CVE-2024-3094: Backdoor Found in XZ Utils Compression Tool Used by Linux Distributions


On 29 March 2024, a security researcher disclosed the discovery of malicious code in the most recent versions of the XZ Utils data compression tools and libraries. The code contained a backdoor, which a remote threat actor can leverage to break authentication in sshd (the service that provides SSH access) and gain unauthorised access to the system, potentially leading to Remote Code Execution (RCE). This vulnerability was assigned CVE-2024-3094, with a critical CVSS score reaching the maximum of 10.0, as it is a supply chain compromise that affects the entire Linux ecosystem.

XZ Utils and Linux 

XZ Utils is a compression package present in nearly every Linux distribution. It provides command-line tools for file compression and decompression (such as xz, unxz, etc.) as well as a C library called liblzma, which other software links against.

The malicious code was discovered in versions 5.6.0 and 5.6.1 of XZ Utils, which users of various Linux distributions may have received as updates from February onwards. Linux distribution vendors such as Red Hat, Debian, Kali Linux, openSUSE, Alpine, and Arch Linux have either confirmed that they patched the issue in their environments or that they were unaffected by it.

Assessment 

Although Arctic Wolf has not yet observed active exploitation of this vulnerability, proof of concept (PoC) exploit code is now available. Vulnerabilities that create supply chain compromises, such as Log4Shell in 2021, are highly sought after by threat actors and can have devastating impacts. Arctic Wolf assesses with high confidence that threat actors will likely target this vulnerability in the near future, given its potential impact across the entire Linux ecosystem and the level of access they can achieve upon compromising a system. 

Recommendation for CVE-2024-3094

Follow Guidance from Linux Distribution Vendors 

Arctic Wolf strongly recommends following the guidance provided by Linux distribution vendors as shown in the table below: 

| Linux Distribution | Version | Affected? | Recommendation |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux | No | No action needed |
| Fedora | Fedora 40 (and Beta version) | No | While not directly affected, Red Hat recommends downgrading XZ Utils to version 5.4 as a precaution |
| Fedora | Fedora Rawhide | Yes | Stop usage until it is reverted to xz-5.4.x (release will be available shortly according to Red Hat) |
| Debian | Stable | No | No action needed |
| Debian | Testing, unstable, and experimental versions ranging from 5.5.1alpha-0.1 up to and including 5.6.1-1 | Yes | Upgrade xz-utils packages |
| Kali Linux | Versions updated before March 26 | No | No action needed |
| Kali Linux | Versions updated between March 26 and March 29 | Yes | Apply latest updates per Kali Linux guidance |
| openSUSE | Enterprise and Leap | No | No action needed |
| openSUSE | Tumbleweed | Yes | Upgrade to newly provided Tumbleweed snapshot |
| Alpine | edge-main | Yes | Upgrade to latest version |
| Arch Linux | Installation medium 2024.03.01 | Yes | Upgrade if system has XZ version 5.6.0-1 or 5.6.1-1 |
| Arch Linux | Virtual machine images 20240301.218094 and 20240315.221711 | Yes | Upgrade affected images to most recent version |
| Arch Linux | Container images created between and including 2024-02-24 and 2024-03-28 | Yes | Upgrade affected images to most recent version |
| Other Linux distributions not listed above | N/A | N/A | Arctic Wolf strongly advises users to downgrade XZ Utils to version 5.4 and to stay updated on vendor guidance as they work to address the issue |

Please follow your organisation’s patching and testing guidelines to avoid operational impact. 
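As an added triage example (not part of the Arctic Wolf advisory), the POSIX shell script below parses the first line of `xz --version` and flags the backdoored upstream releases 5.6.0 and 5.6.1 named above, so an administrator can quickly confirm which of the table's rows applies to a host. The `xz (XZ Utils) 5.6.1` output format and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory: check whether the installed
# xz is one of the releases named in CVE-2024-3094 (5.6.0 and 5.6.1).
# Assumes `xz --version` prints a first line like "xz (XZ Utils) 5.6.1".

# Extract the version number from the first line of `xz --version` output.
xz_version_from_output() {
    printf '%s\n' "$1" | head -n 1 | awk '{print $NF}'
}

# Return 0 (true) when the version is a backdoored release, including
# distribution-suffixed package versions such as 5.6.1-1.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the installed xz is affected, 1 if not, 2 if xz is absent.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$ver"; then
        echo "AFFECTED: xz $ver (CVE-2024-3094); follow vendor guidance or downgrade to 5.4.x"
        return 0
    fi
    echo "not affected: xz $ver"
    return 1
}
```

Run `check_installed_xz` on each host; a non-zero exit with "not affected" still warrants checking the distribution-specific rows above (for example the Debian package range), which this script does not evaluate.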

References 

  1. Red Hat Advisory 
  2. Red Hat (CVE-2024-3094) 
  3. Debian Advisory
  4. Kali Linux Advisory
  5. openSUSE Advisory
  6. Alpine Advisory 
  7. Arch Linux Advisory 
  8. Malicious Code Discovery
  9. CVE-2024-3094 PoC 

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.