XZ Utils backdoor

Source: Wikipedia, the free encyclopedia.

This is an old revision of this page, as edited by Melmann at 13:04, 1 April 2024.

CVE identifier(s): CVE-2024-3094
Date discovered: March 29, 2024
Discoverer: Andres Freund
Affected software: xz / liblzma library

CVE-2024-3094 is a software backdoor and supply chain attack maliciously introduced into the Linux utility xz, within its liblzma library, in version 5.6.0 in February 2024. xz is commonly deployed as part of most Linux distributions. The backdoor is expected to give the attacker remote code execution on affected Linux systems. It has been assigned a CVE severity score of 10/10.[1]

Background

On 29 March 2024, PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid.[2] Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage and causing errors in valgrind, a memory debugging tool.[3] Freund reported his finding to the Openwall Project's open source security mailing list, which brought it to the attention of various software vendors.[3] There is evidence that the attacker made efforts to obfuscate the code,[4][5] as the backdoor consists of multiple stages that act together.[6] Once the compromised version is incorporated into the operating system, it alters the behaviour of OpenSSH's SSH server daemon, allowing the attacker to gain the same level of access as any authorised administrator.[6][3] According to analysis by Red Hat, the backdoor can "enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".[7]

A subsequent investigation found that the backdoor was the culmination of approximately 3 years of effort by a user going by the name JiaT75, who appears to have made a concerted effort to gain a position of trust within the xz project by putting pressure on the head maintainer to step down and hand over control of the project.[3]

Response

The US federal agency responsible for cyber infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA), has issued a security advisory recommending that affected devices be rolled back to a previous, uncompromised version.[8] Linux software vendors, including Red Hat,[7] SUSE,[9] and Debian,[10] have mirrored the CISA advisory and reverted the updates for the affected packages to the known-safe version.
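The advisories above amount to two questions for an administrator: is the installed xz release one of the affected versions, and does the host's sshd load liblzma at all (upstream OpenSSH does not depend on it; on some distributions it is pulled in indirectly, for example via libsystemd)? The following POSIX shell script is an added example, not part of the article or of the xz project. It takes the affected version list from this article (5.6.0 only); the list is a variable so it can be extended from the CISA or distribution advisory, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: inventory check for the xz/liblzma backdoor (CVE-2024-3094).
# AFFECTED_VERSIONS holds only the release named in the article; extend it
# from the CISA or your distribution's advisory before relying on it.
AFFECTED_VERSIONS="5.6.0"

# is_affected_version VERSION -> exit 0 if VERSION is in AFFECTED_VERSIONS
is_affected_version() {
    v="$1"
    for a in $AFFECTED_VERSIONS; do
        [ "$v" = "$a" ] && return 0
    done
    return 1
}

# parse_xz_version LINE -> prints the version number from a line such as
# "xz (XZ Utils) 5.6.0" (the first line of `xz --version`); prints nothing
# if no version is present.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# installed_xz_version -> prints the version of the xz binary on PATH,
# exit 1 if xz is not installed.
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    parse_xz_version "$(xz --version 2>/dev/null | head -n 1)"
}

# sshd_links_liblzma -> exit 0 if the sshd binary (directly or through one
# of its libraries) loads liblzma, as reported by ldd; exit 1 otherwise or
# if sshd/ldd is unavailable.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

# report -> prints a human-readable summary; always exits 0 so it can be
# run from inventory tooling without aborting on hosts lacking xz.
report() {
    if ver=$(installed_xz_version) && [ -n "$ver" ]; then
        if is_affected_version "$ver"; then
            echo "xz $ver: listed as affected; roll back per vendor advisory"
        else
            echo "xz $ver: not in the affected version list"
        fi
    else
        echo "xz: not installed or version not parseable"
    fi
    if sshd_links_liblzma; then
        echo "sshd: loads liblzma (the backdoor's target library is present)"
    else
        echo "sshd: does not load liblzma, or sshd/ldd not available"
    fi
    return 0
}

report
```

Run it as an unprivileged user on each host; the version check is authoritative only for the xz binary on PATH, so on systems where liblzma is installed separately from the xz front end, cross-check with the package manager (for example `dpkg -l liblzma5` or `rpm -q xz-libs`).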

References

  1. ^ Gatlan, Sergiu. "Red Hat warns of backdoor in XZ tools used by most Linux distros". BleepingComputer. Retrieved 29 March 2024.
  2. ^ Zorz, Zeljka (29 March 2024). "Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)". Help Net Security. Retrieved 29 March 2024.
  3. ^ a b c d Goodin, Dan (1 April 2024). "What we know about the xz Utils backdoor that almost infected the world". Ars Technica. Retrieved 1 April 2024.
  4. ^ Larabel, Michael. "XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access". www.phoronix.com. Retrieved 29 March 2024.
  5. ^ O’Donnell-Welch, Lindsey (29 March 2024). "Red Hat, CISA Warn of XZ Utils Backdoor". Decipher. Retrieved 29 March 2024.
  6. ^ a b Claburn, Thomas. "Malicious backdoor spotted in Linux compression library xz". www.theregister.com. Retrieved 1 April 2024.
  7. ^ a b "Urgent security alert for Fedora 41 and Fedora Rawhide users". www.redhat.com. Retrieved 29 March 2024.
  8. ^ "Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 | CISA". www.cisa.gov. 29 March 2024. Retrieved 29 March 2024.
  9. ^ "SUSE addresses supply chain attack against xz compression library | SUSE Communities". www.suse.com. Retrieved 29 March 2024.
  10. ^ "[SECURITY] [DSA 5649-1] xz-utils security update". lists.debian.org. Retrieved 29 March 2024.

Andres Freund's report to the Openwall oss-security mailing list