Critical Vulnerability in XZ Utils

Published on 01 Apr 2024

Security researchers have disclosed a critical vulnerability (CVE-2024-3094) in XZ Utils used in Linux distributions. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 10 out of 10.

Successful exploitation of the vulnerability could allow an unauthorised attacker to bypass sshd authentication and gain remote access to the entire system.

The critical vulnerability affects XZ versions 5.6.0 and 5.6.1.

Users and administrators of Linux distributions are advised to verify if their systems are using affected XZ versions by inputting xz --version in the command line . If their systems are using an affected version, users and administrators are advised to downgrade to XZ versions 5.4.x or disable SSH services immediately, and review their systems for any malicious or suspicious activity.

More information is available here:

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/#google_vignette

https://nvd.nist.gov/vuln/detail/CVE-2024-3094