PT-2024-2451 · Debian+3

Andres Freund · Published 2024-03-29 · Updated 2026-03-26 · CVE-2024-3094

CVSS v3.1: 10 (Critical) · AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: xz Utils versions 5.6.0 and 5.6.1
Description: A critical vulnerability (CVE-2024-3094) was discovered in xz Utils, a data compression utility commonly used in Linux distributions. The vulnerability stems from a backdoor inserted into the liblzma library through a supply chain compromise. This backdoor could allow attackers to bypass SSH authentication and gain unauthorized remote access to systems. The malicious code was introduced over two years by an attacker who gained trust within the project and inserted obfuscated code during the build process. The vulnerability was discovered by a Microsoft engineer who noticed performance anomalies during SSH logins. The affected versions are 5.6.0 and 5.6.1. The backdoor exploits a weakness in how SSH interacts with the liblzma library, potentially allowing attackers to execute arbitrary code with root privileges.
Recommendations: Downgrade to xz Utils version 5.4.6 or earlier and remove all traces of the compromised versions. If patching is delayed, isolate affected systems, restrict outbound SSH connectivity, and audit build logs for malicious object injections. Treat all compiled/deployed systems as fully compromised and rebuild from trusted sources.
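As an added triage helper (not part of this advisory or of the xz project), the POSIX shell script below flags hosts running the affected releases named above and reports whether the sshd binary resolves liblzma at load time, which is the exposure path the description refers to. It assumes that `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line and that sshd lives at one of the listed candidate paths.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-3094 (not part of the advisory).
# Assumptions: first line of `xz --version` ends with the version number;
# sshd is at one of the SSHD_CANDIDATES paths; `ldd` is available.
set -eu

AFFECTED_VERSIONS="5.6.0 5.6.1"                 # releases listed in the advisory
SSHD_CANDIDATES="/usr/sbin/sshd /usr/local/sbin/sshd"   # assumed install paths

# Extract "X.Y.Z" from the first line of `xz --version` output (last field).
parse_xz_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Return 0 when the given version is one the advisory lists as backdoored.
xz_version_affected() {
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Return 0 if an installed sshd links liblzma, 1 if not or if it cannot be checked.
sshd_links_liblzma() {
    for sshd in $SSHD_CANDIDATES; do
        [ -x "$sshd" ] || continue
        if command -v ldd >/dev/null 2>&1 && ldd "$sshd" 2>/dev/null | grep -q 'liblzma'; then
            return 0
        fi
    done
    return 1
}

main() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed: no xz Utils release to assess"
        return 0
    fi
    ver=$(parse_xz_version "$(xz --version 2>/dev/null || true)")
    if xz_version_affected "$ver"; then
        echo "ALERT: xz Utils $ver is an affected release; downgrade to 5.4.6 or earlier"
    else
        echo "xz Utils $ver is not one of the listed affected releases"
    fi
    if sshd_links_liblzma; then
        echo "NOTE: sshd loads liblzma on this host, so a backdoored library is reachable"
    else
        echo "sshd does not load liblzma here, or the check could not be performed"
    fi
}

main "$@"
```

Run it as an unprivileged user on each host; a version match is the actionable finding, while the liblzma note only tells you whether sshd would have been exposed.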

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2024-02406
CVE-2024-3094
GHSA-RXWQ-X6H5-X525
OPENSUSE-SU-2024:14017-1
ROSA-SA-2024-2407
ROSA-SA-2024-2409

Affected Products

Debian
Fedora
openSUSE
Xz Utils