A supply chain attack on open source software was discovered. On March 29th, CISA announced that malicious code had been found in versions 5.6.0 and 5.6.1 of the upstream xz tarballs[1]. No stable Linux distribution release is known to ship the backdoored builds, but on affected systems the malicious liblzma is loaded into the OpenSSH server process, where it hooks key verification and can allow unauthenticated remote code execution when a connecting client presents a payload signed with the attacker's private key [CVE-2024-3094].
Status
- This vulnerability has not yet been analyzed by NVD, but the reporting CNA (Red Hat) has rated it critical[2].
- We are tracking this issue and will provide new information as it becomes available.
Detecting this vulnerability externally is challenging: the backdoor lives in liblzma rather than in OpenSSH itself, reaches sshd only through the libsystemd linkage that some distributions add to their sshd builds, and is designed to evade detection (it is injected at build time from files in the test directory and only activates under specific runtime conditions). Local checks of the installed xz version and of the liblzma library that sshd actually links against are more reliable than remote scanning.
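The local checks described above, as an added example that is not part of this page or of any vendor tool: a POSIX sh triage script that flags the affected upstream xz versions, resolves the liblzma that sshd links against, and scans that library for the hooked function's x86-64 prologue bytes. It assumes xz, ldd and od are on PATH; the hex pattern is the signature circulated in the public detect.sh script at disclosure and is one indicator, not proof, so confirm it against that script before relying on it in an incident.

```shell
#!/bin/sh
# Added example (not from the original page): local triage checks for CVE-2024-3094.
# Assumptions: a Linux host with xz, ldd and od on PATH. The byte pattern below is the
# function-prologue signature circulated with the public detect.sh script for the
# backdoored liblzma builds; treat a match as one indicator and verify by other means.

# Upstream tarball versions that shipped the malicious build-time payload.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# First line of `xz --version` is "xz (XZ Utils) X.Y.Z"; keep the last field.
installed_xz_version() {
    xz --version 2>/dev/null | sed -n '1s/.* //p'
}

# Path of the liblzma that sshd links (empty if sshd is absent or does not link it).
# Only sshd builds patched to link libsystemd pull liblzma into the server process.
sshd_liblzma_path() {
    sshd_bin=$(command -v sshd 2>/dev/null) || return 0
    ldd "$sshd_bin" 2>/dev/null | grep liblzma | sed -n 's/.*=> \([^ ]*\).*/\1/p' | head -n 1
}

# endbr64; push rbp; mov rbp,rsi; mov rsi,r9; push rbx; mov ebx,edi; and edi,0x80000000;
# sub rsp,0x28; mov [rsp+0x18],rdx; mov [rsp+0x10],rcx  (prologue of the hooked function)
SIGNATURE='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

# Dump the file as one continuous lowercase hex string and look for the signature.
has_backdoor_signature() {
    [ -r "$1" ] || return 1
    od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$SIGNATURE"
}

# Constructed sample (not a real library): the 34 signature bytes written in octal,
# so the scanner can be exercised offline on a known-positive input.
write_constructed_sample() {
    printf '\363\017\036\372\125\110\211\365\114\211\316\123\211\373\201\347\000\000\000\200\110\203\354\050\110\211\124\044\030\110\211\114\044\020' > "$1"
}

main() {
    ver=$(installed_xz_version)
    if [ -n "$ver" ] && is_affected_version "$ver"; then
        echo "xz $ver: affected upstream version"
    else
        echo "xz ${ver:-not found}: not an affected upstream version (distro backports may differ)"
    fi
    lib=$(sshd_liblzma_path)
    if [ -z "$lib" ]; then
        echo "sshd does not link liblzma: the sshd exposure path is not present on this host"
    elif has_backdoor_signature "$lib"; then
        echo "$lib: backdoor signature found, treat this host as compromised"
    else
        echo "$lib: signature not found"
    fi
}

main
```

The version check alone is not sufficient: distributions may report a patched package with the same upstream version number, and the malicious object only ends up in sshd where sshd links libsystemd. The linkage plus signature check therefore answers the question that matters, namely whether the sshd process on this host loads a library carrying the hooked code.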