Security Advisory: CVE-2024-3094 (xz)

On March 29, 2024, Red Hat alerted Fyra Labs and the ecosystem of malicious code found in xz tools and libraries.


Andres Freund discovered the malicious code in the 5.6.0 and 5.6.1 releases of xz.

This is a developing situation; we will update this post as we learn more about the incident.

What Happened?

As of now, we know that a maintainer of xz injected malicious code into the release tarballs of xz 5.6.0 and 5.6.1 via an obfuscated snippet in the build script; that snippet is not present in the git repository, so builds made from git appear to be unaffected. The payload lives in liblzma and alters the behavior of sshd on systems where OpenSSH is patched to link libsystemd, which in turn pulls in liblzma. This does not mean that systemd is the vector, or that systems without systemd are immune. You can read more here.

GitHub has suspended the xz repositories and the accounts of both the threat actor and the original developer of xz.

Who's Affected?

As of now, no currently supported or in-development versions of Ultramarine Linux are affected. Please ensure that your xz version is below 5.6.0 (the 5.4.x releases are not affected). If your system is running Ultramarine Rawhide and stores especially sensitive data, you should air gap and audit it.

How Do I Check If I'm Affected?

If you're running xz 5.6.0 or 5.6.1, you should assume the backdoor is present on your system. Downgrade ASAP: a standard dnf upgrade should pull in the downgraded package, and if that fails you can run dnf distro-sync to sync package versions to the distribution's current versions.

You can also run this script. As always, please inspect the source of the script before running it.
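The following check is an added example written for this post, not the script linked above or any code from the xz or Fedora projects. It classifies an xz version string as one of the two backdoored releases (5.6.0 and 5.6.1), parses that version out of the banner printed by `xz --version`, and then inspects the running system: the installed xz binary, the xz-libs RPM, and whether sshd links liblzma (the path by which the payload reaches sshd). The function names are ours, and the check is by version only; it cannot prove that a backdoored build was or was not exploited.

```shell
#!/bin/sh
# Added example (not the Fyra Labs script or xz project code): detect a
# backdoored xz release (CVE-2024-3094) by version.

# Return 0 (true) if the given version string is one of the two backdoored
# releases. Package suffixes such as "5.6.1-1.fc40" are accepted.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract "X.Y.Z" from the first line of `xz --version` output, for example
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the banner is unexpected.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Live check of this machine. Returns 1 if a backdoored xz is installed.
check_system() {
    if command -v xz >/dev/null 2>&1; then
        v=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
        if xz_version_affected "$v"; then
            echo "xz $v is a backdoored release: downgrade now"
            return 1
        fi
        echo "xz ${v:-unknown} is not a backdoored release"
    fi
    # liblzma is shipped separately from the xz binary on Fedora-based systems.
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz-libs 2>/dev/null)
        if xz_version_affected "$pkg"; then
            echo "xz-libs $pkg is a backdoored release: downgrade now"
            return 1
        fi
    fi
    # The payload reaches sshd only if sshd (via libsystemd) loads liblzma.
    if command -v ldd >/dev/null 2>&1 && [ -x /usr/sbin/sshd ]; then
        if ldd /usr/sbin/sshd 2>/dev/null | grep -q liblzma; then
            echo "note: sshd links liblzma, so a backdoored xz would affect it"
        fi
    fi
    return 0
}

# Usage: run the live check when executed directly.
[ "${0##*/}" = "check_xz.sh" ] && check_system
```

Save it as check_xz.sh and run it with sh; a non-zero exit means a backdoored release is installed. The version match is deliberately exact, since only those two upstream releases carried the malicious build script.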

What Is Being Done to Protect Me?

The Fedora Project (Ultramarine's upstream) has downgraded xz to an unaffected release; this is the primary way we are protecting you.

Fyra Labs Security is monitoring the situation and will continue to update you and make changes as needed to keep you and your data safe.

Thanks to

Andres Freund

Lasse Collin

Red Hat Security

Aspy from the Fyra Discord