Supply Chain Compromise Affecting XZ Utils impacting multiple Linux Distributions (CVE-2024-3094)

A critical Remote Code Execution vulnerability (CVE-2024-3094), rated with the maximum CVSS score of 10.0, was identified in XZ Utils. The vulnerability is the result of a supply chain compromise: malicious code was inserted into versions 5.6.0 and 5.6.1 of XZ Utils, a data compression software package included in major Linux distributions.

Vulnerability

  • Remote Code Execution Vulnerability (CVE-2024-3094)
    • On March 28, 2024, Red Hat announced CVE-2024-3094 with a critical CVSS score of 10.0. The vulnerability is a result of malicious code embedded in XZ Utils versions 5.6.0 and 5.6.1, which may allow unauthorized remote access to affected systems. The malicious code is carried in the liblzma library that ships with XZ Utils; on distributions whose OpenSSH server links liblzma (through systemd notification support), it can interfere with sshd authentication. XZ Utils is data compression software included in Linux distributions.

Severity Level

  • Critical

Affected Products

  • Red Hat: Fedora Linux 40 and Fedora Rawhide. No versions of Red Hat Enterprise Linux (RHEL) are affected.
  • Debian: No Debian stable versions are known to be affected. Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01) up to and including 5.6.1-1.
  • Kali: Kali was affected between March 26 and March 29, 2024. If you updated your Kali installation on or after March 26, apply the latest updates immediately to address this issue. If you have not updated your Kali installation since March 26, you are not affected by this backdoor.
  • openSUSE: openSUSE Tumbleweed and openSUSE MicroOS snapshots between March 7 and March 28, 2024.
  • Alpine: 5.6 versions prior to 5.6.1-r2.
  • Arch:
    • Installation medium 2024.03.01
    • Virtual machine images 20240301.218094 and 20240315.221711
    • Container images created between and including 2024-02-24 and 2024-03-28
  • Homebrew: The Homebrew package manager is forcing downgrades to 5.4.6 as a precaution.

Remediation

  • All major Linux distributions recommend either reverting to a version built prior to XZ Utils 5.6.0 (for example 5.4.6) or updating to the distribution's fixed packages.
  • After replacing the package, restart services that have loaded the compromised liblzma (notably sshd) or reboot the host, since a running process keeps the old library mapped in memory.
  • Check the security advisory for your specific distribution for additional updates and guidance.
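A quick check for the compromised releases, as an added example for this advisory (it is not code from any distribution or from the XZ project): it parses the output of `xz --version`, which upstream prints as one "xz (XZ Utils) <version>" line and one "liblzma <version>" line (that format is an assumption), and flags 5.6.0 and 5.6.1. The sample outputs in the script are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example for this advisory, not code from any distribution or from
# the XZ project: report whether the XZ Utils release installed on a host is
# one of the compromised versions (5.6.0 or 5.6.1) named in CVE-2024-3094.
# Assumption: `xz --version` prints one line "xz (XZ Utils) <version>" and one
# line "liblzma <version>", which is the upstream format.

# Return 0 (true) when the upstream version string is a compromised release.
xz_version_compromised() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` output on stdin; print one verdict line per component
# ("COMPROMISED <component> <version>" or "ok <component> <version>").
# Exit status 2 if any component is compromised, 0 otherwise.
check_xz_version_output() {
    status=0
    xz_prefix="xz (XZ Utils) "
    lib_prefix="liblzma "
    while IFS= read -r line; do
        case "$line" in
            "$xz_prefix"*)  component=xz;      version=${line#"$xz_prefix"} ;;
            "$lib_prefix"*) component=liblzma; version=${line#"$lib_prefix"} ;;
            *) continue ;;
        esac
        if xz_version_compromised "$version"; then
            echo "COMPROMISED $component $version"
            status=2
        else
            echo "ok $component $version"
        fi
    done
    return $status
}

# Constructed sample outputs (not captured from real hosts), used when xz is
# not installed on the machine running this script.
SAMPLE_COMPROMISED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Live check when xz is installed; otherwise demonstrate on the constructed sample.
if command -v xz >/dev/null 2>&1; then
    xz --version | check_xz_version_output
else
    printf '%s\n' "$SAMPLE_COMPROMISED" | check_xz_version_output
fi
```

Two caveats when reading the verdict: `xz --version` reports the upstream version only, so a distribution rebuild that the advisory lists as fixed, such as Alpine's 5.6.1-r2, still prints 5.6.1 and is flagged here; confirm with the package manager's version in that case. A clean version also does not prove the host was never exposed: a system that ran a compromised package during the affected window should be handled according to the distribution's guidance.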

Published on:  2 Apr 2024