CVE-2024-3094: New Vulnerability Impacts XZ Utils - FOSSA (2024)

On Friday, March 29, 2024, Microsoft developer Andres Freund disclosed a backdoor in XZ Utils, a widely used collection of lossless data compression tools and libraries (the xz command-line tool and the liblzma library). It is tracked as a vulnerability, but it was deliberately planted, not an accidental bug.

The vulnerability was later confirmed by Red Hat and assigned CVE-2024-3094. It was given a CVSS severity score of 10.0, the highest possible.

CVE-2024-3094 is rated so severely because the backdoor allows unauthenticated remote code execution through sshd: anyone holding the attacker's private signing key can run arbitrary commands on an affected system, with the privileges of the SSH daemon, without ever completing authentication. That is enough to install malware, read sensitive data, or take full control of the host from anywhere on the network.

If there is a piece of good news, it is that the backdoor was caught before it reached stable releases and before it is known to have done widespread harm. Although XZ Utils is used across the Linux world, the backdoor is present only in XZ Utils versions 5.6.0 and 5.6.1. And, as of this writing, CVE-2024-3094 is only confirmed to affect Fedora Rawhide, Fedora Linux 40, Debian (testing, unstable, and experimental distributions, package versions from 5.5.1alpha-0.1 up to and including 5.6.1-1), Arch Linux, Kali Linux, openSUSE Tumbleweed, and openSUSE MicroOS.

The recommended mitigation is to immediately downgrade to a safe version, such as 5.4.6 Stable. Because sshd loads liblzma when it starts, restart sshd (or reboot) after downgrading so the running daemon no longer has the backdoored library mapped. Additionally, since vulnerable versions of XZ Utils have been distributed in the Linux ecosystems mentioned above, follow the applicable vendor guidance for reverting and/or upgrading your distribution.

In this blog, we’ll discuss the nature of the XZ Utils vulnerability, the unusual way it was discovered, and best practices for remediating the issue.

RELATED: FOSSA Package Index for Zero-Day Vulnerability Management

CVE-2024-3094 Background and Discovery

News of the XZ Utils vulnerability first came to light in an Openwall thread from Microsoft developer Andres Freund.

Freund posted that he had noticed odd behavior on Debian sid installations: SSH logins a) consumed far more CPU than expected, and b) produced valgrind errors in liblzma.

These symptoms led Freund to investigate. At first he suspected that Debian's package had been compromised, but further digging led him to conclude that the problem was in the upstream XZ repository and release tarballs themselves.

It also soon became clear that CVE-2024-3094 was no ordinary software supply chain attack. Rather, it was the result of a sophisticated, multi-year effort that culminated in a bad actor, possibly a state-sponsored one, becoming a trusted contributor to XZ Utils and inserting a backdoor.

In November 2021, GitHub user Jia Tan (“JiaT75”) made what appears to be their first commit to an open source project. In 2022, Tan submitted a patch to the XZ Utils mailing list; several sockpuppet accounts replied, pressuring the project's sole maintainer to take on co-maintainers. The apparent goal of this campaign was to get Tan added to the project.

In the months that followed, Tan continued to contribute to XZ Utils, gaining trust and stature. This ultimately resulted in Tan being able to create and release compromised tarballs in XZ Utils 5.6.0 and 5.6.1.

How the XZ Utils Vulnerability Works

The XZ Utils backdoor lets an attacker deliver hidden commands to sshd during the SSH handshake. On the affected distributions sshd is linked against libsystemd, which in turn pulls in liblzma, so the backdoored library ends up loaded inside the SSH daemon. There it hooks RSA public-key verification: if the “public key” a client presents carries a payload signed with a private key known only to the attacker, that payload is executed before authentication completes, giving unauthenticated remote code execution.

Here’s a summary of the requirements for a system to be affected by the malicious code:

  1. Using a .deb or .rpm based distro that uses glibc
    a. amd64/x86_64 based architecture
  2. 5.6.0 or 5.6.1 of xz or liblzma installed
  3. Publicly accessible sshd (although a privately accessible sshd is still vulnerable to anyone who can reach it)
  4. sshd linked, directly or through libsystemd, against liblzma (stock upstream OpenSSH does not link liblzma; the affected distros patch sshd for systemd notification, which adds the dependency, and without it the backdoor never activates)
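The following host check is an added example (not FOSSA's tooling and not the xz project's code) that turns the conditions above into something you can run. It parses the output of `xz --version` and of `ldd` on the sshd binary, so the same parsing functions can be run offline against captured output; the `/usr/sbin/sshd` fallback path and the exact line formats of `xz --version` and `ldd` are assumptions of the example.

```python
import os
import re
import shutil
import subprocess

# The two upstream releases whose tarballs carried the backdoor.
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}

# Matches the two lines `xz --version` prints, e.g.
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
VERSION_RE = re.compile(r"^(xz \(XZ Utils\)|liblzma)\s+(\d+\.\d+\.\d+)", re.M)


def parse_versions(xz_version_output):
    """Return {'xz': ..., 'liblzma': ...} parsed from `xz --version` output.
    Entries that are not found map to None (the two can differ if a downgrade
    replaced the binary but not the library, or vice versa)."""
    found = {"xz": None, "liblzma": None}
    for m in VERSION_RE.finditer(xz_version_output):
        found["xz" if m.group(1).startswith("xz") else "liblzma"] = m.group(2)
    return found


def is_backdoored(version):
    return version in BACKDOORED_VERSIONS


def sshd_links_liblzma(ldd_output):
    """True if liblzma appears in sshd's resolved shared-library list.
    On the affected distros the dependency is indirect (sshd -> libsystemd ->
    liblzma); ldd resolves transitive dependencies, so it still shows up."""
    return any(line.lstrip().startswith("liblzma") for line in ldd_output.splitlines())


def assess(xz_version_output, ldd_output):
    """Combine the checks. ldd_output may be None when sshd is not installed."""
    versions = parse_versions(xz_version_output)
    bad = any(is_backdoored(v) for v in versions.values() if v)
    linked = sshd_links_liblzma(ldd_output) if ldd_output is not None else None
    if not bad:
        verdict = "SAFE_VERSION"
    elif linked is None:
        verdict = "BACKDOORED_LIBRARY_SSHD_UNKNOWN"
    elif linked:
        verdict = "EXPOSED"  # backdoored liblzma, and sshd loads it
    else:
        # The hook never activates without sshd, but the library is still
        # compromised and must be downgraded.
        verdict = "BACKDOORED_LIBRARY_NOT_LOADED_BY_SSHD"
    return {"versions": versions, "sshd_links_liblzma": linked, "verdict": verdict}


def _stdout(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def assess_host():
    """Run the checks on the local machine (needs xz; ldd and sshd are optional)."""
    if shutil.which("xz") is None:
        return {"versions": {"xz": None, "liblzma": None},
                "sshd_links_liblzma": None, "verdict": "XZ_NOT_INSTALLED"}
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"  # assumed default path
    ldd_output = None
    if shutil.which("ldd") and os.path.exists(sshd):
        ldd_output = _stdout(["ldd", sshd])
    return assess(_stdout(["xz", "--version"]), ldd_output)


if __name__ == "__main__":
    print(assess_host())
```

A version string is only a first pass: it does not prove the library currently mapped into a long-running sshd is clean, and it will not catch a renamed or re-packaged copy of the backdoored liblzma. Treat anything other than SAFE_VERSION as a reason to follow the vendor advisory, downgrade, and restart sshd.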

Here’s a summary of how the attack works on an affected system:

  1. Backdoor Establishment: The backdoor is assembled at build time from two binary files in the project's test directory, disguised as compression test inputs, and injected into liblzma by a modified build script that shipped only in the release tarballs, not in the git repository. Once the resulting liblzma is loaded by sshd, the backdoor hooks the daemon and waits for incoming SSH connections.

  2. Authentication Process: When a client tries to authenticate, it sends its public key to the server as part of the standard SSH public-key authentication exchange.

  3. Interception by Malicious Code: At this point the malicious code, which has replaced OpenSSL's RSA_public_decrypt function inside the sshd process, runs. That function normally validates RSA signatures; the hook repurposes it to inspect the key material received during the handshake.

  4. Revealing Hidden Commands: The hook decrypts part of the presented key material, revealing instructions hidden inside what looks like an ordinary RSA public key.

  5. Signature Authentication: The decrypted data is checked against a signature to confirm its origin. This step ensures that only instructions from the attackers, who hold the required private key, are accepted; the key is not shared with the public, so nobody else can use the backdoor even though they can see it.

  6. Command Execution: If the signature checks out, the instructions are handed to the system shell and run with the privileges of sshd, which is typically root. The attacker gets code execution without ever completing SSH authentication.

  7. Seamless Fallback: If the incoming data does not match the attackers' format or fails the signature check, the hook simply calls the legitimate RSA_public_decrypt. Every ordinary login therefore behaves normally, which is what kept the backdoor hidden; it was the extra CPU time and valgrind noise of the hook, not a functional failure, that gave it away.
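To make steps 2 through 7 concrete, here is a simplified model of the hook, added as an illustration; it is not the backdoor's code, nor code from xz, OpenSSL or FOSSA. The real backdoor hid its payload inside the modulus of the client's RSA public key and verified an Ed448 signature with a public key embedded in liblzma. In this model the payload is a byte string whose layout and marker are constructed for the example, an HMAC with a secret key stands in for the asymmetric signature so the code runs with only the standard library, and the command is passed to a callback instead of system().

```python
import hashlib
import hmac
import struct

# Stand-in for the attacker's signing key (constructed for this example). The
# real backdoor verified an Ed448 signature against a public key embedded in
# liblzma, so knowing the payload format was not enough to trigger it; here the
# same property comes from keeping ATTACKER_KEY secret.
ATTACKER_KEY = b"constructed-example-key-not-the-real-one"
MAGIC = b"\xde\xad\xbe\xef"  # constructed marker; the real header check differs
HDR_LEN = len(MAGIC) + 2     # marker + 2-byte big-endian command length
TAG_LEN = 32                 # HMAC-SHA256 output


def real_rsa_public_decrypt(modulus, signature):
    """Stand-in for OpenSSL's legitimate routine (what step 7 falls back to).
    Toy rule: a signature is valid iff it equals sha256(modulus)."""
    return hmac.compare_digest(signature, hashlib.sha256(modulus).digest())


def attacker_build_key_blob(command):
    """What the attacker's client presents where an RSA modulus is expected:
    MAGIC | length | command | HMAC-SHA256(ATTACKER_KEY, everything before it)."""
    body = MAGIC + struct.pack(">H", len(command)) + command
    return body + hmac.new(ATTACKER_KEY, body, hashlib.sha256).digest()


def hooked_rsa_public_decrypt(modulus, signature, execute):
    """The replacement the backdoor installs over RSA_public_decrypt.

    execute: callback that receives the hidden command. The real hook passed it
    to system(); a callback keeps this example from running anything.
    Returns ("backdoor", execute(cmd)) when a correctly signed payload is found,
    otherwise ("fallback", <verdict of the real function>).
    """
    if modulus.startswith(MAGIC) and len(modulus) >= HDR_LEN + TAG_LEN:
        (n,) = struct.unpack(">H", modulus[len(MAGIC):HDR_LEN])
        body = modulus[:HDR_LEN + n]
        tag = modulus[HDR_LEN + n:HDR_LEN + n + TAG_LEN]
        expected = hmac.new(ATTACKER_KEY, body, hashlib.sha256).digest()
        # Step 5: accept only a payload signed with the attacker's key.
        if len(body) == HDR_LEN + n and len(tag) == TAG_LEN and hmac.compare_digest(expected, tag):
            # Step 6: run it; no SSH authentication has happened yet.
            return ("backdoor", execute(body[HDR_LEN:HDR_LEN + n]))
    # Step 7: everything else, including every legitimate login, goes to the
    # real function, so ordinary traffic never reveals the hook.
    return ("fallback", real_rsa_public_decrypt(modulus, signature))


def demo():
    """Three handshakes: the attacker's, a legitimate one, and a tampered copy."""
    executed = []

    def record(cmd):
        executed.append(cmd)
        return "executed"

    attacker_blob = attacker_build_key_blob(b"id > /tmp/pwned")
    r_attack = hooked_rsa_public_decrypt(attacker_blob, b"", record)

    legit_modulus = b"\x00\xc1" + bytes(30)  # constructed stand-in for a real key
    legit_sig = hashlib.sha256(legit_modulus).digest()
    r_legit = hooked_rsa_public_decrypt(legit_modulus, legit_sig, record)

    # Someone who learned the format but not the key: flip one payload byte.
    tampered = bytearray(attacker_blob)
    tampered[HDR_LEN] ^= 1
    r_tampered = hooked_rsa_public_decrypt(bytes(tampered), b"", record)

    return r_attack, r_legit, r_tampered, executed


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one that matters for triage: the backdoor is an authenticated one. A legitimate client is served by the real routine and sees nothing unusual, and a third party who reverse-engineers the format still cannot trigger it without the signing key; only the holder of that key gets pre-authentication code execution.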

Finding and Fixing the XZ Utils Vulnerability

As discussed, thanks to Andres Freund’s timely discovery, the XZ Utils backdoor appears to have reached only a handful of rolling-release and pre-release distributions. It’s highly recommended to a) downgrade to a safe version of XZ Utils and restart sshd, and/or b) follow vendor guidance for mitigating the vulnerability in:

  • Fedora Rawhide and Fedora Linux 40
  • Arch Linux
  • Kali Linux
  • openSUSE Tumbleweed and openSUSE MicroOS
  • Certain testing, unstable, and experimental distributions of Debian

FOSSA customers can quickly verify whether they are using the vulnerable packages anywhere in their organization by navigating to Package Index and searching for CVE-2024-3094. Any impacted packages, projects, and teams will be returned in the search results.


FAQs


What is CVE-2024-3094 backdoored XZ Utils vulnerability? ›

On 29 March 2024, the cybersecurity community turned its attention to a newly disclosed vulnerability in XZ Utils, identified as CVE-2024-3094. This backdoor vulnerability has sent ripples across the tech world, primarily due to the widespread use of XZ Utils for lossless data compression in Linux and macOS systems.

What is the CVE number for XZ Utils? ›

The backdoor in versions 5.6.0 and 5.6.1 of XZ Utils, introduced by a contributor, is cataloged under the identifier CVE-2024-3094.

How bad is the xz vulnerability? ›

The xz backdoor was a vulnerability caused by malicious code hidden in XZ Utils, a widely used data compression library. The xz backdoor allowed unauthorized individuals to remotely access and manipulate systems on which the compromised library is installed.

Which version of XZ Utils is safe? ›

The US Cybersecurity and Infrastructure Security Agency (CISA) advised developers and users to downgrade XZ Utils to an earlier, uncompromised version, such as XZ Utils 5.4.6 Stable. Run xz --version to check: if the output reports xz (XZ Utils) 5.6.0 or 5.6.1, or liblzma 5.6.0 or 5.6.1, the installed version is compromised.

What is the impact of CVE-2024-3094? ›

The vulnerability allows a remote, unauthenticated attacker holding the backdoor's signing key to execute arbitrary commands on the affected target, as the user running the SSH service.

Who is behind the XZ backdoor? ›

On 29 March 2024, software developer Andres Freund reported that he had found a maliciously introduced backdoor in the Linux utility xz, within the liblzma library, in versions 5.6.0 and 5.6.1, released by an account using the name "Jia Tan" in February and March 2024.

What is the use of XZ Utils? ›

XZ Utils (previously LZMA Utils) is a set of free software command-line lossless data compressors, including the programs lzma and xz, for Unix-like operating systems and, from version 5.0 onwards, Microsoft Windows. For compression/decompression the Lempel–Ziv–Markov chain algorithm (LZMA) is used.


What is xz hack? ›

In this case, the hackers had infiltrated a popular open source program called XZ. Slowly, over the course of two years, they transformed XZ into a secret backdoor. And if they hadn't been caught, they could have taken control of large swaths of the internet.

What is the problem with XZ Utils? ›

The xz Utils code had been tampered with to include a malicious “backdoor” that would ultimately give attackers the same level of control over affected systems as authorized administrators.

How common are XZ Utils? ›

xz Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux.

How do you know if you are affected by xz? ›

Use the XZ Backdoor Detector

It checks whether a malicious version of xz or liblzma is installed on the system. The tool also checks whether the currently installed SSH server (sshd) links to liblzma. SSH servers that do not link to liblzma are not affected by CVE-2024-3094, as the backdoor will never activate.

What versions of XZ Utils are compromised? ›

XZ Utils, a popular data compression package, was significantly compromised when versions 5.6.0 and 5.6.1 shipped with malicious code, posing a risk of unauthorized system access. The compromise, which affected several Linux distributions, underscores the pivotal role of software integrity in cybersecurity.

What is malicious code in XZ Utils? ›

The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, enables remote code execution on systems where the compromised liblzma is loaded by sshd.

What distros are affected by xz? ›

As of now, the affected XZ Util versions have exclusively appeared in unstable and beta editions of Fedora, Debian, Kali, openSUSE, and Arch Linux distributions. Debian and Ubuntu have confirmed that none of their stable releases contain the compromised packages, ensuring user security.

What does XZ Utils do? ›

XZ Utils can compress and decompress the xz and lzma file formats. Since the LZMA format has been considered legacy, XZ Utils by default compresses to xz. In most cases, xz achieves higher compression rates than alternatives like gzip and bzip2. Decompression speed is higher than bzip2, but lower than gzip.

What is backdoor vulnerability? ›

It is a vulnerability that gives an attacker unauthorized access to a system by bypassing normal security mechanisms. This threat works in the background, hiding itself from the user, and it's very difficult to detect and remove.

Which distros are affected by the xz backdoor? ›

The following distributions shipped a vulnerable xz and have since downgraded it to an older version; systems that installed the bad package still need to apply the update to receive the downgrade.
  • Debian (Trixie/Unstable)
  • Devuan (Unstable)
  • Fedora Rawhide
  • Kali Rolling
  • openSUSE Tumbleweed
  • Termux
  • Ubuntu 24.04 (only in dev builds, not in the stable channel)

What version of xz has backdoor? ›

Affected XZ Versions

The XZ versions affected by this backdoor at the time of writing are 5.6.0 and 5.6.1. These versions are, luckily, not used in most stable releases of Linux distributions.
