Embedded Malicious Code

CVE-2024-3094

Severity High
Score 10/10

Summary

Malicious code containing a backdoor was discovered in versions 5.6.0 and 5.6.1 of the xz package. The upstream tarballs contained additional ".m4" files, not part of the official repository, that included instructions for building with automake. These instructions used complex obfuscation techniques to extract a prebuilt object file from a test archive. This object file was then used to modify specific functions within liblzma during the build process. As a consequence, software relying on liblzma, such as 'sshd', could be leveraged to execute functionality interpreted by the tampered functions. Exploiting this backdoor could potentially compromise 'sshd' authentication, granting unauthorized access to affected systems. Users of the xz package are advised to downgrade to the known unaffected version 5.4.6.
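
A quick host check for the two versions named above, as an added example that is not part of the advisory. The function names are hypothetical, and the script assumes the usual two-line `xz --version` output ("xz (XZ Utils) X.Y.Z" / "liblzma X.Y.Z") and a fallback sshd path of /usr/sbin/sshd.

```shell
#!/bin/sh
# Added example, not advisory code: flag the xz/liblzma releases the
# advisory names as backdoored (5.6.0 and 5.6.1).

# Classify one version string against the advisory's affected list.
classify_version() {
  case "$1" in
    5.6.0|5.6.1) echo affected ;;
    *.*.*)       echo not-listed ;;
    *)           echo unknown ;;   # empty or a bare soname such as "5"
  esac
}

# Read `xz --version` style text on stdin; the version is the last field
# of each line. One affected line makes the whole result "affected".
check_xz_output() {
  result=unknown
  for v in $(awk 'NF { print $NF }'); do
    verdict=$(classify_version "$v")
    if [ "$verdict" = affected ]; then result=affected
    elif [ "$result" = unknown ]; then result=$verdict
    fi
  done
  echo "$result"
}

# Classify a resolved library path by the version in its file name.
classify_lib_path() {
  case "$1" in
    *liblzma.so.*) classify_version "${1##*liblzma.so.}" ;;
    *)             echo unknown ;;
  esac
}

# Live check: the xz binary, then the liblzma that sshd actually loads.
# The /usr/sbin/sshd fallback path is an assumption.
live_check() {
  if command -v xz >/dev/null 2>&1; then
    echo "xz: $(xz --version 2>/dev/null | check_xz_output)"
  fi
  sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  lib=$(ldd "$sshd_bin" 2>/dev/null | awk '/liblzma/ { print $3; exit }')
  if [ -n "$lib" ]; then
    real=$(readlink -f "$lib")
    echo "sshd -> $real: $(classify_lib_path "$real")"
  fi
}

live_check
```

"not-listed" only means the version is neither 5.6.0 nor 5.6.1; an "affected" result is the cue to apply the downgrade to 5.4.6 advised above.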

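  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality: HIGH
  • Integrity: HIGH
  • Availability: HIGH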

CWE-506 - Embedded Malicious Code

The application contains code that appears to be malicious in nature.

Advisory Timeline

  • Published