
Critical Backdoor Found in XZ Utils (CVE-2024-3094) Enables SSH Compromise

A critical vulnerability (CVE-2024-3094) was discovered in the XZ Utils library on March 29th, 2024. 

This severe flaw allows attackers to remotely execute arbitrary code on affected systems, earning it the highest possible score (10) on both the CVSS 3.1 and CVSS 4.0 scoring systems due to its immediate impact and wide scope.

What is XZ Utils?

XZ Utils is a collection of tools for the xz compression format, offering high compression ratios and fast decompression. The xz format utilizes the LZMA2 compression algorithm (an improved version of LZMA) and is considered the successor to the older lzma format, providing better compression and flexibility in the compression process. 

The XZ Utils package typically includes several command-line tools, among which the most commonly used is xz itself, for compressing and decompressing files.

Sneaky Backdoor in Test Files

On March 29th, developer Andres Freund published a security advisory about a backdoor he had found in the upstream xz/liblzma 5.6.0 and 5.6.1 releases, leading to SSH server compromise. He had noticed odd behaviour around liblzma, with SSH logins consuming far more CPU than expected, and after debugging with valgrind he determined that the xz release tarballs had been backdoored.

The backdoor was not inserted directly into the liblzma source code that is visible in version control or used by XZ directly. Instead, it was hidden within binary test files in the XZ compressed format. These files appeared benign and were nominally part of the library’s test suite.

A sophisticated method was employed where the backdoor was split into parts and concealed within two XZ compressed files. These files were disguised as ordinary test files, evading detection from casual inspection or automated tools that scan for malicious patterns.

Those crafted test files can be found here:

tests/files/bad-3-corrupt_lzma2.xz (cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0, 74b138d2a6529f2c07729d7c77b1725a8e8b16f1)

tests/files/good-large_compressed.lzma (cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0, 74b138d2a6529f2c07729d7c77b1725a8e8b16f1)

Figure 1. Different versions of the build-to-host.m4 file in the released tarballs

Building a Backdoor

Upon decompression and execution, these files collaboratively manipulated the build process of liblzma. The process involved extracting and executing obfuscated script code, leading to the injection of malicious code into the build output.

This manipulation effectively appended malicious data to the build process without raising suspicion, as it mimicked legitimate testing adjustments.

The deobfuscated code can be found here.

Trojan Horse Injects Backdoor

The attackers introduced a new object related to the CRC64 algorithm, claiming it was an improvement. This object was, in fact, a trojan that, when included in the build process, embedded the final backdoor into the liblzma library.

The essence of the backdoor was to intercept function calls related to CRC32 and CRC64 resolution, replacing them with malicious variants that could execute arbitrary code under certain conditions, likely tied to specific, crafted inputs.

Hijacking SSH with Linker Trick

The backdoor installed an “audit hook” into the Linux dynamic linker, a critical component that resolves library dependencies at runtime. By hooking into this mechanism, the backdoor could alter the behavior of the linker to intercept and modify the resolution of symbols, particularly those involved in RSA public key decryption.

This manipulation meant that during SSH key authentication, the backdoor could substitute the legitimate RSA decryption function with its own, allowing for unauthorized access if the input matched a certain condition likely known only to the attacker.

Stealth and Implications

The backdoor’s sophistication lay in its ability to hide within the normal build process and manipulate low-level system components undetected. Targeting the dynamic linker and encryption routines posed a severe threat to system security, potentially allowing attackers to bypass authentication mechanisms.

How to Look for the XZ Package with Mend Container?

With the Mend Container solution, you can effortlessly scan individual images or integrate your container registry to scan your entire registry thoroughly. Additionally, leverage our in-house container reachability analysis to check if the vulnerability is reachable. Our updated scanner will enhance your knowledge with the most updated data regarding this vulnerability.

Vulnerable Linux Distros and Their Fix Versions:

| Distro | Distro Versions | Affected? | Fixed versions | References |
| --- | --- | --- | --- | --- |
| Alpine | edge | Affected | 5.6.0-r2, 5.6.1-r2 | https://security.alpinelinux.org/vuln/CVE-2024-3094 |
| Debian | Unstable (sid, trixie) | Debian stable versions are not affected | 5.6.1+really5.4.5-1 | https://security-tracker.debian.org/tracker/CVE-2024-3094 |
| Ubuntu | | Not Affected | | https://ubuntu.com/security/CVE-2024-3094 |
| RHEL | | Not Affected | | https://access.redhat.com/security/cve/CVE-2024-3094 |
| Fedora | 40 | Affected | | https://bodhi.fedoraproject.org/updates/FEDORA-2024-d02c7bb266 |
| Fedora | 41 | Affected | | https://bodhi.fedoraproject.org/updates/?packages=xz |
| Fedora | Rawhide | Affected | | https://bodhi.fedoraproject.org/updates/?packages=xz |
| Amazon Linux | | Not Affected | | https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ |
| OpenSUSE | Tumbleweed | Affected | 5.6.1.revertto5.4 | https://news.opensuse.org/2024/03/29/xz-backdoor/ |
| Arch Linux | | Affected | 5.6.1-2 | https://archlinux.org/news/the-xz-package-has-been-backdoored/ |

Because the Debian advisory and the official announcement disagree, customers may see false-positive alerts on versions older than 5.6.0. We recommend either upgrading to the matching fixed version listed above or downgrading to the latest uncompromised version, which is 5.4.6.
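The following is an added example, not code from the original post or from Mend's scanner: a POSIX shell classifier for an xz/liblzma package version string that uses the affected releases, the distro fixed versions from the table above, and the 5.4.6 uncompromised release, so that patched distro builds whose version still begins with 5.6.x are not reported as affected. The distro keys (alpine, debian, arch, opensuse) are this example's own convention.

```shell
#!/bin/sh
# Added example, not part of the original post or of Mend's scanner.
# Classify an xz / liblzma *package* version against the affected upstream
# releases (5.6.0, 5.6.1), the distro fix versions from the table above and
# the last uncompromised upstream release (5.4.6). A plain substring match
# on "5.6.0"/"5.6.1" would also flag the patched distro builds, which is
# the false-positive caveat given below the table.
#
# Usage:  classify_xz_version <distro> <package-version>
# Distro keys (alpine, debian, arch, opensuse) are this example's own choice.
# Prints: affected | fixed | clean | unknown
classify_xz_version() {
  distro=$1
  ver=$2
  case "$distro:$ver" in
    # Distro builds whose version still starts with 5.6.x but carry the fix
    alpine:5.6.0-r2|alpine:5.6.1-r2)     echo fixed ;;
    debian:5.6.1+really5.4.5-1)          echo fixed ;;
    arch:5.6.1-2)                        echo fixed ;;
    opensuse:5.6.1.revertto5.4)          echo fixed ;;
    # Upstream 5.6.0 / 5.6.1 and any unpatched distro rebuild of them
    *:5.6.0|*:5.6.0-*|*:5.6.1|*:5.6.1-*) echo affected ;;
    # 5.4.x (5.4.6 is the last uncompromised release) and anything older
    *:5.4.*|*:5.[0-3].*|*:[0-4].*)       echo clean ;;
    # 5.5.x pre-releases and versions newer than the post are not covered
    *)                                   echo unknown ;;
  esac
}

# Report the locally installed xz. `xz --version` prints only the upstream
# version (e.g. "5.6.1" on a patched Alpine 5.6.1-r2 build), so the package
# manager's version string is the one to feed to classify_xz_version.
installed_xz_version() {
  xz --version 2>/dev/null | sed -n '1s/.* //p'
}
```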

References

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

https://openwall.com/lists/oss-security/2024/03/29/4

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

https://seclists.org/oss-sec/2024/q1/268

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094


*** This is a Security Bloggers Network syndicated blog from Mend authored by Tom Abai. Read the original post at: https://www.mend.io/blog/critical-backdoor-found-xz-utils-cve-2024-3094/