Introduction

On March 29th, 2024, a backdoor in a popular package called XZ Utils was identified and publicly announced. In true fashion, the cyber security industry was thrown into panic on a Friday. Not only was it a Friday, but it was a bank holiday Friday for some… so we had an extra treat! In this post, we hope to give a brief overview of the CVE, the affected component, a high-level summary of what the backdoor does, and some guidance on identifying and fixing a vulnerable system.

Note: This is not a technical dive into the CVE, it serves as more of a high-level overview with some initial guidance. For more technical insights and deep dives, we recommend checking the further reading section towards the bottom of this post.

What is XZ Utils?

XZ Utils, previously LZMA Utils, is a collection of lossless data compressors for Unix-like operating systems. This includes flavours of Linux, Mac OSX and others.

Your system will likely include XZ right now. You can check by opening a terminal/command line and issuing the command:

$ xz

Should We Care? Why?

Short answer, YES. Very much so.

XZ Utils includes a library called “liblzma” which is used by “SSHD”. For anyone who deals with systems directly, SSH is an integral part of system administration and will commonly be internet facing. For the most part, SSH is protected behind authentication (password or key based) and requires an enabled user on the target system. This library has ultimately been backdoored, potentially allowing malicious users to gain access.

Am I Vulnerable to CVE-2024-3094?

Chances are, if you run a flavour of Linux or are a Mac OSX user, you will have XZ installed. If you regularly update, you are likely vulnerable and will want to downgrade to a safe version. The currently known vulnerable versions are:

  • 5.6.0 (released Feb. 24)
  • 5.6.1 (released March 9)

This can be checked by issuing the following command:

$ xz --version

If the output is either of the above two versions, it is recommended to downgrade immediately.

There are some identification scripts circulating around LinkedIn, Twitter, etc., but they ultimately run the above command and just grep for the version numbers. For example, if the following command gives any output, the installed xz is vulnerable (the dots are escaped so that they match a literal “.” rather than any character):

$ xz --version | grep -E '5\.6\.[01]'
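
The one-liner above is enough for a quick look, but it only tells you that some line matched. The script below is an added example (not part of the original post or of the XZ project) that parses both lines of `xz --version` output, the xz binary's own version and the liblzma version, and reports each separately; it matters because the backdoor lives in liblzma, so that is the line you actually care about. The sample output embedded in the script is constructed to mirror the real output format; the function names are our own.

```shell
#!/bin/sh
# Constructed sample of what `xz --version` prints on an affected system
# (first line is the xz binary, second line is the liblzma library).
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Exact-match check against the two backdoored releases named in CVE-2024-3094.
# Returns 0 (shell "true") only for 5.6.0 or 5.6.1.
xz_version_is_vulnerable() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print "name=version" lines, one for
# the xz binary and one for liblzma. Both are reported because the backdoor is
# in liblzma, which can be installed separately from the xz command itself.
extract_versions() {
    awk '/^xz \(XZ Utils\)/ { print "xz=" $NF }
         /^liblzma/        { print "liblzma=" $NF }'
}

# Check a block of `xz --version` output (passed as $1). Prints one line per
# component; returns 0 if any component is a vulnerable version, 1 otherwise.
check_xz_output() {
    found=1
    for entry in $(printf '%s\n' "$1" | extract_versions); do
        name=${entry%%=*}
        ver=${entry#*=}
        if xz_version_is_vulnerable "$ver"; then
            echo "VULNERABLE: $name $ver (CVE-2024-3094)"
            found=0
        else
            echo "ok: $name $ver"
        fi
    done
    return $found
}

# Run against the constructed sample first, then against the real binary if
# one is on PATH. `|| true` keeps a "vulnerable" result from aborting the script.
echo "--- constructed sample ---"
check_xz_output "$SAMPLE_OUTPUT" || true
if command -v xz >/dev/null 2>&1; then
    echo "--- this system ---"
    check_xz_output "$(xz --version 2>/dev/null)" || true
fi
```

Save it as, say, check_xz.sh and run `sh check_xz.sh`; a non-zero exit status from check_xz_output is what you would key off in an automated fleet-wide sweep, while the printed lines tell a human which component (binary or library) needs the downgrade described in the next section.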

Fixing the Vulnerability

At the time of writing this post (31st March 2024), the public GitHub repository for XZ has been disabled by GitHub and official releases are not available to download. In the event it becomes re-enabled, please check here. If it’s back, head to the releases section and download the current recommended stable version, 5.4.6.

For those who use Mac OSX and Homebrew to install everything, simply running the upgrade command will force a downgrade: Homebrew’s ‘latest’ version has been changed to install 5.4.6, so depending on your currently installed version this is either an update or a downgrade. To see the discussion around this, see here.

For those who want to download the tar directly onto their system and replace the binary themselves, you can use a resource such as SourceForge. Right now the latest version available is also 5.4.6.

Please use your own judgement here on whether you can comfortably replace the binary; the last thing you want to do is cause additional damage! Package managers are your friend if available!

Okay, so… What is a Backdoor?

A house has an obvious ‘front door’ that is the public-facing, expected method of entry, but in some cases there is a door around the back which grants the same entry. With regards to cyber security, a backdoor is ultimately another way of getting ‘into’ something. For example, imagine a piece of software or a website that is completely locked down by a username and password. Typically, you would enter these credentials into a login portal. Now let’s imagine this software or website had a secret page called ‘backdoor’ which gave access to anyone’s account without the password: you just give it the username and in you go. This backdoor would not be publicly known and would be used by malicious actors to subvert the security defence mechanisms. Backdoors can be implemented by malicious developers/companies or by hackers who have breached the platform in the past.

How was XZ Backdoored?

A malicious threat actor was able to commit code to the XZ Utils GitHub repository. This occurred on February 23, 2024 and included obfuscated code that altered the build process.

This new build process included the malicious file during the compilation of the liblzma library. Because the malicious code was obfuscated rather than readable cleartext, it was ultimately difficult to detect. Since SSHD loads the compiled liblzma library, Linux distributions are the primary target of this attack, and given the common usage of SSH across Linux-based systems, this attack will affect many users.

The malicious code compiled into the library ultimately subverts and alters the authentication flow during the RSA key checking steps. With control over the authentication flow, the library can grant access based on whatever rules or logic the attacker has set. For example, it could grant access to them if a specific key value is presented, recognising them as a ‘super user’. This is just an assumption/example of what could happen.

Further Reading

CVE - CVE-2024-3094 Official Record
https://www.cve.org/CVERecord?id=CVE-2024-3094

RedHat - Official Issue Tracker for CVE-2024-3094
https://bugzilla.redhat.com/show_bug.cgi?id=2272210

Gynvael Coldwind - Technical Dive into CVE-2024-3094
https://gynvael.coldwind.pl/?lang=en&id=782