XZ Utils Supply Chain Compromise

Security

April 1, 2024

This Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

An XZ Utils vulnerability, CVE-2024-3094, allowed the embedding of malicious code in the libraries for XZ Utils versions 5.6.0 and 5.6.1. XZ Utils is data compression software that is present in several Linux distributions. The resulting malicious build interferes with authentication in sshd via systemd. Under the right circumstances, this could enable a malicious actor to break sshd authentication and remotely gain unauthorized access to the entire system, depending on the privileges associated with the user.

Open-source information indicates that thousands of systems in New Jersey may be impacted by this vulnerability.

Organizations are strongly advised to downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6 Stable and stop using impacted Fedora Rawhide instances until they are reverted to 5.4.x. Please review the following advisories for additional details: Red Hat, MS-ISAC, CISA.
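One way to triage a fleet for the affected releases, as an added example (not part of the original advisory): the script reads an already-collected package inventory, so it never executes xz on a suspect host. The inventory format ("hostname package-version"), the host names and the sample version strings are constructed assumptions; the "+really" handling follows the Debian-style rollback naming in which the version after "+really" is the one actually shipped.

```shell
#!/bin/sh
# Added example: flag hosts whose xz/liblzma package is one of the releases
# named in the advisory (5.6.0, 5.6.1). Reads an inventory, does not run xz.

# upstream_version STRING -> prints the effective upstream x.y.z, or nothing.
upstream_version() {
    v=$1
    # Rollback packages named "<bad>+really<good>" ship the version after
    # "+really", so a plain text match on 5.6.1 would be a false positive.
    case $v in
        *+really*) v=${v#*+really} ;;
    esac
    printf '%s\n' "$v" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1 || true
}

# xz_status STRING -> prints affected | ok | unknown
xz_status() {
    ver=$(upstream_version "$1")
    case $ver in
        5.6.0|5.6.1) echo affected ;;
        '')          echo unknown ;;   # no version found: needs manual review
        *)           echo ok ;;
    esac
}

# scan_inventory: stdin lines "host pkgversion"; prints every host that is
# affected or could not be classified.
scan_inventory() {
    while read -r host pkg; do
        [ -n "$host" ] || continue
        status=$(xz_status "$pkg")
        [ "$status" = ok ] || printf '%s %s %s\n' "$host" "$pkg" "$status"
    done
}

# Constructed sample inventory (hypothetical hosts and version strings).
sample_inventory() {
    cat <<'EOF'
web01 5.6.1-1
build02 xz-libs-5.6.0-1.x86_64
db03 5.4.6-1
mail04 5.6.1+really5.4.6-1
edge05 not-installed
EOF
}

sample_inventory | scan_inventory
```

Hosts reported as "unknown" should be checked by hand rather than assumed clean.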

For any further questions, contact us here at Cyber Command.