TLP: CLEAR
  Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
  http://www.us-cert.gov/tlp/
Summary: The Cybersecurity and Infrastructure Security Agency (CISA) and the open-source community are responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. This activity was assigned CVE-2024-3094 and has been categorized as critical.
  XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems. CISA recommends users downgrade XZ Utils to an uncompromised version (such as XZ Utils 5.4.6 Stable) and hunt for any malicious activity.
NYSIC CAU Analyst Note: According to Red Hat, the malicious injection in the vulnerable versions of the libraries is obfuscated and only included in full in the download package. The Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present. The resulting malicious build interferes with authentication in sshd via systemd. The malicious script in the tarballs is obfuscated, as are the files containing the bulk of the exploit, so this is likely intentional.
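Added example, not part of the original advisory: a shell check that classifies an XZ Utils or liblzma version string against the affected versions named in the summary (5.6.0 and 5.6.1). The function names and sample strings are constructed for illustration, and the check judges the upstream version number only.

```sh
#!/bin/sh
# Added example (not from the advisory): flag XZ Utils / liblzma versions
# 5.6.0 and 5.6.1, the versions the advisory names as affected.

# classify_xz_version VERSION -> prints affected | not-affected | unknown
classify_xz_version() {
    xzv="$1"
    # Revert packages in the Debian "+really" style are versioned
    # "<old>+really<actual>"; the shipped code is the part after "+really".
    case "$xzv" in
        *+really*) xzv="${xzv##*+really}" ;;
    esac
    xzv="${xzv#*:}"          # drop a package epoch such as "1:"
    xzv="${xzv%%[-+~]*}"     # drop a package revision such as "-1"
    case "$xzv" in
        5.6.0|5.6.1)     echo "affected" ;;
        *[!0-9.]*|"")    echo "unknown" ;;       # not a plain x.y.z number
        *.*.*)           echo "not-affected" ;;
        *)               echo "unknown" ;;
    esac
}

# classify_xz_output TEXT -> classify the liblzma line of `xz --version` output.
# The library version is used because the advisory locates the malicious
# code in the library build.
classify_xz_output() {
    lib_ver=$(printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }')
    classify_xz_version "$lib_ver"
}

# Constructed sample of `xz --version` output from an affected host.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Run with --local to check the xz binary on this host.
if [ "${1:-}" = "--local" ]; then
    if command -v xz >/dev/null 2>&1; then
        echo "local xz: $(classify_xz_output "$(xz --version)")"
    else
        echo "local xz: not installed"
    fi
fi
```

An "affected" result identifies a host to downgrade and to include in the hunt the advisory recommends; a naive substring match on "5.6.1" would also flag reverted packages that no longer ship that code.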
The following sites should be referenced for additional information:
  hxxps://www.redhat[.]com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
  hxxps://nvd.nist[.]gov/vuln/detail/CVE-2024-3094
  
This information has been disseminated to:
  NYSIC CAU Contacts – OCT-CIP
  NYSIC CAU Contacts – ITS EISO
  NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
  NYSIC CAU Contacts – County ISO
  NYSIC CAU Contacts – Critical Infrastructure: All
  NYSIC CAU Contacts – SLTT
  NYSIC CAU Contacts – Private
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.