Critical Vulnerability in Linux XZ Utils Library

On March 28th, 2024, it was discovered that a backdoor had been introduced into the XZ Utils library through a sophisticated social engineering attack. XZ Utils provides data compression and decompression services and is included in many Linux distributions.

Tracked as CVE-2024-3094, the backdoor allows an attacker to achieve remote code execution by supplying a specially crafted RSA key. The vulnerability is rated 10.0 (Critical) under CVSS 3.1, the highest score that scale allows.

Known affected versions are 5.6.0 and 5.6.1. CISA recommends that developers downgrade to an uncompromised version of the XZ Utils library, such as 5.4.6.
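The following script is an added example, not code from Phoenix Technologies or the XZ Utils project. It checks whether the `xz` binary on a host reports one of the two versions this advisory names as affected (5.6.0 or 5.6.1), parsing the first line of `xz --version` output (assumed to have the form `xz (XZ Utils) 5.6.1`). The function names `is_affected_xz`, `xz_version_from_output` and `check_installed_xz` are choices made for this example.

```shell
#!/bin/sh
# Added example (not Phoenix Technologies' or XZ Utils' code): flag the XZ
# Utils versions named as backdoored in CVE-2024-3094 (5.6.0 and 5.6.1).

# is_affected_xz VERSION -> returns 0 if VERSION is 5.6.0 or 5.6.1, 1 otherwise
is_affected_xz() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# xz_version_from_output TEXT -> prints the version number in the first line
# of `xz --version` output; assumed format "xz (XZ Utils) 5.6.1" -> "5.6.1".
# Prints nothing if the line does not match.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# check_installed_xz -> inspects the xz binary on PATH.
# Exit status: 0 = not an affected version, 1 = affected, 2 = undetermined.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not found on PATH"
        return 2
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "xz: could not parse version from 'xz --version' output"
        return 2
    fi
    if is_affected_xz "$ver"; then
        echo "xz $ver: AFFECTED by CVE-2024-3094; downgrade to an uncompromised release such as 5.4.6"
        return 1
    fi
    echo "xz $ver: not one of the known affected versions (5.6.0, 5.6.1)"
    return 0
}

# Run the check only when invoked with --check, so the functions can also be
# sourced into other scripts.
if [ "${1:-}" = "--check" ]; then
    check_installed_xz
fi
```

Run it as `sh check-xz.sh --check` on each host, or source it and call `is_affected_xz` from a fleet inventory script. The version list is deliberately an exact match on the two releases the advisory names rather than a range comparison, so it will not misclassify a later, fixed release.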

Currently, there are no known versions of the vulnerable XZ Utils library present in UEFI firmware.

CVE-2024-3094 | CISA Alert | Ubuntu Alert