CVE Advisory: CVE-2024-3094 - Security Compromise in XZ Utils

Introduction

On March 29th, a security incident surfaced involving XZ Utils, a widely utilized data compression package integrated into major Linux distributions. Malicious code, allowing unauthorized remote SSH access, was discovered within versions 5.6.0 and 5.6.1 of XZ Utils. This exploit has been formally identified as CVE-2024-3094 and assigned a critical CVSS score of 10. 

Background

XZ Utils fell victim to a sophisticated supply chain attack where attackers targeted the liblzma library, a crucial dependency utilized by OpenSSH. This attack allowed for the injection of code into an OpenSSH server, resulting in the potential for remote code execution (RCE).

The liblzma build process employs a series of intricate obfuscations to extract a prebuilt object file from a disguised test file within the source code. This object file is then utilized to modify specific functions within the liblzma library. Any software utilizing this modified version of the liblzma library is susceptible to data interception, modification, and breaches.

The malicious code was promptly discovered, and infected only the two most recent versions of the package, 5.6.0 and 5.6.1, both of which were released within the last month.

Affected Versions

The following table describes impacted distributions, along with a corresponding recommendation for each distribution.

Table 1: A table listing impacted distributions, operating systems, and packages, along with recommendations to address the vulnerability.

Technical Details

The goal of the malicious backdoor implementing CVE-2024-3094 is to inject code into an OpenSSH server (SSHD) running on the victim's machine and allow remote attackers (who possess a certain private key) to send an arbitrary payload via SSH, which is executed before the authentication step and executes commands on the victim’s machine.

This supply chain attack uses multiple stages to decrypt obfuscated payloads and modify the build process of the XZ Utils tools. The obfuscated/encrypted stages and later binary backdoor are hidden in these two test files: 

• tests/files/bad-3-corrupt_lzma2.xz
• tests/files/good-large_compressed.lzma

The figure below depicts the attack sequence an attacker could exploit. 

Figure 1: A diagram of the attack flow.

The build process uses the following command to ensure that the victim’s system is running on Linux and possesses a x86_64 architecture:

if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1); then

In addition, the build process checks whether the .rpm package is Debian or Red Hat-based. It also inspects certain environmental variables such as TERM and LANG. The TERM variable is set after SSH client and server authentication. The malicious payload verifies that the TERM variable is not set and that the LANG variable is set, and ensures that the running binary is /usr/sbin/sshd as it won’t be relevant with other binaries.

After deciphering and decompressing the malicious payload over multiple stages, the payload is injected into liblzma.

The payload modifies the behavior of the RSA_public_decrypt function, which is used in verification of signatures. The payload decrypts the RSA public modulus N value from the attacker’s request and decrypts it using the ChaCha20 symmetric stream cipher. The validation of the decrypted data is done using the Ed448 elliptic curve signing algorithm.

Then, the decrypted payload is executed on the user’s SSH server. The backdoor contains only the public key, which ensures that only the attackers can generate valid payloads for the backdoor. The signature is bound to the host’s public key, meaning that a valid signature for one host cannot be reused for a different host.

Recommendations

In response to this threat, the Cybersecurity and Infrastructure Security Agency (CISA) has issued directives for affected individuals and organizations. XZ Utils developers and users are strongly advised to downgrade to a trusted, unaffected version of XZ Utils predating 5.6.0, such as 5.4.6 stable, or upgrade to a newer fixed version, if available.

Additionally, thorough audits of system logs and network traffic are encouraged to identify any signs of suspicious activity. Any findings should be promptly reported to CISA for further investigation.

How To Detect CVE-2024-3094

To check if your version of XZ Utils is impacted (5.6.0 or 5.6.1) run the following command:

$(which xz) --version | grep '5\.6\.[01]'

Zscaler Coverage

The Zscaler ThreatLabz team has deployed protection.

Zscaler Advanced Threat Protection: 

• Linux.Exploit.CVE-2024-3094

Zscaler continues to monitor activities, through our telemetry data, potentially exploiting this vulnerability.

References

• https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/#who-is-affected-by-cve-2024-3094
• https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
• https://vulcan.io/blog/alert-cve-2024-3094
• https://news.opensuse.org/2024/03/29/xz-backdoor/
• https://pkgs.alpinelinux.org/package/edge/main/x86/xz
• https://lists.debian.org/debian-security-announce/2024/msg00057.html