XZ Utils Backdoor Vulnerability (CVE-2024-3094) Advisory

XZ Utils Backdoor Vulnerability (CVE-2024-3094) Advisory

abril 1, 2024 | NSFOCUS

Overview

NSFOCUS CERT recently detected that a backdoor vulnerability in XZ Utils (CVE-2024-3094) was disclosed from the security community, with a CVSS score of 10. Because the SSH underlying layer relies on liblzma, an attacker could exploit this vulnerability to bypass SSH authentication and gain unauthorized access to affected systems, allowing arbitrary code execution. After investigation, it is found that the tarball upstream software package of xz infects a backdoor program. The backdoor extracts the .o file from the disguised test file during the building process, and then uses the extracted file to modify specific functions in liblzma, resulting in the generation of a modified liblzma library. Any software linked to this library may use it to intercept and modify data interaction with this library. This backdoor program exists in the complete download package. Affected users are strongly recommended to take protective measures as soon as possible.

XZ Utils is a suite widely used in POSIX compatible systems such as Linux and Unix to process .xz files, including components such as liblzma and xz, which have been integrated into distribution repositories such as Debian, Ubuntu and Centos.

Reference link:

https://www.openwall.com/lists/oss-security/2024/03/29/4
https://access.redhat.com/security/cve/cve-2024-3094

Affected Scope

Affected Versions

  • XZ Utils = 5.6.0-5.6.1

Note: No malicious code has been found in the Git distribution version of XZ yet, and it only exists in a complete download package.

Affected Linux distributions currently known:

Fedora Rawhide (development version)

Fedora 41

MACOS HomeBrew x64

openSUSE Tumbleweed and MicroOS (released from March 7 to 28)

Kali Linux (xz-utils 5.6.0-0.2 released from March 26 to 28)

Debian 5.5.1alpha-0.1 to 5.6.1-1 (xz test version)

Unaffected version

  • XZ Utils < 5.6.0
    Note: As the developer of the implanted backdoor has been involved in maintenance since 2021, it is recommended that users downgrade XZ Utils to 5.4 or earlier for safety reasons. Linux distributions such as CentOS, Redhat, Ubuntu, Debian, and Fedora are not affected.

Vulnerability Detection

Manual troubleshooting

You can run the following command to determine whether xz is an affected version:

You can also use scripts published on Openwall to check whether the system is infected:

Mitigation Method

As of this writing, no official announcement or security update has been released for this backdoor vulnerability. Users can downgrade xz-utils to a version earlier than 5.6.0 or replace it with components such as 7zip in the application.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.

Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.

Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.