CVE-2024-3094

Published Mar 29, 2024

Last updated 15 days ago

CVSS critical 10.0

Overview

Description
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Source
secalert@redhat.com
NVD status
Modified

Insights

Analysis from the Intruder Security Team
Published Oct 15, 2024

The attack is believed to be a nation-state level attack, and only the rogue developer and groups with which the compromised key has been shared would be able to gain access. As such, it is not likely to be widely exploited.

More information is available in our blog post here.

Risk scores

CVSS 3.1

Type
Primary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

secalert@redhat.com
CWE-506

Social media

Hype score
Not currently trending

  1. See how SentinelOne Singularity XDR tackles the xz backdoor (CVE-2024-3094), discovered March 29, 2024, affecting Linux's xz libraries. Key Points: Targets Debian, Fedora via SSH daemon/liblzma Exploits OSS supply chain vulnerabilities Shows even open-source isn't immune to… htt

    @jrfetzer

    17 Feb 2025

    112 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. See how SentinelOne Singularity XDR tackles the xz backdoor (CVE-2024-3094), discovered March 29, 2024, affecting Linux's xz libraries. Key Points: Targets Debian, Fedora via SSH daemon/liblzma Exploits OSS supply chain vulnerabilities Shows even open-source isn't immune to… htt

    @jrfetzer

    1 Feb 2025

    84 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. The #xz (CVE-2024-3094) is a perfect example of a #supplychainattack. We have a short explainer on the blog on how our Anchore Enterprise customers and OSS #Syft users can immediately report on it. https://t.co/mkCUEv3kZx https://t.co/QLApGPAq82

    @anchore

    27 Jan 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [Link] XZ Utils backdoor (CVE-2024-3094) 解説 #Linux - Qiita>https://t.co/lT0sY4mhLf

    @tech_wiki

    20 Jan 2025

    67 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. XZ Utils backdoor (CVE-2024-3094) 解説 https://t.co/QuypsIy8am #Qiita

    @kk0128_

    19 Jan 2025

    426 Impressions

    0 Retweets

    5 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  6. See how SentinelOne Singularity XDR tackles the xz backdoor (CVE-2024-3094), discovered March 29, 2024, affecting Linux's xz libraries. Key Points: Targets Debian, Fedora via SSH daemon/liblzma Exploits OSS supply chain vulnerabilities Shows even open-source isn't immune to… htt

    @jrfetzer

    16 Jan 2025

    126 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. See how SentinelOne Singularity XDR tackles the xz backdoor (CVE-2024-3094), discovered March 29, 2024, affecting Linux's xz libraries. Key Points: Targets Debian, Fedora via SSH daemon/liblzma Exploits OSS supply chain vulnerabilities Shows even open-source isn't immune to… htt

    @jrfetzer

    5 Jan 2025

    73 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  8. for the XZ utils backdoor (CVE-2024-3094) and its detection, respectively. Iconic duo. - suddenly execs started caring about supply chain - never underestimate a Microsoft engineer troubleshooting with valgrind

    @byt3n33dl3

    1 Jan 2025

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Top 5 Trending CVEs: 1 - CVE-2024-49128 2 - CVE-2024-21182 3 - CVE-2024-3094 4 - CVE-2024-12744 5 - CVE-2024-38472 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    1 Jan 2025

    107 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 2024 Person of the year goes to “Jia Tan” and @AndresFreundTec for the XZ utils backdoor (CVE-2024-3094) and its detection, respectively. Iconic duo. - suddenly execs started caring about supply chain - never underestimate a Microsoft engineer troubleshooting with valgrind

    @IceSolst

    31 Dec 2024

    11647 Impressions

    18 Retweets

    131 Likes

    20 Bookmarks

    4 Replies

    1 Quote

  11. ⚠️ What is the #xz utilz impact? @Josh Bressers, our VP of Security, deep dives on CVE-2024-3094 and what to do today: https://t.co/mkCUEv3kZx #opensource https://t.co/z7CGtnIXgh

    @anchore

    30 Dec 2024

    17 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  12. See how SentinelOne Singularity XDR tackles the xz backdoor (CVE-2024-3094), discovered March 29, 2024, affecting Linux's xz libraries. Key Points: Targets Debian, Fedora via SSH daemon/liblzma Exploits OSS supply chain vulnerabilities Shows even open-source isn't immune to… htt

    @jrfetzer

    18 Dec 2024

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. The #xz (CVE-2024-3094) is a perfect example of a #supplychainattack. We have a short explainer on the blog on how our Anchore Enterprise customers and OSS #Syft users can immediately report on it. https://t.co/mkCUEv3kZx https://t.co/90U4bCSFZJ

    @anchore

    8 Dec 2024

    47 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  14. Actively exploited CVE : CVE-2024-3094

    @transilienceai

    21 Nov 2024

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations

References