CVE-2024-3094 Vulnerability (XZ Backdoor)

Security analysts have recently discovered a critical vulnerability with potentially devastating repercussions. According to an urgent security advisory, two iterations of the widely used data compression tool, XZ Utils (formerly known as LZMA Utils), have been compromised with malicious code. This code enables unauthorized remote access to affected systems.

This security breach, identified as CVE-2024-3094, is rated with a CVSS score of 10.0, signifying the highest level of severity. It affects versions 5.6.0 (released on February 24, 2024) and 5.6.1 (released on March 9, 2024) of XZ Utils.

The exploit involves a sophisticated manipulation of the liblzma build process. Specifically, a prebuilt object file is extracted from a disguised test file within the source code. This object file is then used to alter specific functions within the liblzma code, perpetuating the compromise.

The CVE-2024-3094 Vulnerability Allows Attackers to Send Arbitrary Payloads

This process produces a modified version of the liblzma library, capable of intercepting and altering data interactions with any software that utilizes it.

More precisely, the bad code embedded within the library is crafted to disrupt the sshd daemon process, a component of SSH (Secure Shell), through the systemd software suite. This manipulation potentially grants a threat actor the ability to compromise sshd authentication and illicitly access the system remotely, contingent upon certain conditions being met.

The ultimate aim of the harmful backdoor introduced by CVE-2024-3094 is to inject code into the OpenSSH server (SSHD) running on the victimized machine. This would enable specific remote attackers, in possession of a particular private key, to dispatch arbitrary payloads via SSH. These payloads would execute prior to the authentication stage, effectively seizing control of the entire victimized system.

The CVE-2024-3094 Vulnerability Was Likely Intentionally Introduced by a Fraud-Related Actor

The intricately concealed malicious code appears to have been integrated through a sequence of four commits to the Tukaani Project on GitHub by a user identified as Jia Tan (JiaT75).

The sustained activity spanning several weeks suggests that the committer is either directly implicated or has experienced a significant compromise of their system. However, the latter scenario seems less plausible, given their engagement on various forums regarding the purported 'fixes.'

GitHub, now under the ownership of Microsoft, has taken action by deactivating the XZ Utils repository managed by the Tukaani Project, citing a breach of GitHub's terms of service. As of now, there have been no reports of active exploitation in the wild.

Investigations indicate that these compromised packages are exclusively found in Fedora 41 and Fedora Rawhide distributions. Other major distributions such as Alpine Linux, Amazon Linux, Debian Stable, Gentoo Linux, Linux Mint, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise and Leap, and Ubuntu remain unaffected by this security issue.

Mitigating the CVE-2024-3094 Backdoor Vulnerability

Users of Fedora Linux 40 have been advised to revert to a 5.4 build. Additionally, several other Linux distributions have been affected by the supply chain attack, including:

  • Arch Linux (installation medium 2024.03.01, virtual machine images 20240301.218094 and 20240315.221711, and container images created between February 24, 2024, and March 28, 2024)
  • Kali Linux (between March 26 and March 29)
  • openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and March 28)
  • Debian testing, unstable, and experimental versions (ranging from 5.5.1alpha-0.1 to 5.6.1-1)

This development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue its own alert, advising users to revert XZ Utils to a version unaffected by the compromise, such as XZ Utils 5.4.6 Stable.
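To act on this advice, a host can be checked for the two affected releases named above. The script below is an added example, not part of the advisory or of any vendor tooling. It parses the output of `xz --version`, which reports the command-line tool and the loaded liblzma separately, and flags either one at 5.6.0 or 5.6.1. The function names, the sample inputs and the fallback path /usr/sbin/sshd are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the advisory. Affected upstream releases are the
# two named on this page.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Constructed sample inputs in the format printed by `xz --version`.
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
# Tool already downgraded, but an affected shared library is still loaded.
SAMPLE_MIXED='xz (XZ Utils) 5.4.6
liblzma 5.6.0'

# check_xz_output TEXT: report each component found in TEXT.
# Returns 0 = no affected version, 1 = affected version, 2 = nothing parsed.
check_xz_output() {
    printf '%s\n' "$1" | awk -v bad="$AFFECTED_VERSIONS" '
        function report(comp, ver) {
            seen++
            if (ver in hit) { found++; print "AFFECTED " comp " " ver }
            else print "ok " comp " " ver
        }
        BEGIN { n = split(bad, b, " "); for (i = 1; i <= n; i++) hit[b[i]] = 1 }
        /^xz \(XZ Utils\) / { report("xz", $NF) }
        /^liblzma /         { report("liblzma", $NF) }
        END { if (!seen) exit 2; exit (found ? 1 : 0) }
    '
}

# check_host: run the same check on this machine and note whether the local
# sshd loads liblzma. /usr/sbin/sshd is an assumed fallback location.
check_host() {
    rc=0
    check_xz_output "$(xz --version 2>/dev/null)" || rc=$?
    sshd_bin=$(command -v sshd 2>/dev/null) || sshd_bin=/usr/sbin/sshd
    if ldd "$sshd_bin" 2>/dev/null | grep -q liblzma; then
        echo "note: $sshd_bin is linked against liblzma"
    fi
    return "$rc"
}

if [ "${1:-}" = "--host" ]; then
    check_host
else
    check_xz_output "$SAMPLE_MIXED" || true   # demo on constructed input
fi
```

Run with `--host` to check the local machine. A return code of 2 means no version line was parsed, for example because xz is not installed, and should not be read as a clean result.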
