XZ: Embedded Malicious Code (CVE-2024-3094)
08 April 2024
01 April 2024
OPEN
MEDIUM
10: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2024-3094
Brocade Security Advisory ID | BSA-2024-2528
Component | XZ Utils Data Compression Library
Summary
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source tree. That object file is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that is loaded by any software linked against it, allowing the malicious code to intercept and modify that software's interaction with the library.
Detail
XZ Utils is a widely used package present in major Linux distributions. Only the two most recent versions of the package, 5.6.0 and 5.6.1, released within the past month, are known to be affected. Stable versions of most Linux distributions were not affected.
The sophisticated malicious payload shipped with the affected versions of XZ Utils ran in the same process as the OpenSSH server (sshd) and modified decryption routines in the OpenSSH server to allow specific remote attackers (those holding a specific private key) to send arbitrary payloads through SSH that would be executed before the authentication step, effectively hijacking the entire victim machine.
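The following host check is an added example, not part of the Brocade advisory: it compares the installed xz version against the two affected upstream releases named above (5.6.0 and 5.6.1) and reports whether the local sshd binary links liblzma, the path by which the payload reached the OpenSSH server process. The function names and the `--run` flag are this example's own; distribution package suffixes (e.g. "5.6.1-1") are handled by comparing only the leading MAJOR.MINOR.PATCH.

```shell
#!/bin/sh
# Added example (not Brocade's or the xz project's code): checks a host for the
# affected upstream xz releases (5.6.0, 5.6.1) and for sshd linking liblzma.

# Return 0 (true) when the version string is an affected upstream release.
# Only the leading MAJOR.MINOR.PATCH is compared, so "5.6.1-1ubuntu1" counts.
xz_version_affected() {
    base=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case "$base" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1" (later lines, such as liblzma's, are ignored).
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[^[:space:]]*\).*/\1/p'
}

# Return 0 when the sshd binary lists liblzma among its dynamic dependencies
# (directly or via another library), 1 when it does not, 2 when sshd is absent.
sshd_links_liblzma() {
    bin=${1:-$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)}
    [ -x "$bin" ] || return 2
    ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Human-readable report for the host this script runs on.
main_check() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "xz $ver: AFFECTED upstream release (CVE-2024-3094)"
        else
            echo "xz $ver: not an affected upstream release"
        fi
    else
        echo "xz not installed"
    fi
    sshd_links_liblzma; rc=$?
    case $rc in
        0) echo "sshd links liblzma: a modified library would load into the SSH server process" ;;
        1) echo "sshd does not link liblzma" ;;
        *) echo "sshd binary not found; skipping link check" ;;
    esac
}

# Invoke with --run to perform the check on this host.
if [ "${1:-}" = "--run" ]; then main_check; fi
```

A non-affected version result only rules out the two known upstream releases; it does not replace verifying package provenance through the distribution's own advisories.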
Products Confirmed Not Affected
- Brocade ASCG - Not Affected - Vulnerable_code_not_present
- Brocade SANnav - Not Affected - Component_not_present
- Brocade SANnav OVA versions - Not Affected - Vulnerable_code_not_present
- Brocade Fabric OS
  - Brocade Fabric OS versions before v9.x - Not Affected - Component_not_present
  - Brocade Fabric OS version v9.0 and later releases - Not Affected - Vulnerable_code_not_present
Revision History
Version | Change | Date
1.0 | Initial Publication | 4/1/2024
1.1 | Update SANnav OVA versions | 4/7/2024
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.