Last updated at Fri, 05 Apr 2024 20:45:11 GMT
On Friday, March 29, after investigating anomalous behavior in his Debian sid environment, developer Andres Freund contacted an open-source security mailing list to share that he had discovered an upstream backdoor in widely used command line tool XZ Utils (liblzma). The backdoor, added by an open-source committer who had been working on the tool for several years, affects XZ Utils versions 5.6.0 and 5.6.1. It has been assigned CVE-2024-3094.
According to Red Hat’s advisory –
“The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present.
The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”
Community analysis of the backdoor is ongoing. Fortunately, thanks to Freund’s discovery, the backdoored version of the utility did not affect stable branches of most major Linux distributions and is unlikely to have made it into any production systems. The most at-risk category of users is likely developers, many of whom tend to run bleeding-edge versions of Linux.
Mitigation Guidance
XZ Utils users should downgrade to an older version of the utility immediately (i.e., any version before 5.6.0) and update their installations and packages according to distribution maintainer directions.
Major Linux distributions and package maintainers have published guidance on updating. Below is a list of affected and unaffected distributions — please refer to individual distribution and package advisories for the latest information and remediation guidance.
Affected distributions (as of March 31)
unstable / sid only — “versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1.”
Systems updated between March 26 and March 29, 2024
Tumbleweed and MicroOS rolling releases between March 7 and March 28, 2024
- Installation medium 2024.03.01
- Virtual machine images 20240301.218094 and 20240315.221711
- Container images created between and including 2024-02-24 and 2024-03-28
Fedora Rawhide and Fedora 40 Linux beta
The following distributions have indicated they are not affected:
Please note that information on affected versions or requirements for exploitability may change as we learn more about the threat.
Rapid7 Customers
InsightVM and Nexpose customers can assess their exposure to CVE-2024-3094 with authenticated and agent-based package version checks, available as of the April 1, 2024 content release.
InsightCloudSec customers can assess their cloud resources using Host and Container Vulnerability Assessment capabilities. When enabled, customers can go to ‘Vulnerabilities > Software’ and add the following filter:
- Software Name contains xz
- Software Version starts with 5.6
Customers can also search for ‘xz’ with the ‘Show Software without Vulnerabilities’ box checked to see all deployed versions of the software.
Rapid7 Labs has shared this Velociraptor artifact to help search for installed vulnerable packages.
Blog Updates
April 2, 2024: Updated to note that InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-3094 with authenticated and agent-based vulnerability checks in today's (April 1) content release. Customers using the latest version of InsightCloudSec can also assess their cloud resources for exposure.
