Cybersecurity blog header

CVE-2024-3094: Backdoor in XZ Utils library

CVE-2024-3094 has been listed as critical

CVE-2024-3094 present in the XZ Utils library may allow an attacker to use malicious code to compromise the integrity of affected systems

On March 29, a developer identified CVE-2024-3094, a critical vulnerability in XZ Utils (liblzma), a critical component in Debian sid systems. Andres Freund, the developer in question, after noticing unusual activity on his system, decided to take his findings to an open-source security forum. His investigation revealed the presence of a backdoor in versions 5.6.0 and 5.6.1 of XZ Utils, introduced by a contributor. This security incident has been cataloged under the identifier CVE-2024-3094, alerting the digital security community to the urgency of mitigating this threat.

In the compromised versions of XZ Utils, it was discovered that the injected malicious code, when executed, operated within the same process as the OpenSSH server (SSHD). This code altered the decryption routines on the OpenSSH server, thus allowing an attacker in possession of a particular private key to send arbitrary code through SSH. The instructions sent would be executed in a step prior to authentication, granting the attacker full control over the affected machines, even before the authentication process was completed, which represents a significant threat to the integrity of the compromised systems.

Technical analysis of the backdoor

The malicious code is integrated into the OpenSSH server (sshd process), since liblzma, which includes the backdoor, is a required component in some versions of OpenSSH. Next, we will see the flow it follows to execute the payload sent by the attacker:

1. The malicious code intercepts the RSA_public_decrypt function, originally used for RSA signature validation.

2. When an SSH client makes a connection, the malicious code obtains the value of N within the RSA structure sent to the RSA_public_decrypt function.

3. The last 240 bytes of the value “N” are then decrypted using the ChaCHa20 algorithm with a decryption key included in the malicious code.

0a 31 fd 3b 2f 1f c6 92 92 68 32 52 c8 c1 ac 28
34 d1 f2 c9 75 c4 76 5e b1 f6 88 58 88 93 3e 48

4. After this step, the validity of a 114-byte signature included in the decrypted data is verified using the Ed448 elliptic curve asymmetric signature algorithm, using the following public key:

0a 31 fd 3b 2f 1f c6 92 92 68 32 52 c8 c1 ac 28
34 d1 f2 c9 75 c4 76 5e b1 f6 88 58 88 93 3e 48
10 0c b0 6c 3a be 14 ee 89 55 d2 45 00 c7 7f 6e
20 d3 2c 60 2b 2c 6d 31 00

5. Finally, the backdoor retrieves the string that continues the validated signature. If the signature is valid, the text, which contains the command to be executed, is passed directly to system() for execution.

6. If the payload is not valid, the backdoor continues the execution of the RSA_public_decrypt function transparently and discards the received command.

Main features of CVE-2024-3094

The following are the main features of these vulnerabilities.

  • CVE Identifier: CVE-2024-3094
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10 Critical)
  • Publication Date: 03/29/2024
  • Affected Software: xz-utils
  • Affected versions:
    • xz:5.6.0 and xz:5.6.1
CVE-2024-3094 affects XZ Utils library

Mitigation of the vulnerability CVE-2024-3094

All major Linux distributions recommend rolling back to versions prior to the inclusion of XZ Utils 5.6.0 and 5.6.1 or updating to more recent versions.

Distribution Affected versions
Red Hat Fedora Linux 40 and Fedora Rawhide
Debian No stable version of Debian is known to be affected. The compromised packages were part of Debian’s testing, unstable, and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 02-01-2024) to 5.6.1-1 (included).
Kali The vulnerability impacted Kali from March 26 to March 29. If you updated your Kali installation on or after March 26, it is essential to apply the latest updates today to resolve this issue. However, if you did not update your Kali installation before March 26, you are not affected by this vulnerability.
OpenSUSE OpenSUSE Tumbleweed and OpenSUSE Micro OS were affected between March 7 and March 28, 2024.
Alpine Versions 5.6 prior to 5.6.1-r2
Arch Installer version 2024.03.01
Virtual machine images 20240301.218094 and 20240315.221711
Container images created between February 24, 2024 and March 28, 2024, included.

Vulnerability Detection

The presence of the vulnerability CVE-2024-3094 can be identified by running the following command in a Linux environment that will show the current version of the library.

strings which xz | grep '5.6.[01]'

As part of its emerging vulnerability service, Tarlogic proactively monitors its clients’ perimeter to report, detect, and urgently notify them of the presence of this vulnerability, as well as other critical threats that could cause a serious impact on the security of their assets.