisory
References () https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 - () https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 - Mailing List, Vendor Advisory
References () https://bugs.gentoo.org/928134 - () https://bugs.gentoo.org/928134 - Issue Tracking, Third Party Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=2272210 - () https://bugzilla.redhat.com/show_bug.cgi?id=2272210 - Issue Tracking, Vendor Advisory
References () https://bugzilla.suse.com/show_bug.cgi?id=1222124 - () https://bugzilla.suse.com/show_bug.cgi?id=1222124 - Issue Tracking, Third Party Advisory
References () https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 - () https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 - Third Party Advisory
References () https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 - () https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 - Third Party Advisory
References () https://github.com/advisories/GHSA-rxwq-x6h5-x525 - () https://github.com/advisories/GHSA-rxwq-x6h5-x525 - Third Party Advisory
References () https://github.com/karcherm/xz-malware - () https://github.com/karcherm/xz-malware - Third Party Advisory
References () https://gynvael.coldwind.pl/?lang=en&id=782 - () https://gynvael.coldwind.pl/?lang=en&id=782 - Technical Description, Third Party Advisory
References () https://lists.debian.org/debian-security-announce/2024/msg00057.html - () https://lists.debian.org/debian-security-announce/2024/msg00057.html - Mailing List, Third Party Advisory
References () https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html - () https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html - Third Party Advisory
References () https://lwn.net/Articles/967180/ - () https://lwn.net/Articles/967180/ - Issue Tracking, Third Party Advisory
References () https://news.ycombinator.com/item?id=39865810 - () https://news.ycombinator.com/item?id=39865810 - Issue Tracking, Third Party Advisory
References () https://news.ycombinator.com/item?id=39877267 - () https://news.ycombinator.com/item?id=39877267 - Issue Tracking
References () https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/ - () https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/ - Third Party Advisory
References () https://security-tracker.debian.org/tracker/CVE-2024-3094 - () https://security-tracker.debian.org/tracker/CVE-2024-3094 - Third Party Advisory
References () https://security.alpinelinux.org/vuln/CVE-2024-3094 - () https://security.alpinelinux.org/vuln/CVE-2024-3094 - Third Party Advisory
References () https://security.archlinux.org/CVE-2024-3094 - () https://security.archlinux.org/CVE-2024-3094 - Third Party Advisory
References () https://tukaani.org/xz-backdoor/ - () https://tukaani.org/xz-backdoor/ - Issue Tracking, Vendor Advisory
References () https://twitter.com/debian/status/1774219194638409898 - () https://twitter.com/debian/status/1774219194638409898 - Press/Media Coverage
References () https://twitter.com/infosecb/status/1774595540233167206 - () https://twitter.com/infosecb/status/1774595540233167206 - Press/Media Coverage
References () https://twitter.com/infosecb/status/1774597228864139400 - () https://twitter.com/infosecb/status/1774597228864139400 - Press/Media Coverage
References () https://ubuntu.com/security/CVE-2024-3094 - () https://ubuntu.com/security/CVE-2024-3094 - Third Party Advisory
References () https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 - () https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 - Third Party Advisory, US Government Resource
References () https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils - () https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils - Third Party Advisory
References () https://www.openwall.com/lists/oss-security/2024/03/29/4 - () https://www.openwall.com/lists/oss-security/2024/03/29/4 - Mailing List
References () https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users - () https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users - Vendor Advisory
References () https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils - () https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils - Third Party Advisory
References () https://www.theregister.com/2024/03/29/malicious_backdoor_xz/ - () https://www.theregister.com/2024/03/29/malicious_backdoor_xz/ - Press/Media Coverage
References () https://xeiaso.net/notes/2024/xz-vuln/ - () https://xeiaso.net/notes/2024/xz-vuln/ - Third Party Advisory
First Time Tukaani xz
Tukaani

01 Apr 2024, 05:15

Type Values Removed Values Added
References
  • () https://boehs.org/node/everything-i-know-about-the-xz-backdoor -
  • () https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 -
  • () https://bugs.gentoo.org/928134 -
  • () https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 -
  • () https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 -
  • () https://github.com/advisories/GHSA-rxwq-x6h5-x525 -
  • () https://github.com/karcherm/xz-malware -
  • () https://lists.debian.org/debian-security-announce/2024/msg00057.html -
  • () https://lwn.net/Articles/967180/ -
  • () https://tukaani.org/xz-backdoor/ -
  • () https://twitter.com/debian/status/1774219194638409898 -
  • () https://twitter.com/infosecb/status/1774595540233167206 -
  • () https://twitter.com/infosecb/status/1774597228864139400 -
  • () https://ubuntu.com/security/CVE-2024-3094 -
  • () https://xeiaso.net/notes/2024/xz-vuln/ -

31 Mar 2024, 01:15

Type Values Removed Values Added
References
  • () https://gynvael.coldwind.pl/?lang=en&id=782 -
  • () https://news.ycombinator.com/item?id=39877267 -

30 Mar 2024, 20:15

Type Values Removed Values Added
References
  • () https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html -

30 Mar 2024, 11:15

Type Values Removed Values Added
References
  • () https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ -
  • () https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ -
  • () https://bugzilla.suse.com/show_bug.cgi?id=1222124 -
  • () https://news.ycombinator.com/item?id=39865810 -
  • () https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/ -
  • () https://security-tracker.debian.org/tracker/CVE-2024-3094 -
  • () https://security.alpinelinux.org/vuln/CVE-2024-3094 -
  • () https://security.archlinux.org/CVE-2024-3094 -
  • () https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 -
  • () https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils -
  • () https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils -
  • () https://www.theregister.com/2024/03/29/malicious_backdoor_xz/ -

29 Mar 2024, 19:15

Type Values Removed Values Added
Summary (en) Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions. (en) Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

29 Mar 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-03-29 17:15

Updated : 2024-04-12 07:15


NVD link : CVE-2024-3094

Mitre link : CVE-2024-3094

CVE.ORG link : CVE-2024-3094


JSON object : View

Products Affected

tukaani

  • xz
CWE
CWE-506

Embedded Malicious Code