
XZ Utils vulnerability

This live blog contains information regarding an XZ Utils vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog.


Last updated on April 2, 2024.

Andres Freund has discovered a vulnerability in the XZ libraries (versions 5.6.0 and 5.6.1). The vulnerability in liblzma allows access to systems running SSHD. To gain access, a specific key must be used, and the SSHD environment must be accessible from the public web. An unauthorized attacker can exploit this vulnerability to create a new administrator account and/or initiate remote code execution, with all the associated risks.


Background

The Dutch National Cyber Security Centre (NCSC) has classified this vulnerability as ‘High/High’. The CVE-2024-3094 vulnerability has been rated with a score of 10. This indicates a high risk of abuse and serious impact.

Risk

The vulnerability concerns XZ Utils 5.6.0 and 5.6.1. It allows an attacker to create a new administrator account and execute arbitrary code.

Vulnerable:

  1. Kali Linux: Only versions between March 26 and March 29 are affected.
  2. openSUSE Tumbleweed and openSUSE MicroOS: Available from March 7 to March 28.
  3. Fedora 41, Fedora Rawhide, and Fedora Linux 40 beta.
  4. Debian: Only the testing, unstable, and experimental distributions.

Safe:

  1. Red Hat Enterprise Linux (RHEL)
  2. SUSE Linux Enterprise
  3. openSUSE Leap
  4. Debian Stable

Advice

Use the command xz --version to check the version. Users of XZ Utils 5.6.0 and 5.6.1 are strongly advised to downgrade to version 5.4.6 as soon as possible. If the system was vulnerable and connected to the public internet with OpenSSH, it is recommended to check whether the system has been attacked.
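
Added example (not part of the original post): a POSIX shell function that classifies the output of xz --version against the two affected releases named above. It checks the liblzma line as well as the xz line, because the flaw sits in the library. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `xz --version` output against the affected
# releases named in this advisory (5.6.0 and 5.6.1).

# Extract the version numbers from `xz --version` output on stdin:
# one from the "xz (XZ Utils) X.Y.Z" line, one from the "liblzma X.Y.Z" line.
xz_versions() {
    sed -n -e 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' \
           -e 's/^liblzma \([0-9][0-9.]*\).*/\1/p'
}

# Read `xz --version` output on stdin and print one verdict line:
#   AFFECTED <version>   either line reports 5.6.0 or 5.6.1
#   OK <versions>        versions were parsed and none is affected
#   UNKNOWN              no version could be parsed (xz missing, odd output)
classify_xz() {
    versions=$(xz_versions)
    [ -n "$versions" ] || { echo "UNKNOWN"; return 0; }
    for v in $versions; do
        case "$v" in
            5.6.0|5.6.1) echo "AFFECTED $v"; return 0 ;;
        esac
    done
    # Unquoted expansion joins the parsed versions onto one line.
    echo "OK $(echo $versions)"
}

# Constructed sample (not captured from a real host): the command-line tool
# was downgraded but the library was not, so the host is still flagged.
printf 'xz (XZ Utils) 5.4.6\nliblzma 5.6.1\n' | classify_xz

# On a real host, classify the live output when xz is installed.
if command -v xz >/dev/null 2>&1; then
    xz --version | classify_xz
fi
```

The same function can be run over version output collected from many hosts, one host at a time, to build a list of systems that still need the downgrade to 5.4.6.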
