
Just in Time Bulletin: CVE-2024-3094 XZ/liblzma Backdoor

Apr 04, 2024

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the source tree and uses it to modify specific functions in the liblzma code. The result is a modified liblzma library that can be used by any software linked against it, intercepting and modifying the data interaction with the library.

What is CVE-2024-3094?

CVE-2024-3094 documents a backdoor in the xz package, deliberately inserted and heavily obfuscated by the actor who committed it. While the motivation behind the backdoor remains unknown, the intent was to compromise specific distributions: the malicious build steps were only applied when building DEB or RPM packages for the x86-64 architecture with gcc and the GNU linker.

On Friday, Red Hat released an “urgent security alert” warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.

The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).

How bad is this?

CVE             CWE                                  CVSSv2   CVSSv3   EPSS
CVE-2024-3094   CWE-506 (Embedded Malicious Code)    7.5      10.0     0.0005 (Low)

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund said. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes.’”

Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani Project “due to a violation of GitHub’s terms of service.” There are currently no reports of active exploitation in the wild.

Severity: Critical

How is it Exploited?

“The backdooring results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.”

Specifically, the malicious code baked into the library is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely “under the right circumstances.”

“The end goal of the malicious backdoor introduced by CVE-2024-3094, is to inject code to the OpenSSH server (SSHD) that runs on the victim machine, and allows specific remote attackers (that own a specific private key) to send arbitrary payloads through SSH which will be executed before the authentication step, effectively hijacking the entire victim machine,” JFrog said.

Microsoft engineer and PostgreSQL developer Andres Freund has been credited with discovering and reporting the issue on Friday. The heavily obfuscated malicious code is said to have been introduced over a series of source code commits to the Tukaani Project on GitHub by a user named Jia Tan (JiaT75).

How do I protect myself?

Threats to open source software can affect any part of the supply chain. In this case, a nefarious or compromised maintainer appears to have inserted malicious code into the package. The nature of open source software allowed this vulnerability to be discovered, reported, and addressed in a short period of time due to the diligence and oversight of the community. 

Thankfully, the number of systems affected by this backdoor is relatively low as this version of xz was not broadly distributed by distros and was caught quickly. The thoughtful, paced release process of first introducing new packages to “experimental” releases, prior to rolling them into “stable” releases served the community well by keeping the compromised packages contained to a narrow distribution. Cooperation between the distributions through venues such as the oss-security and distros mailing lists allowed quick and decisive resolution to this compromise.

Situations like this remind us all that we need to remain vigilant within the open source software ecosystem. Open source is about well-intentioned humans donating their time and talents to help solve problems, and sadly this can be compromised. As we all learn more details about the anatomy of this attack and the upstream and downstream response, it will give us time to reflect upon how we all can do more to secure open source software and help maintainers and consumers alike.

Who is affected by this?

Evidence shows that the packages are only present in Fedora 41 and Fedora Rawhide, and do not impact distros like Alpine Linux, Amazon Linux, Debian Stable, Gentoo Linux, Linux Mint, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise and Leap, and Ubuntu.

Out of an abundance of caution, Fedora Linux 40 users have been recommended to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are listed below:

  • Arch Linux (installation medium 2024.03.01, virtual machine images 20240301.218094 and 20240315.221711, and container images created between and including 2024-02-24 and 2024-03-28)
  • Kali Linux (between March 26 and 29)
  • openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and 28)
  • Debian testing, unstable, and experimental versions (from 5.5.1alpha-0.1 to 5.6.1-1)

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert of its own, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).
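The version and linkage checks behind the affected-distribution list above, written out as a shell script a defender can run on a host. This is an added example, not code from the NopSec bulletin; it assumes a Linux host where `xz --version` begins with "xz (XZ Utils) X.Y.Z" and where `ldd` is available to inspect what sshd links.

```shell
#!/bin/sh
# Added example, not code from the NopSec bulletin: a defender-side host check
# for the two backdoored XZ Utils releases it names (5.6.0 and 5.6.1). Assumes a
# Linux host where `xz --version` starts with "xz (XZ Utils) X.Y.Z" and `ldd` exists.

# True (exit 0) only for the two backdoored upstream releases.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull "X.Y.Z" out of captured `xz --version` text ("xz (XZ Utils) 5.6.1" ->
# "5.6.1"); operates on a string so it can be tested without running xz.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# True when captured `ldd` output lists liblzma. On affected distros sshd
# reaches liblzma indirectly through libsystemd, which is why the bulletin
# mentions systemd.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Check the live host. Exit 2 if a backdoored version is installed, else 0.
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed; nothing to check"; return 0
    fi
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    echo "installed xz version: ${ver:-unknown}"
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
            echo "$sshd_bin links liblzma (exposed if the library is backdoored)"
        else
            echo "$sshd_bin does not link liblzma"
        fi
    fi
    if is_affected_xz_version "$ver"; then
        echo "AFFECTED: xz $ver is a backdoored release; downgrade (e.g. to 5.4.6)"
        return 2
    fi
    echo "xz ${ver:-unknown} is not one of the two backdoored releases"
}
# Run the live check only when invoked as: sh xz_check.sh --check
case "${1:-}" in --check) check_host ;; esac
```

A version match is a triage signal rather than proof either way, since distributions ship rebuilt packages under their own release tags; treat your distribution's advisory as the authoritative statement of package status.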


NopSec Thoughts?

NopSec is currently not aware of any exploitation taking place in the wild.

Additional Resources About CVE-2024-3094