PT-2024-2451 · Opensuse +3

Andres Freund · Published 2024-03-29 · Updated 2026-02-03 · CVE-2024-3094

CVSS v3.1: 10 · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: liblzma versions 5.6.0 through 5.6.1; xz Utils versions 5.6.0 through 5.6.1
Description: A critical vulnerability (CVE-2024-3094) was discovered in the xz Utils data compression library, specifically in versions 5.6.0 and 5.6.1. It is a supply chain compromise: a backdoor was inserted into the library itself. The backdoor allows unauthorized remote access by altering how data passes through the library, potentially letting attackers bypass SSH authentication. The malicious code was introduced through a series of complex obfuscations, including a prebuilt object file hidden inside a test file in the source tree. The vulnerability was discovered by a Microsoft engineer who noticed unusual delays in SSH connections. Its impact could have been widespread, affecting numerous Linux distributions and applications.
Recommendations: Downgrade to a version prior to 5.6.0.
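A host check for the affected range named above, added here as an example and not part of the PT-2024-2451 record: it normalises distro-style version strings (a constructed assumption, e.g. "5.6.1-1ubuntu1"), flags 5.6.0 and 5.6.1, and reports on the xz binary found on PATH.

```shell
#!/bin/sh
# Added check (not part of the PT-2024-2451 record): flag xz/liblzma builds
# in the backdoored range 5.6.0 through 5.6.1 and report the host's xz.

# Reduce a version string such as "5.6.1-1ubuntu1" or "v5.4" to
# "major minor patch"; distro suffixes and missing fields are tolerated.
xz_version_triplet() {
    v=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*$//')
    major=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}; rest2=${rest#*.}
    [ "$rest2" = "$rest" ] && rest2=0
    patch=${rest2%%.*}
    printf '%s %s %s\n' "${major:-0}" "${minor:-0}" "${patch:-0}"
}

# True (exit 0) only for 5.6.0 and 5.6.1, the versions named in the advisory.
# A distro build that kept the 5.6.x number but reverted the backdoor is still
# flagged; confirm against the vendor's own advisory before acting.
xz_is_affected() {
    set -- $(xz_version_triplet "$1")
    if [ "$1" -eq 5 ] && [ "$2" -eq 6 ] && [ "$3" -le 1 ]; then
        return 0
    fi
    return 1
}

# Inspect the xz binary on PATH, if any. The first line of `xz --version`
# looks like "xz (XZ Utils) 5.6.1"; the version is the last numeric token.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz: not found on PATH"; return 0; }
    ver=$(xz --version 2>/dev/null | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "xz: could not parse version output"
    elif xz_is_affected "$ver"; then
        echo "xz $ver: AFFECTED (CVE-2024-3094), downgrade to a release before 5.6.0"
    else
        echo "xz $ver: not in the affected range"
    fi
}

check_installed_xz
```

The version check only covers the `xz` front end; the same `xz_is_affected` test can be applied to the liblzma package version reported by the distribution's package manager.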

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2024-02406
CVE-2024-3094
GHSA-RXWQ-X6H5-X525
OPENSUSE-SU-2024:14017-1
ROSA-SA-2024-2407
ROSA-SA-2024-2409

Affected Products

Debian
Fedora
Opensuse
Xz Utils