Microsoft published guidance and advice for the XZ Utils backdoor vulnerability, tracked at CVE-2024-3094. This vulnerability has a CVSS (Common Vulnerability Scoring System) score of 10 out of 10 and affects many Linux distributions, namely Fedora, Kali Linux, OpenSUSE, Debian testing, Alpine, and it could have a huge global impact.
The vulnerability was accidentally discovered in time by a Microsoft Linux developer, Mr Andres Freund, who was curious because there was a 500ms delay on connections SSH (Secure Shell). So he discovered a backdoor built into the compressor files XZ.
So far, VirtusTotal lists only four security vendors of the 63, including Microsoft, that can correctly identify the vulnerability.
According to the company's instructions, to verify if a system has a vulnerability software, you can run the following command as root:
xz –version
