Supply Chain Compromise Affecting XZ Utils impacting multiple Linux Distributions (CVE-2024-3094)

A critical Remote Code Execution vulnerability (CVE-2024-3094) with critical CVSS score of 10 (the highest) was identified. This vulnerability is a result of a supply chain compromise impacting the versions 5.6.0 and 5.6.1 of XZ Utils. XZ Utils is data compression software included in major Linux distributions.

Vulnerability

Remote Code Execution Vulnerability (CVE-2024-3094)
- On March 28, 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. This vulnerability is a result of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1 which may allow unauthorized access to affected systems. XZ Utils is data compression software included in Linux distributions.

Severity Level

Critical

Affected Products

Distro	Affected Version
Red Hat	Fedora Linux 40 and Fedora Rawhide. No versions of Red Hat Enterprise Linux (RHEL) are affected.
Debian	No Debian stable versions are known to be affected. Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1.
Kali	The impact of this vulnerability affected Kali between March 26-29. If you updated your Kali installation on or after March 26, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before March 26, you are not affected by this backdoor vulnerability.
OpenSUSE	OpenSUSE Tumbleweed and OpenSUSE Micro OS between March 7th and March 28th 2024.
Alpine	5.6 versions prior to 5.6.1-r2
Arch	Installation medium 2024.03.01 Virtual machine images 20240301.218094 and 20240315.221711 Container images created between and including 2024-02-24 and 2024-03-28
HomeBrew	HomeBrew package manager is forcing downgrades to 5.4.6 as a precaution.

Remediation

All major Linux distros recommend either reverting back to versions built prior to the inclusion of XZ Utils 5.6.0 and 5.6.1 or migrating to updated releases.
Please check the notification page for your specific distribution for additional updates and guidance.

Reference

Enquiry

For enquiries, please contact infosec@cuhk.edu.hk. Thanks a lot.

Published on: 2 Apr 2024

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.