On Friday, March 29, developer Andres Freund detected unusual behavior in his Debian sid environment. In response, he contacted an open-source security mailing list to report his discovery of an upstream backdoor in the commonly used command-line tool XZ Utils (liblzma). The backdoor was surreptitiously added by a long-time open-source contributor, affecting XZ Utils versions 5.6.0 and 5.6.1, and assigned the CVE-2024-3094 identifier.
What is CVE-2024-3094
The XZ library, also known as liblzma, is a widely used open-source data compression library, providing high compression ratios and fast decompression speed. It is commonly integrated into various software applications and operating systems to efficiently handle compression and decompression tasks. This exploit stems from a supply chain compromise impacting the latest versions of XZ tools and libraries, integral components in various Linux distributions. Within versions 5.6.0 and 5.6.1 of these libraries, malevolent code infiltrates functions during the liblzma build process, compromising the integrity of liblzma, a vital data compression library.
While seemingly unrelated, this compromise has ramifications beyond the realm of compression. The compromise of XZ Utils, integrated with SSH for remote system connections, poses a critical security risk due to potential interference with authentication processes. The injected code within liblzma may allow unauthorized access to vulnerable systems under certain conditions.
Delving into the vulnerability
The objective of the malicious backdoor, as demonstrated by CVE-2024-3094 and analyzed by the community, is to inject code into an OpenSSH server (SSHD) on the victim’s system. This enables remote attackers with specific private keys to send arbitrary payloads via SSH. These payloads are executed before the authentication step, allowing the execution of commands on the victim’s machine.
This supply chain attack comprises several stages involving the decryption of obfuscated payloads and manipulation of the XZ Utils tools’ build process. The obfuscated and encrypted stages, along with the subsequent binary backdoor, are concealed within two test files:
- tests/files/bad-3-corrupt_lzma2.xz
- tests/files/good-large_compressed.lzma
The attack unfolds through the following steps:
- The backdoor script code is embedded within the source code (tarballs) of XZ Utils versions 5.6.0 and 5.6.1.
- During the software installation process, the backdoor code is invoked as part of the configure step.
- Under specific conditions, the Makefile is altered to include the backdoor code. Following this modification, the liblzma library gets compiled to include the backdoor code.
- As libzma is a dependency of the OpenSSH server, the malicious payload is injected into the sshd process.
- The injected backdoor code intercepts OpenSSH’s RSA_public_decrypt function, activated during client authentication. It manipulates the authentication key/data controlled by the connecting SSH client (attacker) within the SSH authentication process, embedding the malicious payload.
- Following this, the injected backdoor code decrypts the attacker’s payload and initiates its execution on the victim machine.
Affected Versions and Protective Measures
The following distributions are impacted by the vulnerability. Please consult individual distribution and package advisories for the most recent details and remediation instructions.
| Distro | Affected systems | Recommendation |
| Fedora | Fedora Rawhide and Fedora 40 Linux beta |
update to xz-5.4.6 |
| Debian | Sid, experimental, unstable | Update to 5.6.1+really5.4.5-1. |
| Kali | Systems updated between March 26 and March 29, 2024 | Update to 5.6.1+really5.4.5-1. |
| OpenSUSE | Rolling release distribution openSUSE Tumbleweed and openSUSE MicroOS included this version between March 7 and March 28. | Update to 5.6.1.revertto5.4 |
| Arch Linux | · installation medium 2024.03.01
· virtual machine images 20240301.218094 and 20240315.221711 · container images created between and including 2024-02-24 and 2024-03-28 |
Update to 5.6.1-2 |
Apply patches released by the XZ Utils project and individual distribution to address the backdoor vulnerability. Ensure systems are updated to versions that do not contain the malicious code.
Seqrite Protection
All Quick Heal and Seqrite customers are protected against this threat through the following signatures:
- Exploit.48727.GC
- Backdoor.48726.GC
To know more about Quick Heal and Seqrite’s range of digital protection, please visit,
References:
https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://www.linkedin.com/pulse/xz-utils-backdoor-supply-chain-vulnerability-cve-2024-3094-aiohc/
Authors:
Vinay Kumar
Adrip Mukherjee
Adhokshaj Mishra
