CVE-2024-3094
published 2024-03-29


Priority: P1 (85), critical
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 85.97% (99.7th percentile)
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
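To make the disguise concrete, here is an added Python sketch (not the page's or the xz project's code) of the first step in the chain the description refers to: the `tr` swap that turns the "corrupt" test file back into a valid .xz stream, after which the build continues with the recovered data. The later steps of the real macro (the `tail -c` cut, the second `tr` pass over byte ranges and the raw LZMA1 decode of the extension data) are not reproduced. The sample payload, the `disguise()` helper and all function names are constructed for the demo.

```python
import lzma

# The malicious m4/build-to-host.m4 un-corrupts the test file with
#     tr "\t \-_" " \t_\-"
# i.e. tab <-> space and '-' <-> '_'. The swap is its own inverse, so the
# same table both disguises and recovers the stream.
_SWAP = bytes.maketrans(b"\t -_", b" \t_-")

# xz stream magic. None of its six bytes is tab, space, '-' or '_', so the
# swap leaves the header intact: tools still identify the file as XZ data
# while xz -d fails on the body. That is what made the file look "corrupt".
XZ_MAGIC = b"\xfd7zXZ\x00"


def tr_swap(data: bytes) -> bytes:
    """Apply the tab/space and hyphen/underscore swap (same as the tr call)."""
    return data.translate(_SWAP)


def extract_hidden_stream(disguised: bytes) -> bytes:
    """Undo the swap, then xz-decompress: the first stage of the build-time chain."""
    return lzma.decompress(tr_swap(disguised))


def disguise(payload: bytes) -> bytes:
    """Constructed for the demo: build a disguised .xz the same way the attacker did."""
    return tr_swap(lzma.compress(payload, format=lzma.FORMAT_XZ))


def looks_like_xz(data: bytes) -> bool:
    """True if the header still advertises an xz stream (the disguise keeps it)."""
    return data.startswith(XZ_MAGIC)


def decodes_cleanly(data: bytes) -> bool:
    """True if plain xz -d would accept the bytes without the un-swap step."""
    try:
        lzma.decompress(data)
        return True
    except lzma.LZMAError:
        return False


if __name__ == "__main__":
    # Constructed stand-in for the hidden stage script; not the real payload.
    hidden = b"#!/bin/sh\necho stage-1 script would run here\n"
    blob = disguise(hidden)
    print("magic intact:      ", looks_like_xz(blob))
    print("plain xz -d works: ", decodes_cleanly(blob))
    print("recovered payload: ", extract_hidden_stream(blob) == hidden)
```

The practical lesson for review: a test fixture that is "corrupt" yet keeps a valid magic number, and a build macro that pipes a fixture through `tr` before decompressing it, are each worth a second look on their own; together they are the whole delivery mechanism.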

Affected (19 ranges)

Vendor     | Product               | Version range                              | Fixed in
-----------+-----------------------+--------------------------------------------+--------------------------------------
debian     | xz-utils              | < xz-utils 5.6.1+really5.4.5-1 (forky)     | xz-utils 5.6.1+really5.4.5-1 (forky)
lighttpd   | lighttpd              | >= 0, < 1.4.76-r0                          | 1.4.76-r0
lighttpd   | lighttpd              | >= 0, < 1.4.76-r0                          | 1.4.76-r0
lighttpd   | lighttpd              | >= 0, < 1.4.76-r0                          | 1.4.76-r0
lighttpd   | lighttpd              | >= 0, < 1.4.76-r0                          | 1.4.76-r0
paloalto   | cloud_ngfw            | (not given)                                | (not given)
paloalto   | cortex_xdr            | (not given)                                | (not given)
paloalto   | cortex_xdr_agent      | (not given)                                | (not given)
paloalto   | globalprotect_app     | (not given)                                | (not given)
paloalto   | pan-os                | (not given)                                | (not given)
paloalto   | prisma_access         | (not given)                                | (not given)
paloalto   | prisma_cloud          | (not given)                                | (not given)
paloalto   | prisma_cloud_compute  | (not given)                                | (not given)
tukaani    | xz                    | (not given)                                | (not given)
tukaani    | xz                    | (not given)                                | (not given)
tukaani    | xz                    | >= 0, < 5.6.1-r2                           | 5.6.1-r2
tukaani    | xz                    | >= 0, < 5.6.1-r2                           | 5.6.1-r2
tukaani    | xz                    | >= 0, < 5.6.1-r2                           | 5.6.1-r2
tukaani    | xz                    | >= 0, < 5.6.1-r2                           | 5.6.1-r2

Detection & IOCs (extracted from sources)

filename: m4/build-to-host.m4
filename: bad-3-corrupt_lzma2.xz
filename: good-large_compressed.lzma
filename: liblzma_la-crc64-fast.o
filename: .libs/liblzma_la-crc64_fast.o
hash:     048b064241f06b0975c2e20132379b5478af0247
hash:     cc23255b7c051d9c35d769d4e91d168e3f410c01
hash:     96e42f5baf3f1bad129de247e (truncated)
path:     srcdir/tests/files/
command:  cat bad-3-corrupt_lzma2.xz | tr "\t \-_" " \t_\-" | xz -d
command:  for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "No match found for $xz_p"; done
filename: crc64_fast.c
bytes:    ~!:_ W
bytes:    |_!{ -
bytes:    jV!.^%
bytes:    %.R.1Z
  • The malicious code is present only in the complete release tarballs, NOT in the Git repository source: the M4 macro (m4/build-to-host.m4) that triggers the backdoor build process is absent from Git. Diffing a tarball against a Git checkout of the same tag is therefore a direct check.
  • The backdoor abuses glibc's IFUNC mechanism in liblzma's crc32/crc64 resolvers to gain execution while sshd is still being loaded, then hooks RSA_public_decrypt in OpenSSH; hunt for unexpected IFUNC resolver overrides and hooked OpenSSL entry points in liblzma-linked processes, especially sshd.
  • Anomalous SSH login slowness on Debian Sid / Fedora systems running xz 5.6.0 or 5.6.1 (about half a second of extra CPU per login in the original report, along with valgrind errors in liblzma) was the original discovery signal; treat unexplained sshd latency as a hunt pivot.
  • In the backdoored build, the `__get_cpuid()` call inside `is_arch_extension_supported()` (crc64_fast.c) is rewritten to `_get_cpuid()`, a symbol supplied by the injected object file. A liblzma binary that contains a standalone `_get_cpuid` symbol (as opposed to the legitimate `__get_cpuid`) is a static IOC of an injected build.
  • The backdoor injects only when built on x86-64 Linux with GCC and the GNU linker, targeting Debian or Fedora package builds, and only when `config.status` is present; build environment checks can be used to scope exposure.
  • In version 5.6.1, the Stage 1 payload repeats its Linux OS check five times to ensure injection only on Linux; this repeated check pattern is detectable in static analysis of the extracted script.
  • Docker images based on Debian with xz-utils 5.6.0 or 5.6.1 remain on Docker Hub; scan container images for the backdoored liblzma.so before pulling or deploying.
  • The runtime checks require the process to be /usr/sbin/sshd (argv[0]), started with TERM unset and without LD_DEBUG or LD_PROFILE, which is how systemd launches it; an sshd started from an interactive shell does not trigger the full hook, which can be used as a differential diagnostic.
  • The backdoor is only present in xz-utils versions 5.6.0 and 5.6.1; versions 5.4.x and earlier are unaffected. Downgrade to 5.4.x or upgrade to 5.6.2 or later to remediate.
  • No versions of Red Hat Enterprise Linux (RHEL) are affected; impact is scoped to Fedora 41/Rawhide, Debian unstable (Sid) and other rolling distributions that patched sshd with liblzma.
  • The backdoor was tailored to distributions that patch their SSH daemon with liblzma (via libsystemd); systems where sshd is NOT linked against liblzma are not exploitable via this vector. `ldd "$(command -v sshd)" | grep liblzma` shows whether a given host's sshd carries the dependency.
  • Version 5.6.1 introduced modularity allowing future payloads to be injected via binary test blobs in tests/files/, located by the byte markers listed above, without new build-file commits; future variants may therefore not require changes to m4/build-to-host.m4.
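The indicators above, put to work: an added Python scanner (not the page's, the xz project's or any vendor's tool) that walks a directory tree such as an unpacked tarball, a mounted container layer or a host root, and reports filename, extension-marker, version-string and standalone `_get_cpuid` hits. The sample tree it builds is constructed for the demo; the assumption that the two complete 40-hex hashes are SHA-1 file digests is labelled in the code.

```python
import hashlib
import os
import re
import tempfile

# Indicator values are the ones listed above; the scanner itself is illustrative.
IOC_FILENAMES = {
    "build-to-host.m4", "bad-3-corrupt_lzma2.xz", "good-large_compressed.lzma",
    "liblzma_la-crc64-fast.o", "liblzma_la-crc64_fast.o",
}
# Assumption: the two complete 40-hex hashes are SHA-1 digests of file contents.
# If they are git object IDs instead, swap in a git-blob style digest here.
IOC_HASHES = {
    "048b064241f06b0975c2e20132379b5478af0247",
    "cc23255b7c051d9c35d769d4e91d168e3f410c01",
}
# Byte markers the 5.6.x stages search for in tests/files/ to locate extra payloads.
IOC_MARKERS = [b"~!:_ W", b"|_!{ -", b"jV!.^%", b"%.R.1Z"]
VERSION_RE = re.compile(rb"xz \(XZ Utils\) 5\.6\.[01]")
# Standalone _get_cpuid is the injected symbol; \w lookarounds exclude the
# legitimate __get_cpuid, which would otherwise match as a substring.
CPUID_HOOK_RE = re.compile(rb"(?<!\w)_get_cpuid(?!\w)")


def scan_file(path, relpath):
    """Return (relpath, kind, value) tuples for every indicator hit in one file."""
    hits = []
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        data = fh.read()
    if name in IOC_FILENAMES:
        hits.append((relpath, "filename", name))
    digest = hashlib.sha1(data).hexdigest()
    if digest in IOC_HASHES:
        hits.append((relpath, "hash", digest))
    for marker in IOC_MARKERS:
        if marker in data:
            hits.append((relpath, "marker", marker.decode()))
    m = VERSION_RE.search(data)
    if m:
        hits.append((relpath, "version", m.group().decode()))
    if CPUID_HOOK_RE.search(data):
        hits.append((relpath, "cpuid_hook", "_get_cpuid"))
    return hits


def scan_tree(root):
    """Walk root (host filesystem, unpacked tarball or container layer) and collect hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend(scan_file(full, rel))
    return sorted(findings)


def verdict(findings):
    """A liblzma with the injected symbol is the decisive hit; anything else needs triage."""
    kinds = {kind for _p, kind, _v in findings}
    if "cpuid_hook" in kinds:
        return "backdoored-liblzma"
    if kinds:
        return "suspicious"
    return "clean"


def build_sample_tree():
    """Constructed sample layout for the demo; contents are stand-ins, not real xz artifacts."""
    root = tempfile.mkdtemp(prefix="xz-ioc-")
    samples = {
        # A fixture carrying one of the 5.6.1 extension markers.
        "tests/files/good-large_compressed.lzma":
            b"\xfd7zXZ\x00" + b"\x00" * 8 + b"jV!.^%" + b"\x00" * 8,
        # A library with the affected version string and the injected symbol.
        "usr/lib/liblzma.so.5.6.1":
            b"\x7fELF\x00xz (XZ Utils) 5.6.1\x00__get_cpuid\x00_get_cpuid\x00",
        # A clean 5.4.x binary: only the legitimate __get_cpuid, so no hit.
        "usr/bin/xz":
            b"\x7fELF\x00xz (XZ Utils) 5.4.5\x00__get_cpuid\x00",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    hits = scan_tree(build_sample_tree())
    for hit in hits:
        print(*hit)
    print("verdict:", verdict(hits))
```

On a real host point `scan_tree()` at `/` (or at the mount point of a container layer); the version-string check alone reproduces what the `strings | grep "xz (XZ Utils)"` one-liner above does, and the `_get_cpuid` check is what separates a merely vulnerable version from a build that actually had the object injected.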

CVSS provenance

Source         | Version | Score | Severity | Vector
---------------+---------+-------+----------+----------------------------------------------
nvd            | v3.1    | 10.0  | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
osv            |         | 10.0  | CRITICAL |
vendor_debian  |         | 10.0  | LOW      |
vendor_redhat  |         | 10.0  | CRITICAL |