Description of the vulnerability per NIST:
“Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting, and modifying the data interaction with this library.”
This vulnerability was intentionally induced by a supply chain attack. Starting in 2021, a suspected Threat Actor started to submit patches to open-source project on GITHUB, eventually focusing on the XZ Utils repository and becoming a co-developer. A fuller timeline of events can be found here. The backdoor/vulnerability was fully introduced in versions 5.6.0 and 5.6.1 of xz utils in February. Most production Linux distributions have not adopted these patches, but please check the following section to confirm that no affected versions are present in your environment.
Affected & Fixed Versions
Recommendations and Mitigations
SecurIT360 Managed SOC Clients:
- For all active managed SOC EDR clients, we have checked our inventory across products and have already reached out if you have an affected Linux distribution.
- For all active managed SOC MDR clients, we have also run an external Nessus vulnerability scan looking for affected versions and have again already reached out to any and all affected clients.
Otherwise, if you have any Linux endpoint that we do not monitor that you are concerned may be affected by this vulnerability, you can run a simple command of “xz –version” or “xz ultis –version” on these endpoints to confirm your versioning on the endpoint in question:
If any of your endpoints do presently use 5.6.0 and 5.6.1 of XZ Utils, we would recommend either updating or downgrading packages per the table above. For the case of Fedora 40-41 and Rawhide specifically the recommendation from Red Hat would be to power-down or stop using Rawhide for the time being, and to move to packages 5.4.X for Fedora 40-41. See Red Hat’s blog post on the subject for more information.
Resources & Related Articles
- https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/Feedly CVE-2024-2615 (Affected Version Table)
- https://nvd.nist.gov/vuln/detail/CVE-2024-3094 (NIST CVE)
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor (Timeline on GITHUB Activity)
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users (Update for Fedora 40 and Fedora Rawhide Users)
