03/29/2024 | News release | Distributed by Public on 03/29/2024 22:14
On March 29th, 2024, a backdoor was identified in versions 5.6.0 and 5.6.1 of XZ Utils. Under certain conditions, this backdoor may allow remote access to the targeted system. This disclosure was posted to the Openwall mailing list. The discoverer mentions that this supply-chain attack was discovered while investigating SSH performance issues. This compromise is identified as CVE-2024-3094.
XZ Utils and Libs
XZ Utils is a command line tool that contains functionality for compression and decompression of XZ files. It is found as an upstream package for almost all distributions and can also be downloaded and compiled independently.
Technical Details of CVE-2024-3094:
The obfuscated code was discovered in the upstream source tarballs of the affected xz versions. This malicious code has not been detected in the Git distribution, which lacks the M4 macro. Based on the discoverer's comments on the mailing list, this M4 macro is responsible for the backdoor build process: once the macro is present, second-stage artifacts found in the Git repository are injected during the binary compilation process.
Impact of this Malicious Code:
Red Hat mentions that "the resulting malicious build interferes with authentication in sshd via systemd. Under the right circumstances, this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely."
Affected Versions:
XZ Utils versions 5.6.0 and 5.6.1 are vulnerable. Installations of these versions on testing, unstable, or other bleeding-edge distributions should be considered compromised.
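A quick way to check an installed xz against the two affected releases, as an added example that is not part of the Qualys release: the functions below parse the first line of `xz --version` output and flag 5.6.0 and 5.6.1. The sample banner is constructed inline so the checks run offline; `check_local_xz` runs the real command when it is available and also reports whether the local sshd binary links liblzma (the `/usr/sbin/sshd` path and the presence of `ldd` are assumptions).

```shell
#!/bin/sh
# Added example: flag the XZ Utils releases named in CVE-2024-3094 (5.6.0, 5.6.1).

# Return 0 (true) when the given version string is one of the affected releases.
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version` output,
# which looks like: "xz (XZ Utils) 5.6.1"
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Classify a banner line: prints "affected (ver)" / "not-affected (ver)" / "unknown"
# and returns 0 / 1 / 2 respectively.
classify_banner() {
    ver=$(xz_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi
    if xz_is_affected "$ver"; then
        echo "affected ($ver)"
        return 0
    fi
    echo "not-affected ($ver)"
    return 1
}

# Check the xz binary on this host, if present. Also report whether sshd links
# liblzma, since the backdoored library is reached through sshd; the sshd path
# and the availability of ldd are assumptions for this example.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    banner=$(xz --version 2>/dev/null | head -n 1)
    classify_banner "$banner"
    rc=$?
    if command -v ldd >/dev/null 2>&1 && [ -x /usr/sbin/sshd ]; then
        if ldd /usr/sbin/sshd 2>/dev/null | grep -q liblzma; then
            echo "sshd links liblzma (check that library's version as well)"
        fi
    fi
    return $rc
}

# Constructed sample banner for offline use (not captured from a real host).
SAMPLE_BANNER='xz (XZ Utils) 5.6.1'

# Run the host check when executed directly; `|| :` keeps the script's exit
# status from aborting callers that source it with errexit enabled.
check_local_xz || :
```

The banner parser only recognizes the `xz (XZ Utils) N.N.N` form, so a packaged build that prints a different first line is reported as "unknown" rather than silently passed; the distribution's package manager remains the authoritative source for the installed version.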
Affected Distributions:
This is a developing list of operating systems and distributions that have reported whether they are affected by this vulnerability:
Qualys QID Coverage:
The Qualys Research team is building detections to enable customers to identify the risk posed by this vulnerability in their environment. Following are the details of this QID:
Additional Information for SOC teams:
SOC and Incident Responders can take the following actions to help mitigate the risk posed by CVE-2024-3094:
Additional Resources: