Supply Chain Attack via XZ Library Resulting in SSH Backdoor [CVE-2024-3094]

April 1, 2024, Ingrid

A supply chain attack on open source software was discovered. On March 29th, CISA announced that malicious code was found in version 5.6.0 and later of the xz tarballs [1]. Although no stable Linux distributions are known to be compromised, OpenSSH servers linked against the backdoored library could allow remote code execution once the attacker's signature is validated [CVE-2024-3094].

Status

This vulnerability has not yet been analyzed by NVD, but the reporting CNA (Red Hat) has indicated that it is a critical vulnerability [2]. We are tracking this issue and will provide new information as it becomes available.

Detecting this vulnerability externally is challenging because of how the backdoor is integrated into the OpenSSH package and because it is designed to evade detection.

References

[1] CISA, "Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094"
[2] Red Hat, "CVE-2024-3094"
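Because the advisory notes that external detection is unreliable, the practical first check is local: confirm whether the installed xz release falls in the range the advisory names (5.6.0 and later). The script below is an added example, not part of the original advisory; the `xz --version` output format it parses and the sample output it tests against are constructed here as assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an xz version string
# against the affected range for CVE-2024-3094, which the advisory gives
# as 5.6.0 and later, and read that version from `xz --version` output.

# Usage: xz_version_affected "5.6.1"; returns 0 when affected, 1 otherwise.
xz_version_affected() {
    # Split "major.minor.patch" on dots; a non-digit suffix (e.g. "0alpha")
    # is stripped, and a missing component defaults to 0.
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    major="${1%%[!0-9]*}"; minor="${2%%[!0-9]*}"; patch="${3%%[!0-9]*}"
    major="${major:-0}"; minor="${minor:-0}"; patch="${patch:-0}"
    # Numeric comparison against 5.6.0, component by component.
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -lt 5 ]; then return 1; fi
    if [ "$minor" -gt 6 ]; then return 0; fi
    if [ "$minor" -lt 6 ]; then return 1; fi
    return 0   # 5.6.x: every patch level is in the stated range
}

# Extract the version number from the first line of `xz --version` output,
# assumed to look like "xz (XZ Utils) 5.4.6" (constructed assumption).
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*[Uu]tils) \([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample output, used so the parser can be exercised offline.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Defender-side check of the local installation; exit status 0 = affected.
check_local_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 2; }
    v=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$v"; then
        echo "xz $v is in the affected range; treat liblzma and sshd as suspect"
        return 0
    fi
    echo "xz $v is outside the affected range"
    return 1
}
```

Run `check_local_xz` on each host; a version match is a trigger for package verification and rollback, not proof of compromise by itself.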