Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)

A supply-chain compromise in XZ Utils introduced malicious code into the upstream source tarballs for versions 5.6.0 and 5.6.1. The injected code modifies the liblzma build so that it produces a backdoored library capable of intercepting or altering data passing through any application linked against it. Major Linux distributions advised downgrading to pre-5.6.0 builds or applying vendor updates, while detection and mitigation guidance (including XQL queries and Palo Alto Networks product protections) are available. #CVE-2024-3094 #XZ-UTILS

Keypoints

  • The vulnerability CVE-2024-3094 is a critical (CVSS 10.0) supply-chain backdoor affecting the XZ Utils 5.6.0 and 5.6.1 releases.
  • Malicious code in the upstream tarballs causes the liblzma build to extract a prebuilt object from a disguised test file and modify library functions at build time.
  • The compromised liblzma can be loaded by any software linked against it, allowing interception and modification of data and potential unauthorized access.
  • Distributions affected include Fedora, Debian testing/unstable/experimental uploads, Kali (for a defined update window), OpenSUSE Tumbleweed, Alpine, and Arch container/VM/image builds created during the compromise window.
  • Mitigation advice from vendors: revert to versions earlier than 5.6.0 or apply vendor-provided updates; Homebrew forced a downgrade to 5.4.6 as a precaution.
  • Palo Alto Networks published detection guidance (an XQL query to find hosts with XZ-UTILS 5.6.0/5.6.1) and recommends using Cortex XDR, XSIAM, Prisma Cloud, and Unit 42 services for detection and response.

MITRE Techniques

  • [T1195] Supply Chain Compromise – The upstream xz tarballs contained malicious code inserted into released packages. (‘Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.’)
  • [T1027] Obfuscated Files or Information – The malicious component used complex obfuscation in source to hide extraction and injection logic. (‘Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code…’)
  • [T1574] Hijack Execution Flow – The build produces a modified liblzma shared library that any application linked against it loads, so the backdoor executes inside that application and can intercept and modify its calls into the library. The DLL sub-techniques of T1574 describe Windows library loading; the mechanism here is a trojanized Linux shared object, so the parent technique is the accurate mapping. (‘This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.’)
  • [T1592] Gather Victim Host Information – This is an adversary reconnaissance technique; the brief cites it for the defensive inventory query that locates hosts running the affected XZ Utils versions, not for adversary behaviour observed in this incident. (‘//This query searches for XZ Utils versions 5.6.0 or 5.6.1…’)
  • [T1210] Exploitation of Remote Services – Under certain conditions the backdoored library may allow unauthorized access to an affected system through an application that has loaded it. (‘Under certain conditions this code may allow unauthorized access to affected systems.’)

Indicators of Compromise

  • [CVE] vulnerability identifier – CVE-2024-3094
  • [Package versions] compromised XZ Utils releases – 5.6.0, 5.6.1
  • [Library name] affected runtime component – liblzma (modified library used by linked applications)
  • [Affected distributions] examples of impacted systems – Fedora Linux 40 / Fedora Rawhide, OpenSUSE Tumbleweed (and various Debian testing/unstable/experimental uploads)
  • [Detection query] inventory/XDR detection example – XQL query searching for XZ-UTILS versions “5.6.0” and “5.6.1” (see supplied query), and other vendor detection markers

A supply-chain compromise injected malicious code into XZ Utils source tarballs beginning with 5.6.0; the injected code is obfuscated and causes the liblzma build to extract a prebuilt object from a disguised test file which is then used to patch specific liblzma functions. This build-time modification produces a backdoored liblzma library that, when loaded by any software linked against it, can intercept and alter data flows and under some conditions enable unauthorized access to affected systems.

Distributions and packaging affected include Fedora (Fedora 40 and Rawhide), Debian testing/unstable/experimental uploads up through 5.6.1-1, OpenSUSE Tumbleweed and Micro OS images during the compromise window, Alpine 5.6 versions prior to 5.6.1-r2, Arch installation/VM/container images built between late-February and March 28, and a limited Kali update window; Homebrew forced rollbacks to 5.4.6 as a precaution. Vendors advise reverting to builds earlier than 5.6.0 or applying vendor-provided fixes/updates—check your distribution’s security notices for exact remediation steps.

Detection and response recommendations include scanning host inventories for XZ-UTILS version 5.6.0/5.6.1 (the Unit 42 XQL example is provided for Cortex XDR), replacing or rebuilding affected binaries against trusted liblzma builds, preventing deployment of vulnerable container images via Prisma Cloud policies, applying multi-layer endpoint protections (Cortex XDR/XSIAM), and engaging incident response (Unit 42) if compromise is suspected.
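A host-side counterpart to the inventory and rebuild steps above, written for this edit as an added example (it is not the Unit 42 XQL query and not code from the brief or the xz project). It classifies a packaged version string as affected or not, scans the local package manager and the xz binary itself, and lists running processes that have liblzma mapped, since those are the programs that keep using the old library until restarted. The package names (liblzma5, xz-libs, xz) and the treatment of Alpine's -rN revision suffix are assumptions about each distribution's packaging, not facts from the brief.

```shell
#!/bin/sh
# Added example for this brief (not Unit 42 or xz project code): classify
# xz/liblzma package versions against CVE-2024-3094 and inventory a host.
# Package names and per-manager query commands are assumptions.

# Returns 0 when the version string is a compromised upstream release
# (5.6.0 or 5.6.1), 1 otherwise. Two packaging edge cases matter:
#  * Debian's rollback package is "5.6.1+really5.4.5-1": it contains the
#    string "5.6.1" but ships upstream 5.4.5, so a naive grep flags it.
#  * Alpine's 5.6.1-r2 is a clean rebuild; "-rN" is assumed to be Alpine's
#    revision convention here.
xz_version_affected() {
  v="${1#*:}"                          # drop a packaging epoch such as "1:"
  case "$v" in
    *+really*) v="${v#*+really}" ;;    # Debian: real upstream follows "+really"
  esac
  up="${v%%-*}"                        # "5.6.0-2.fc40" -> "5.6.0"
  up="${up%%+*}"                       # "5.6.1+dfsg" style suffixes
  case "$up" in
    5.6.0) return 0 ;;
    5.6.1)
      case "$v" in
        5.6.1-r[2-9]|5.6.1-r[1-9][0-9]*) return 1 ;;   # Alpine clean rebuild
        *) return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# Print one inventory line; sets hit=1 when the version is affected.
check_version() {
  [ -n "$2" ] || return 0              # package not installed: nothing to report
  if xz_version_affected "$2"; then
    printf 'AFFECTED  %-14s %s\n' "$1" "$2"
    hit=1
  else
    printf 'ok        %-14s %s\n' "$1" "$2"
  fi
}

# Returns 0 if nothing affected was found on this host, 1 otherwise.
scan_host() {
  hit=0
  # 1. What the xz binary reports ("xz (XZ Utils) 5.6.1" on its first line).
  if command -v xz >/dev/null 2>&1; then
    check_version "xz --version" "$(xz --version 2>/dev/null | sed -n '1s/.* //p')"
  fi
  # 2. Package manager records; only the manager present on the host answers.
  if command -v dpkg-query >/dev/null 2>&1; then
    check_version "dpkg liblzma5" "$(dpkg-query -W -f='${Version}' liblzma5 2>/dev/null)"
  fi
  if command -v rpm >/dev/null 2>&1 && rpm -q xz-libs >/dev/null 2>&1; then
    check_version "rpm xz-libs" "$(rpm -q --qf '%{VERSION}-%{RELEASE}' xz-libs)"
  fi
  if command -v apk >/dev/null 2>&1; then
    check_version "apk xz-libs" "$(apk list --installed xz-libs 2>/dev/null | sed -n 's/^xz-libs-\([^ ]*\).*/\1/p')"
  fi
  if command -v pacman >/dev/null 2>&1; then
    check_version "pacman xz" "$(pacman -Q xz 2>/dev/null | cut -d' ' -f2)"
  fi
  # 3. Running processes with liblzma mapped: after replacing the library
  #    these must be restarted, or they keep executing the old copy.
  for maps in /proc/[0-9]*/maps; do
    if grep -q 'liblzma\.so' "$maps" 2>/dev/null; then
      pid=${maps#/proc/}; pid=${pid%/maps}
      printf 'liblzma mapped in pid %s (%s)\n' "$pid" \
        "$(tr '\0' ' ' < /proc/"$pid"/cmdline 2>/dev/null)"
    fi
  done
  return $hit
}

# Usage: sh xz_check.sh --scan   (exit status 1 when an affected version is found)
if [ "${1:-}" = "--scan" ]; then
  scan_host
fi
```

The version classifier works on the package manager's string rather than on `grep 5.6.1`, because a rollback package can legitimately carry the compromised version number in its name while shipping clean sources. The process listing is the part most often skipped: downgrading the package does not unload the library from processes that already mapped it.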

Read more: https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/