Summary
Vulnerability CVE-2024-3094 has been reported for malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. XZ Utils is data compression software and may be present in Linux distributions.
Date of publication
April 5th, 2024
Description
Malicious code was discovered in the upstream tarballs of xz versions 5.6.0 and 5.6.1. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Impact
It was found that malicious code interfered with the OpenSSH daemon. While OpenSSH is not directly linked to the liblzma library, it does communicate with systemd in such a way that exposes it to the malware due to systemd linking to liblzma.
Mitigation
No action is required as HYCU does not use the affected version of liblzma.
Comments
Please sign in to leave a comment.