CVE‑2024‑3094 tracks malicious code embedded in the upstream XZ Utils tarballs. During the liblzma build process, a disguised test file is used to extract a prebuilt object, which then modifies certain functions in the liblzma library.
What is CVE‑2024‑3094?
- It is a supply‑chain / backdoor vulnerability discovered in the XZ Utils package, specifically affecting versions 5.6.0 and 5.6.1.
- The malicious code is embedded in the upstream tarballs. During the liblzma build process, a disguised test file is used to extract a prebuilt object, which then modifies certain functions in the liblzma library.
- As a result, any software linked against liblzma (via XZ) could be compromised, potentially allowing remote code execution (RCE) or SSH authentication bypass under specific conditions.
- The CVSS v3 severity is 10.0 (Critical).
🖥️ What Systems / Distros Are Affected?
- Rolling / edge / testing Linux distributions that may include XZ 5.6.0 or 5.6.1 in their repositories or builds, such as:
  - Fedora 40 / Fedora Rawhide
  - openSUSE Tumbleweed / MicroOS
  - Debian “unstable” / testing branches
  - Arch Linux builds / container images around the timeframe the malicious versions were shipped
  - Alpine edge builds
- Many stable / enterprise Linux releases are not affected, because they either never shipped XZ 5.6.0 / 5.6.1 or removed them before release. For example, Ubuntu’s stable releases are not impacted.
- SUSE has patched it: openSUSE Tumbleweed now requires versions ≥ 5.6.2‑1.1 for xz/liblzma5 to address the issue.
🔍 Attack Mechanism & Preconditions
The backdoor is fairly stealthy and has certain requirements:
- The build must originate from the upstream tarballs (not from a clean Git source), because the malicious code is tied to a test file in the tarball.
- The build must satisfy conditions such as being for x86‑64 Linux and being part of a Debian / RPM package build (the presence of debian/rules or RPM_ARCH checks).
- At runtime, for exploitation via SSH (sshd), additional environment conditions must be met (e.g. TERM unset, LD_DEBUG and LD_PROFILE unset, LANG set).
- The process path must be /usr/sbin/sshd, and the malicious code intercepts RSA_public_decrypt symbol calls to insert its payload.
Because of these conditions, not every system that has XZ 5.6.0/5.6.1 is trivially exploitable; the exploit is somewhat constrained.
✅ Mitigations & What You Should Do
If you’re concerned about this vulnerability on your system, here are recommended actions:
- Check your installed version of XZ
  If it reports 5.6.0 or 5.6.1, your system is potentially vulnerable.
- Upgrade / Patch to a Safe Version
  - Move to xz/liblzma versions ≥ 5.6.2, or revert to a prior safe version (e.g. 5.4.6) on systems where patches are not yet available.
  - Many Linux distros have already released updated packages. For example, SUSE requires xz >= 5.6.2‑1.1.
- Audit and Monitor for Suspicious Activity
  - Monitor SSH logs and check for unexplained or unauthorized login activity.
  - Use tools (Wazuh, IDS/IPS) to detect processes or symbols related to liblzma that might exhibit unusual behavior (e.g. hooking RSA_public_decrypt).
  - Check your system for known indicators (YARA rules and threat intelligence around CVE‑2024‑3094).
- Rebuild from Trusted Sources
  - If your system or distribution has not yet released patches, consider rebuilding xz from a trusted Git source (not the tarball) that is known clean. The backdoor was not present in the pure Git sources, because the malicious macro is absent there.
- Incident Response if Suspected Compromise
  - If you believe the backdoor was exploited:
    - Isolate affected systems
    - Examine SSH-related logs and memory for unusual code execution
    - Rotate all credentials, especially privileged access
    - Scan for residual artifacts or rootkits
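A version check in the spirit of the first two mitigation items above, added here as an example and not taken from the article: it flags the two backdoored releases, parses `xz --version` output, and reports whether /usr/sbin/sshd links liblzma at all. The function names and the sample version output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): flag the backdoored xz
# releases named above (5.6.0, 5.6.1) and check the local xz binary and sshd.

# Return 0 (true) when the dotted numeric prefix of $1 is 5.6.0 or 5.6.1, so
# distro-suffixed versions such as "5.6.1-1.1" are still caught; 1 otherwise.
xz_version_is_backdoored() {
    v=$(printf '%s' "$1" | sed -n 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version from `xz --version` output; its first line reads
# "xz (XZ Utils) <version>", so take the last field of line 1.
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Constructed sample of `xz --version` output from a backdoored release.
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Live check: 0 = not a backdoored release, 1 = backdoored, 2 = xz missing.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed; nothing to check"; return 2
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_is_backdoored "$ver"; then
        echo "WARNING: xz $ver is backdoored (CVE-2024-3094); upgrade to >= 5.6.2"
        return 1
    fi
    echo "xz $ver is not one of the backdoored releases"
}

# The payload targets /usr/sbin/sshd, so report whether that binary links
# liblzma at all: 0 = yes, 1 = no, 2 = no sshd at that path.
sshd_links_liblzma() {
    [ -x /usr/sbin/sshd ] || return 2
    ldd /usr/sbin/sshd 2>/dev/null | grep -q liblzma
}

# Run the checks only when invoked with --check, so sourcing has no side effects.
if [ "${1:-}" = "--check" ]; then
    check_installed_xz
    sshd_links_liblzma && echo "/usr/sbin/sshd links liblzma; verify its patch status"
fi
```

Run the script with `--check` on a host to report on the installed xz and sshd, or source it and call the functions against version strings taken from package manager output.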