{"id":28714,"date":"2024-04-07T08:23:34","date_gmt":"2024-04-07T08:23:34","guid":{"rendered":"https:\/\/nsfocusglobal.com\/?p=28714"},"modified":"2026-04-17T18:07:38","modified_gmt":"2026-04-17T18:07:38","slug":"xz-utils-supply-chain-backdoor-vulnerability-updated-advisory-cve-2024-3094","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/xz-utils-supply-chain-backdoor-vulnerability-updated-advisory-cve-2024-3094\/","title":{"rendered":"XZ-Utils Supply Chain Backdoor Vulnerability Updated Advisory (CVE-2024-3094)"},"content":{"rendered":"\n

Vulnerability Overview<\/h2>\n\n\n\n

Recently, NSFOCUS CERT detected that the security community disclosed a supply chain backdoor vulnerability in XZ-Utils (CVE-2024-3094), with a CVSS score of 10. Since the underlying layer of SSH relies on liblzma, when certain conditions are met, an attacker can use this vulnerability to bypass SSH authentication and gain unauthorized access on the affected system, thus executing any system command. After investigation, it is found that the tarball upstream software package of xz infects a backdoor program. The backdoor extracts the .o file from the disguised test file during the building process, and then uses the extracted file to modify specific functions in liblzma, resulting in the generation of a modified liblzma library. Any software linked to this library may use it to intercept and modify data interaction with this library. At present, the vulnerability PoC has been made public. Relevant users are requested to take measures as soon as possible for troubleshooting and protection.<\/p>\n\n\n\n

XZ-Utils is a tool library suite widely used for processing .xz files in Linux, Unix and other POSIX compatible systems, including components such as liblzma and xz, which are integrated in the vast majority of Linux distribution repositories. NSFOCUS CERT has been successfully reproduced this vulnerability:<\/p>\n\n\n\n

\"Red<\/a><\/figure>\n\n\n\n

Reference link:<\/p>\n\n\n\n

https:\/\/tukaani.org\/xz-backdoor\/<\/a><\/p>\n\n\n\n

https:\/\/www.openwall.com\/lists\/oss-security\/2024\/03\/29\/4<\/a><\/p>\n\n\n\n

Background<\/h2>\n\n\n\n

n October 2021, JiaT75, the developer who implanted backdoor vulnerabilities, began to participate in the development of XZ-Utils project and gradually gained trust. It took over the maintenance authority of the project in 2023. In February 2024, it submitted malicious files to liblzma\/xz, introduced a hidden backdoor that allowed attackers to access SSH without authorization, and contacted the maintainer of Linux distribution. Libraries with backdoors were required to be packaged and distributed to end users, and developer Andres Freund discovered this supply chain attack activity on March 29 when analyzing SSH performance failures. GitHub has now shut down the entire XZ-Utils project.<\/p>\n\n\n\n

\"Red<\/a><\/figure>\n\n\n\n

Backdoor analysis<\/h2>\n\n\n\n

When the sshd process linked to the malicious dynamic database is started, the malicious code in liblzma.so will modify the pointing address of the RSA_public_decrypt function symbol through Hook technology. When the sshd process receives a new SSH login request, it triggers the RSA_public_decrypt function to verify the signature of related payload fields. After the verification, the attack payload hidden in the certificate field is extracted and passed to the system function for arbitrary code execution. <\/p>\n\n\n\n

Trigger conditions:<\/p>\n\n\n\n