A backdoor [CVE-2024-3094] was introduced into liblzma5, a small but crucial compression library maintained by the Tukaani project as part of xz. Because sshd on several distributions links liblzma, this also placed a backdoor in SSH, a common remote administration service that is often exposed directly to the Internet. The vulnerability could allow remote code execution by an attacker who can present a payload signed with the key the backdoor accepts. The backdoor made its way into the unstable (development) releases of several Linux distributions and was also present in the mainline branches of xz itself.
If the payload is malformed or the attacker’s signature does not verify, the backdoor falls back to normal sshd operation.
Cybersecurity news:
April 1, 2024: Supply chain attack details and tracking started.
Impacted Systems
- xz version 5.6.0 and later.
- Other applications that link liblzma5 may also be affected.
Remediation & Mitigation
Follow the CISA recommendations and revert xz tarballs to a stable version released before 5.6.0.
Resources
- NIST, “CVE-2024-3094 Detail”
- Openwall, “Backdoor in Upstream XZ/Liblzma Leading to SSH Server Compromise”
- Red Hat, “CVE-2024-3094”