Activity Feed

1
Ratings
Technical Analysis

The xz backdoor leads to an authentication bypass on OpenSSH, so this is a remote account takeover on vulnerable systems.

Many Linux distributions were not impacted, for various reasons:

  • they were packaging an older version of xz where the backdoor had not been introduced yet (e.g. Debian stable)
  • they were building from source
  • they didn’t patch OpenSSH to use liblzma (e.g. ArchLinux: news, advisory)
  • they don’t even use xz (e.g. Amazon Linux)

Unaffected distribution examples:

Affected distribution examples (which are mostly unstable versions of major distros + Kali):

A Nessus plugin is available for detection (n° 192708):

@fr0gger_ published an outbreak visual of the whole backdoor chain:

Timeline summary:

Analysis:

Potential nuclei templates (PR not merged yet):

YARA rules:

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

The backdoor is present in versions 5.6.0 and 5.6.1.

This one has gained significant attention over the past few days. To date, there has been no observation that this backdoor was ever leveraged, and it will be unlikely to do so now, given the attention that it has received.

From a technical perspective, this one was difficult to detect and prevent since the payload was loaded and executed in memory (as part of the SSHD process). The backdoor allowed remote code to be executed via the SSH process, making it even harder to detect.

This backdoor was only discovered by chance, by a developer at Microsoft, Andres Freund. Andres was investigating a performance issue in SSH (which was caused by the backdoor), and then stumbled upon the backdoor. Details can be found in their post: https://www.openwall.com/lists/oss-security/2024/03/29/4. Also worth noting that the backdoor was not introduced into the code of xz, but rather the binaries. This means if you built the binaries from source, you did not include the backdoor.

Indicated source as
  • Personally observed in an environment
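The two xz assessments above name the affected releases (5.6.0 and 5.6.1) and the distro-patched sshd that links liblzma as the conditions a host must meet to be exposed. The following is an added triage script (not from either assessment) that checks both conditions from captured command output, so it can be tested offline; the live `check_host()` wrapper runs the real `xz --version` and `ldd` commands on the host.

```python
"""Added example: triage checks for the xz/liblzma backdoor conditions described
in the assessments. A matching version is an indicator for follow-up, not proof:
the assessment notes a build from the source repository would not carry the
backdoor even if it reports 5.6.0/5.6.1."""
import re
import shutil
import subprocess
from typing import Optional

BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}  # the two releases named on the page


def xz_version_from_output(text: str) -> Optional[str]:
    """Extract the release from `xz --version` output, e.g. 'xz (XZ Utils) 5.6.1'."""
    m = re.search(r"^xz \(XZ Utils\) (\d+\.\d+\.\d+)", text, re.M)
    return m.group(1) if m else None


def xz_version_affected(version: Optional[str]) -> bool:
    return version in BACKDOORED_VERSIONS


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if `ldd sshd` lists liblzma; an unpatched upstream sshd does not."""
    return re.search(r"^\s*liblzma\.so", ldd_output, re.M) is not None


def assess(xz_output: str, ldd_output: str) -> dict:
    """Combine both indicators; 'suspect' is only set when both are present."""
    ver = xz_version_from_output(xz_output)
    affected = xz_version_affected(ver)
    linked = sshd_links_liblzma(ldd_output)
    return {"xz_version": ver, "affected_release": affected,
            "sshd_links_liblzma": linked, "suspect": affected and linked}


def check_host() -> dict:
    """Live check on this host (commands may be absent on non-Linux systems)."""
    xz_out, ldd_out = "", ""
    try:
        if shutil.which("xz"):
            xz_out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        sshd = shutil.which("sshd") or "/usr/sbin/sshd"  # assumed default path
        ldd_out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
    except OSError:
        pass
    return assess(xz_out, ldd_out)


if __name__ == "__main__":
    print(check_host())
```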
1
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

Rapid7 observed pre-patch exploitation of this vulnerability from March through at least August of 2023. Several of the incidents our MDR team investigated ended in ransomware deployment. In September 2023, Cisco assigned CVE-2023-20269, which covers some of the attacker behavior Rapid7 incident responders observed: https://www.rapid7.com/blog/post/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/

1
Ratings
Technical Analysis

To be published soon.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2024-20767 highlights a vulnerability in a ColdFusion application, specifically within a server management component (/CFIDE/adminapi/_servermanager/servermanager.cfc). This component, intended for managing server operations, can be manipulated to execute unauthorized actions due to improper security checks on user access levels.

The vulnerability arises because the application fails to adequately verify the permissions of certain classes, allowing a class with a specific access level (identified as “3”) to bypass security measures. Attackers can exploit this oversight by dissecting the application’s files to target the getHeartBeat class, which is not properly secured. Once access is gained, attackers can call internal methods that should be restricted, leading to unauthorized actions such as reading sensitive files or downloading data dumps from the server.

This issue is particularly concerning because it allows attackers to use a unique identifier (UUID) generated by the application to fake authorization, gaining access to a servlet (PMSGenericServlet) meant for privileged operations. The exploitation of this servlet could lead to further unauthorized activities, such as reading or altering files on the server, by manipulating parameters like the username and filename in requests.

From an example at http://jeva.cc/2973.html, a POC would look like:
Get /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=10000
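The request pattern the assessment describes (a GET to the /pms servlet whose file_name parameter traverses out of the log directory) is straightforward to hunt for in web server access logs. The script below is an added example, not part of the assessment: it parses Apache combined-format lines (the sample lines are constructed), decodes the query, and flags file_name values that traverse or are absolute; the double unquote catches double-encoded traversal sequences.

```python
"""Added example: flag CVE-2024-20767-style /pms log-read requests in access logs."""
import re
from urllib.parse import parse_qs, unquote

# Apache combined log line: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample lines; the first mirrors the PoC shape quoted above.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Mar/2024:10:21:33 +0000] "GET /pms?module=logging'
    '&file_name=../../../../../../../etc/passwd&number_of_lines=10000 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [15/Mar/2024:10:21:40 +0000] "GET /pms?module=logging'
    '&file_name=..%2F..%2F..%2Fetc%2Fpasswd&number_of_lines=50 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [15/Mar/2024:10:22:01 +0000] "GET /pms?module=logging'
    '&file_name=coldfusion-out.log&number_of_lines=100 HTTP/1.1" 200 10240',
    '198.51.100.9 - - [15/Mar/2024:10:22:05 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 512',
]


def is_traversal(file_name: str) -> bool:
    """True for '..' segments (either slash style) or an absolute path."""
    normalized = file_name.replace("\\", "/")
    return ".." in normalized.split("/") or normalized.startswith("/")


def pms_traversal_findings(lines):
    """Return one finding per /pms request whose file_name leaves the log dir."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        path, _, query = m.group("target").partition("?")
        if not path.lower().endswith("/pms"):
            continue
        params = parse_qs(query, keep_blank_values=True)  # decodes once
        file_name = unquote(params.get("file_name", [""])[0])  # second decode
        if is_traversal(file_name):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "file_name": file_name})
    return findings


if __name__ == "__main__":
    for f in pms_traversal_findings(SAMPLE_LOG):
        print(f)
```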

1
Ratings
Technical Analysis

Ivanti Standalone Sentry serves as a conduit, connecting devices with an organization’s ActiveSync-compatible email systems (like Microsoft Exchange Server) or other backend resources (such as Microsoft SharePoint server). It’s also capable of functioning as a Kerberos Key Distribution Center Proxy (KKDCP) server.

While specifics on the vulnerability remain undisclosed, Ivanti has stated that an unauthenticated attacker, if present on the same physical or logical network, could leverage CVE-2023-41724 to carry out unauthorized command execution on the operating system of the appliance.

The firm also highlighted that this security issue cannot be exploited over the internet by threat actors lacking a valid TLS client certificate obtained through EPMM.

This security flaw impacts all supported versions of Ivanti Standalone Sentry (versions 9.17.0, 9.18.0, and 9.19.0), in addition to older, no longer supported versions (below 9.17.0). Users of these older versions are encouraged to update to a supported release and apply the corresponding patch (versions 9.17.1, 9.18.1, or 9.19.1).