Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution
Apr 02, 2024
Firmware Security / Vulnerability
The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed. The audacious supply chain compromise, tracked as CVE-2024-3094 (CVSS score: 10.0), came to light last week when Microsoft engineer and PostgreSQL developer Andres Freund alerted to the presence of a backdoor in the data compression utility that gives remote attackers a way to sidestep secure shell authentication and gain complete access to an affected system. "I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise," Freund said in a post shared on Mastodon. "Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc." "Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled tha...