What is the CVE-2024-3094 Attack ? (Current Vulnerability)
Turkish Video
Overview of CVE-2024-3094
Red Hat recently released CVE-2024-3094 (CVSS score of 10), a reported supply chain compromise found in the XZ Utils library (formerly known as LZMA Utils). The malicious code, which was introduced by a previously trusted developer, attempts to weaken the authentication of SSH sessions via SSHD. The affected versions of XZ are not widely distributed and are typically found in the most bleeding-edge Linux distribution builds such as the fedora rawhide and debian testing and unstable distributions.
According to Red Hat:
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
This backdoor leverages the testing mechanisms in the build process. It was put in place as part of a sophisticated supply chain attack.
As the library is being built, a test process spins up, runs a few checks on the target system, and then, if the relevant checks pass, pulls a pre-built object file that is extracted and woven into the compilation and linking process. The backdoor is very selective of its target. It only weaves the backdoor into target builds running on x64 architectures, which is clearly indicated by the check that runs during the building process. This issue affects versions 5.6.0 and 5.6.1 of XZ.
Affected Versions
Debian - unstable / sid. Starting from version 5.5.1alpha-0.1 up to and including version 5.1.1-1
Kali - Systems that had their packages updated between March 26-29, 2024
OpenSUSE - Tumbleweed and MicroOS versions: Between March 7-28, 2024
Arch Linux - Version 2024.03.01, VM images 20240301.218094 and 20240315.221711, container images created between February 24, 2024, and March 28, 2024
Fedora - Rawhide and Fedora 40 Beta
Source : CVE-2024-3094 Saldırısı Nedir ? (Güncel Açık)
