XZ Utils supply chain compromise (CVE-2024-3094)

Advisory ID

WGSA-2024-00007

CVE

CVE-2024-3094

Impact

Critical

Status

Not Applicable

Product Family

Firebox, Dimension, Secure Wi-Fi

Published Date

2024-04-04

Updated Date

2024-04-04

Workaround Available

False

CVSS Score

10.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

On March 29, a software engineer at Microsoft discovered and disclosed a supply chain attack against the popular Linux decompression utility XZ Utils. After analysis, researchers confirmed a rogue developer had inserted malicious code into the 5.6.0 and 5.6.1 releases of XZ Utils. This malicious code could allow an adversary with a carefully crafted SSH public key to execute arbitrary code with SYSTEM permissions on affected Linux-based systems.

Affected

No WatchGuard products use the affected versions of XZ Utils

Resolution

No resolution necessary

References

https://www.openwall.com/lists/oss-security/2024/03/29/4

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV
Firebox	Fireware OS 12.5.x	T15, T35
Dimension	Dimension	Dimension
Secure Wi-Fi	Wi-Fi 4 & 5	AP125, AP225W, AP325, AP327X, AP420
Secure Wi-Fi	Wi-Fi 6	AP130, AP330, AP332CR, AP430CR, AP432

Lista de Avisos

Go to