Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094

ronjor · Mar 29, 2024

Release Date March 29, 2024

CISA and the open source community are responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. This activity was assigned CVE-2024-3094. XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems.
Click to expand...

CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA.
Click to expand...

Red Hat: Urgent security alert for Fedora 41 and Rawhide users

reasonablePrivacy · Mar 29, 2024

That's huge. Kudos for discovering it before it entered stable version of any major distro.
Personally I switched to use tar+7z combo for ad-hoc directory archivization, but probably lots of other tools my use it.

reasonablePrivacy · Mar 30, 2024

Disclosure on openwall: https://www.openwall.com/lists/oss-security/2024/03/29/4

GitHub Disables The XZ Repository Following Today's Malicious Disclosure
https://www.phoronix.com/news/GitHub-Disables-XZ-Repo

With upstream XZ having not issued any corrected release yet and contributions by one of its core contributors -- and release creators -- over the past two years called into question, it's not without cause to outright taking the hammer to the XZ repository public access. At this point, it can simply not be trusted until further evaluation.
Click to expand...

Some such as within Fedora discussions have raised the prospects whether XZ should be forked albeit there still is the matter of auditing past commits. Others like Debian have considered pulling back to the latest release prior to the bad actor and then just patching vetted security fixes on top. Meanwhile others have suggested this is good motivation for moving off XZ/liblzma to alternatives such as using Zstd.
Click to expand...

Personally I moved on some years ago to (p)7zip for small ad-hoc archives and Zstd for big backups, because xz seemed to not be maintained at stable pace, and downstream xz packages were also not up to date in some distributions. I hope that same fate won't happen to other compression tools.

ronjor · Apr 1, 2024

What we know about the xz Utils backdoor that almost infected the world

Dan Goodin - 4/1/2024
Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.
Click to expand...

reasonablePrivacy · Apr 2, 2024

Firmware security firm Binarly has released a free online scanner to detect Linux executables impacted by the XZ Utils supply chain attack, tracked as CVE-2024-3094.
Click to expand...

Binarly Research Team said:

"Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation. It could already be deployed elsewhere or partially reused in other operations. That's exactly why we started focusing on more generic detection for this complex backdoor."
Click to expand...

https://www.bleepingcomputer.com/news/security/new-xz-backdoor-scanner-detects-implant-in-any-linux-binary/

It is worth to remind that complete reinstall of affected systems is advised.

Log in or Sign up

Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094

ronjor Global Moderator

reasonablePrivacy Registered Member

reasonablePrivacy Registered Member

ronjor Global Moderator

reasonablePrivacy Registered Member

Log in or Sign up

Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094

ronjor Global Moderator

reasonablePrivacy Registered Member

reasonablePrivacy Registered Member

ronjor Global Moderator

reasonablePrivacy Registered Member

Useful Searches