XZ: Embedded Malicious Code (CVE-2024-3094)

Brocade Fabric OS (2 more products)
23205
08 April 2024
01 April 2024
OPEN
MEDIUM
10: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2024-3094
Brocade Security Advisory ID: BSA-2024-2528
Component: XZ Utils Data Compression Library

Summary

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source tree. This object file is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that can be used by any software linked against it, intercepting and modifying that software's interaction with the library.

More at: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

Detail

XZ Utils is a widely used package present in major Linux distributions. Only two of the most recent versions of the package, 5.6.0 and 5.6.1, released within the past month, are known to be infected. Stable versions of most Linux distributions were not affected.

The sophisticated malicious payload that came with the affected versions of XZ Utils ran in the same process as the OpenSSH server (SSHD) and modified decryption routines in the OpenSSH server to allow specific remote attackers (who own a specific private key) to send arbitrary payloads through SSH that would be executed before the authentication step, effectively hijacking the entire victim machine.
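The two checks a defender wants after reading the above, written here as an added example rather than Brocade's own tooling: whether the installed xz is one of the two affected releases named in this advisory (5.6.0 and 5.6.1), and whether the local OpenSSH server actually loads liblzma, since the payload only reaches sshd through that linkage. The sshd paths and the note that liblzma arrives via libsystemd are assumptions, not statements from the advisory.

```shell
#!/bin/sh
# Added example, not part of the Brocade advisory. Two defender-side checks:
#  1. is the installed xz one of the affected releases (5.6.0, 5.6.1)?
#  2. does the local sshd load liblzma, the route by which the payload
#     reached the OpenSSH server process? (assumed: on the affected
#     distributions sshd pulls in liblzma indirectly through libsystemd)

# Return 0 when the version string names an affected release, 1 otherwise.
# Accepts the first line of `xz --version` ("xz (XZ Utils) 5.6.1") or a
# bare "5.6.1"; the first whitespace-separated dotted triple is the version.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | head -n 1 |
          awk '{ for (i = 1; i <= NF; i++)
                     if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit } }')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when the binary at $1 has liblzma among its shared-library
# dependencies (directly or via libsystemd), 1 otherwise or if unreadable.
sshd_links_liblzma() {
    [ -r "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma' || return 1
    return 0
}

# Stand-alone run against this host. The sshd locations are the usual
# ones (assumed); adjust for your distribution. A match on both checks
# means the host should be handled per your distribution's xz guidance.
if command -v xz >/dev/null 2>&1; then
    if xz_version_affected "$(xz --version 2>/dev/null | head -n 1)"; then
        echo "xz: installed version is an affected release (5.6.0 or 5.6.1)"
    else
        echo "xz: installed version is not one of the affected releases"
    fi
fi
for sshd in /usr/sbin/sshd /usr/bin/sshd; do
    if sshd_links_liblzma "$sshd"; then
        echo "$sshd loads liblzma: the xz result above applies to sshd"
    fi
done
```

The version check is the necessary first step, not proof of compromise on its own: the advisory's scope is the upstream tarballs, so confirm against your distribution's packaging before drawing conclusions.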

Products Confirmed Not Affected

  • Brocade ASCG - Not Affected - Vulnerable_code_not_present
  • Brocade SANnav - Not Affected - Component_not_present
  • Brocade SANnav OVA versions - Not Affected - Vulnerable_code_not_present
  • Brocade Fabric OS
    • Brocade Fabric OS versions before v9.x - Not Affected - Component_not_present
    • Brocade Fabric OS version v9.0 and later releases - Not Affected - Vulnerable_code_not_present

Revision History

Version  Change                      Date
1.0      Initial Publication         4/1/2024
1.1      Update SANnav OVA versions  4/7/2024

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.