CVE-2024-3094 – XZ malicious code injection
Summary
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source tree, and that object is then used to modify specific functions in the liblzma code.
Impact
The result is a modified liblzma library that is loaded by any software linked against it, and which can intercept and modify that software's interactions with the library. This includes OpenSSH.
CVSS rating
10.0/10.0
Solution
Linux admins can check which version of XZ is installed by querying their package manager or by running the following bash script:
for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do
    # Version banner embedded in the binary, e.g. "xz (XZ Utils) 5.6.1"
    version=$(strings "$xz_p" | grep "xz (XZ Utils)" | head -n 1 | awk '{print $NF}')
    if [[ -z "$version" ]]; then
        echo "Could not determine the version of $xz_p"
        continue
    fi
    major_version=$(echo "$version" | awk -F'.' '{print $1}')
    minor_version=$(echo "$version" | awk -F'.' '{print $2}')
    patch_version=$(echo "$version" | awk -F'.' '{print $3}')
    # Flag 5.6.0 and anything newer
    if [[ "$major_version" -gt 5 || ( "$major_version" -eq 5 && "$minor_version" -gt 6 ) || ( "$major_version" -eq 5 && "$minor_version" -eq 6 && "$patch_version" -ge 0 ) ]]; then
        echo "Urgent action required: xz version $version is installed at $xz_p"
    fi
done
For affected versions, the only solution at present is to roll back to a safer version, i.e. one earlier than 5.6.0.
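Added example, not code from the advisory or from the xz project: a POSIX shell helper that applies the same 5.6.0 cutoff to version strings in the forms a package manager or the binary banner produce (including Debian epoch and revision suffixes), queries dpkg or rpm for the installed package, and notes whether the sshd binary on the host dynamically links liblzma, which is the path the OpenSSH impact above depends on. The package names used (xz-utils, liblzma5, xz, xz-libs) and the fallback sshd path are assumptions based on common distributions.

```shell
#!/bin/sh
# Added example for CVE-2024-3094 (not code from the advisory or the xz project).
# Classifies xz/liblzma version strings against the advisory's cutoff
# (5.6.0 and later are affected) and reports where liblzma is in use.

# Normalise a version string to "major.minor.patch":
#   "xz (XZ Utils) 5.6.1" -> 5.6.1    "1:5.4.1-0.2" (Debian epoch/revision) -> 5.4.1
normalize_version() {
    printf '%s' "$1" | sed -e 's/^[^0-9]*//' -e 's/^[0-9]*://' -e 's/[^0-9.].*$//'
}

# Exit status: 0 = affected (>= 5.6.0), 1 = not affected, 2 = unparseable input.
xz_version_affected() {
    v=$(normalize_version "$1")
    major=$(printf '%s' "$v" | cut -s -d. -f1)
    minor=$(printf '%s' "$v" | cut -s -d. -f2)
    patch=$(printf '%s' "$v" | cut -s -d. -f3)
    patch=${patch:-0}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -ge 6 ] && return 0
    return 1
}

# Installed package versions from the host's package manager, one per line.
# Package names are the usual Debian (xz-utils, liblzma5) and RPM (xz, xz-libs)
# names (assumed here); adjust for other distributions.
installed_xz_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' xz-utils liblzma5 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz xz-libs 2>/dev/null
    fi
    return 0
}

# Check the host: package versions, then whether sshd loads liblzma at all.
report() {
    installed_xz_versions | while IFS= read -r line; do
        rc=0
        xz_version_affected "$line" || rc=$?
        case $rc in
            0) echo "Urgent action required: xz/liblzma $line is installed (CVE-2024-3094)" ;;
            1) echo "OK: xz/liblzma $line is below 5.6.0" ;;
            *) echo "Could not parse a version from: $line" ;;
        esac
    done
    # /usr/sbin/sshd is an assumed fallback location when sshd is not on PATH.
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
            echo "sshd at $sshd_path links liblzma; the versions above apply to it"
        else
            echo "sshd at $sshd_path does not link liblzma directly"
        fi
    fi
}

report
```

The version check deliberately refuses to classify anything it cannot reduce to numeric major and minor components (exit status 2) instead of silently treating it as safe, so a package manager's "not installed" message or an unexpected banner shows up in the output as something to look at by hand.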