CVE-2024-3094: Backdoor in XZ Utils library
CVE-2024-3094 present in the XZ Utils library may allow an attacker to use malicious code to compromise the integrity of affected systems
On March 29, a developer identified CVE-2024-3094, a critical vulnerability in XZ Utils (liblzma), a core component of Debian sid systems. Andres Freund, the developer in question, noticed unusual activity on his system and took his findings to an open-source security forum. His investigation revealed the presence of a backdoor in versions 5.6.0 and 5.6.1 of XZ Utils, introduced by a contributor. This security incident has been cataloged under the identifier CVE-2024-3094, alerting the digital security community to the urgency of mitigating this threat.
In the compromised versions of XZ Utils, it was discovered that the injected malicious code, when executed, operated within the same process as the OpenSSH server (sshd). This code altered the RSA public-key decryption routine used by the OpenSSH server for signature checks, allowing an attacker in possession of a particular private key to send arbitrary code through SSH. The instructions sent would be executed in a step prior to authentication, granting the attacker full control over the affected machines before the authentication process was completed, which represents a significant threat to the integrity of the compromised systems.
Technical analysis of the backdoor
The malicious code is integrated into the OpenSSH server (sshd process), since liblzma, which includes the backdoor, is a required component in some versions of OpenSSH. The flow it follows to execute the payload sent by the attacker is as follows:
1. The malicious code intercepts the RSA_public_decrypt function, originally used for RSA signature validation.
2. When an SSH client makes a connection, the malicious code obtains the value of N within the RSA structure sent to the RSA_public_decrypt function.
3. The last 240 bytes of the value “N” are then decrypted using the ChaCha20 algorithm with a decryption key embedded in the malicious code:
0a 31 fd 3b 2f 1f c6 92 92 68 32 52 c8 c1 ac 28
34 d1 f2 c9 75 c4 76 5e b1 f6 88 58 88 93 3e 48
4. After this step, the validity of a 114-byte signature included in the decrypted data is verified using the Ed448 elliptic curve asymmetric signature algorithm, using the following public key:
0a 31 fd 3b 2f 1f c6 92 92 68 32 52 c8 c1 ac 28
34 d1 f2 c9 75 c4 76 5e b1 f6 88 58 88 93 3e 48
10 0c b0 6c 3a be 14 ee 89 55 d2 45 00 c7 7f 6e
20 d3 2c 60 2b 2c 6d 31 00
5. Finally, the backdoor retrieves the string that follows the validated signature. If the signature is valid, this text, which contains the command to be executed, is passed directly to system() for execution.
6. If the payload is not valid, the backdoor continues the execution of the RSA_public_decrypt function transparently and discards the received command.
Main features of CVE-2024-3094
The following are the main features of this vulnerability.
- CVE Identifier: CVE-2024-3094
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10 Critical)
- Publication Date: 03/29/2024
- Affected Software: xz-utils
- Affected versions: xz:5.6.0 and xz:5.6.1
Mitigation of the vulnerability CVE-2024-3094
All major Linux distributions recommend rolling back to a version prior to XZ Utils 5.6.0 and 5.6.1, or updating to a more recent version in which the backdoor has been removed.
| Distribution | Affected versions |
|---|---|
| Red Hat | Fedora Linux 40 and Fedora Rawhide |
| Debian | No stable version of Debian is known to be affected. The compromised packages were part of Debian’s testing, unstable, and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 02-01-2024) to 5.6.1-1 (inclusive). |
| Kali | The vulnerability impacted Kali from March 26 to March 29. If you updated your Kali installation on or after March 26, it is essential to apply the latest updates today to resolve this issue. If you did not update your Kali installation on or after March 26, you are not affected by this vulnerability. |
| openSUSE | openSUSE Tumbleweed and openSUSE MicroOS were affected between March 7 and March 28, 2024. |
| Alpine | Versions 5.6 prior to 5.6.1-r2 |
| Arch | Installer version 2024.03.01; virtual machine images 20240301.218094 and 20240315.221711; container images created between February 24, 2024 and March 28, 2024, inclusive. |
Vulnerability Detection
The presence of the vulnerability CVE-2024-3094 can be identified by running the following command in a Linux environment. It lists the version strings embedded in the xz binary; a match on 5.6.0 or 5.6.1 indicates a backdoored release.
strings "$(which xz)" | grep '5.6.[01]'
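The one-liner above only inspects the xz binary, while the backdoor itself lives in liblzma and only reaches the attack surface if sshd loads that library. The following script, added here as example code that is not part of the Tarlogic advisory, extends the check to the library and to sshd's link closure; it assumes a conventional Linux layout where ldconfig, ldd, strings and xz are available, and reports "not found" rather than failing when one of them is missing.

```shell
#!/bin/sh
# Added host check for CVE-2024-3094 (example code, not from the advisory).
# Assumes a conventional Linux layout; each probe reports "not found" rather
# than failing when a tool (ldconfig, ldd, strings, xz) is missing.

# 0 if the version is one of the two backdoored XZ Utils releases, 1 otherwise.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull "5.6.1" out of the first line of `xz --version`, e.g. "xz (XZ Utils) 5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# 0 if sshd's link closure (usually via libsystemd) pulls liblzma into the process.
sshd_loads_liblzma() {
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd" ] && ldd "$sshd" 2>/dev/null | grep -q 'liblzma'
}

check_host() {
    ver=$(xz_version_from_banner "$(xz --version 2>/dev/null | head -n 1)")
    if [ -z "$ver" ]; then
        echo "xz binary: not found or unparseable banner"
    elif is_affected_xz_version "$ver"; then
        echo "xz binary: $ver -> AFFECTED"
    else
        echo "xz binary: $ver -> not one of the backdoored releases"
    fi
    # Check the library itself: the backdoor lives in liblzma, not in the xz binary.
    lib=$(ldconfig -p 2>/dev/null | awk '/liblzma\.so/ { print $NF; exit }')
    if [ -n "$lib" ] && strings -- "$lib" 2>/dev/null | grep -Eq '5\.6\.[01]'; then
        echo "liblzma: $lib carries a 5.6.0/5.6.1 version string -> AFFECTED"
    else
        echo "liblzma: ${lib:-not found} -> no 5.6.0/5.6.1 string seen"
    fi
    # A backdoored liblzma only reaches sshd if sshd loads it.
    if sshd_loads_liblzma; then
        echo "sshd: links liblzma (exposed if the library is backdoored)"
    else
        echo "sshd: does not link liblzma, or sshd not present"
    fi
    return 0
}
check_host
```

A "not one of the backdoored releases" verdict on the binary combined with an AFFECTED liblzma is possible when the package was only partially rolled back, so treat the library line as authoritative.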
As part of its emerging vulnerability service, Tarlogic proactively monitors its clients’ perimeter to report, detect, and urgently notify them of the presence of this vulnerability, as well as other critical threats that could cause a serious impact on the security of their assets.