Summary
A backdoor has been identified in versions 5.6.0 and 5.6.1 of XZ Utils (assigned CVE-2024-3094). Under some conditions it may allow remote code execution (RCE) via SSH authentication on specific versions of certain Linux distributions.
Affected products
Many distributions are potentially affected by CVE-2024-3094. The following vendors have publicly addressed the vulnerability:
| Distro | Notes | Package | Affected Versions | Fixed Versions |
|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux (RHEL) is not affected, but Fedora 41 and Fedora Rawhide are affected. | xz | Fedora 41 and Fedora Rawhide | Red Hat has advised users to immediately stop using any Fedora 41 or Fedora Rawhide instances. |
| Debian | No Debian stable versions are known to be affected, but non-stable branches are affected. | xz-utils | From 5.5.1alpha-0.1 up to and including 5.6.1-1 | 5.6.1+really5.4.5-1 |
| Kali Linux | Affects Kali installations updated between March 26th and March 29th. | xz-utils | 5.6.0-0.2 | Upgrade to the latest version |
| openSUSE | openSUSE maintainers rolled back the xz version on Tumbleweed on March 28th and released a new Tumbleweed snapshot (20240328 or later) built from a safe backup. | xz | 5.6.0, 5.6.1 | 5.6.1.revertto5.4 |
| Alpine | – | xz | 5.6.0, 5.6.0-r0, 5.6.0-r1, 5.6.1, 5.6.1-r0, 5.6.1-r1 | 5.6.0-r2, 5.6.1-r2 |
| Arch | The following release artifacts contain the compromised package: (1) installation medium 2024.03.01, (2) virtual machine images 20240301.218094 and 20240315.221711, (3) container images created between and including 2024-02-24 and 2024-03-28. | xz | 5.6.0-1 | 5.6.1-2 |
| Gentoo | Gentoo recommends downgrading to an older version. | xz-utils | 5.6.0 and later | Earlier than 5.6.0 |
| FreeBSD | Not affected. | – | – | – |
| Amazon Linux | Not affected. | – | – | – |
Recommendations
- Follow the guidance provided in the table above for each Linux distribution.
- Downgrade to an uncompromised XZ Utils version (earlier than 5.6.0) and hunt for malicious or suspicious activity on systems where an affected version was installed.
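The version check these recommendations imply, as an added example that is not part of the original advisory: it reduces a distribution package version to its upstream release and compares it with the backdoored releases named in the summary (5.6.0 and 5.6.1). Function names are assumptions; the sample version strings in the comments are taken from the table above.

```shell
#!/bin/sh
# Added example (not from the advisory): classify xz / liblzma package versions
# against the CVE-2024-3094 affected upstream releases, 5.6.0 and 5.6.1.

# Reduce a package version string to its upstream X.Y.Z part:
#   1:5.6.0-0.2         -> 5.6.0  (epoch and Debian revision stripped)
#   5.6.0-r1            -> 5.6.0  (Alpine revision stripped)
#   5.6.1+really5.4.5-1 -> 5.4.5  (Debian rollback really ships 5.4.5)
upstream_version() {
    v="$1"
    case "$v" in
        *+really*) v="${v#*+really}" ;;
    esac
    v="${v#*:}"     # drop epoch
    v="${v%%-*}"    # drop distro revision
    printf '%s\n' "$v"
}

# Exit status 0 if the upstream version is a backdoored release, 1 otherwise.
# Caveats: this implements the summary's upstream range, so distro-specific
# ranges (Debian lists 5.5.1alpha-0.1 onwards) may be wider, and fixed rebuilds
# that kept the upstream number (Alpine 5.6.0-r2, 5.6.1-r2) are still flagged;
# compare the full package version with the table for those.
xz_is_affected() {
    case "$(upstream_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Report on the xz binary installed on this host; status 0 = affected version present.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 1
    fi
    ver=$(xz --version | awk 'NR == 1 { print $NF }')
    if xz_is_affected "$ver"; then
        echo "xz $ver is in the CVE-2024-3094 affected range: downgrade below 5.6.0 and hunt for suspicious activity"
        return 0
    fi
    echo "xz $ver is outside the affected range"
    return 1
}

check_installed_xz || true   # non-zero status here just means "nothing to do"
```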
References
- oss-security: https://www.openwall.com/lists/oss-security/2024/03/29/4
- Red Hat: https://access.redhat.com/security/cve/CVE-2024-3094?extIdCarryOver=true&sc_cid=701f2000001OH6fAAG
- OpenSUSE: https://build.opensuse.org/request/show/1163302
- CERT-EU: https://cert.europa.eu/publications/security-advisories/2024-032/pdf