Neat Statement on the XZ Utils Vulnerability

Last updated on April 12, 2024

At Neat, we make an effort to continuously assess the security of our products and services. When issues or vulnerabilities are discovered, we work quickly to resolve them and communicate this to our customers and partners.

Malicious code inserted into the open-source library XZ Utils, a widely used package available in many popular Linux distributions, can potentially be used to facilitate remote code execution, based on a recent analysis from the security community. The XZ Utils supply chain vulnerability, listed as CVE-2024-3094, has been scored at the highest CVSS (Common Vulnerability Scoring System) level of 10.0.

What is XZ Utils?

XZ Utils is a command-line tool used for compressing and decompressing data in Linux and other Unix-like operating systems.

Vulnerability Details

Although the investigation is still ongoing, the malicious backdoor code appears to have been deliberately introduced into the open-source code by one of the project maintainers. The supply chain attack allows a backdoor to be created through the SSH daemon authentication process on the vulnerable machine. Running the malicious code allows a remote attacker to execute arbitrary code on that machine.

The backdoor affects the XZ Utils 5.6.0 and 5.6.1 releases, and is present only in the complete package downloads of those releases.
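The following is an added example, not code from Neat or from the XZ Utils project, showing how a defender can check whether the xz binary on a host is one of the two releases this statement names. It assumes the first line of `xz --version` has the form `xz (XZ Utils) 5.6.1`; the sample banners are constructed so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not Neat's own code): classify an xz version against the two
# releases named above as carrying the backdoor (CVE-2024-3094: 5.6.0, 5.6.1).

# is_affected VERSION -> exit status 0 if VERSION is one of the backdoored releases
is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# version_from_banner BANNER -> print the version number parsed from the first
# line of `xz --version` output (assumed format: "xz (XZ Utils) 5.6.1")
version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# check_host -> inspect the xz binary on this machine, if one is installed;
# exit status 1 when an affected release is found, 0 otherwise
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    v=$(version_from_banner "$(xz --version 2>/dev/null)")
    if is_affected "$v"; then
        echo "xz $v: affected release (CVE-2024-3094), verify the package origin"
        return 1
    fi
    echo "xz $v: not one of the affected releases"
    return 0
}

# Constructed sample banners (not captured from a real system).
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Run the live host check only when invoked as: sh check_xz.sh --host
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

A version match is a reason to look further, not proof on its own: the statement notes that the backdoor is present only in the complete package downloads of those releases, so a host reporting 5.6.0 or 5.6.1 should also be checked through its package manager to confirm where the installed build came from and whether the distribution has since replaced it.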

Current Analysis

We have completed our internal investigation and determined that the XZ Utils vulnerability is not applicable to Neat products.

Referenced Sources

(Please note that Neat is not responsible for the contents of third-party websites.)

Additional Support

We encourage you to visit our support website (https://support.neat.no) for updates regarding this notification as well as any future potential security incidents. If you encounter an issue with your Neat device, please email support@neat.no and one of our technical support engineers will reach out to you.

Note: Neat provides support on Neat devices running current released software or running software from the previous release. For more information on our support policy, please see the article Neat’s technical support policy.

IMPORTANT: Please see our privacy policy at https://neat.no/privacy-policy/