Attacker Value
Very High
(3 users assessed)
Exploitability
Very Low
(3 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
5

CVE-2024-3094

Disclosure Date: March 29, 2024
CVE-2024-3094 CVSS v3 Base Score: 10.0
Exploited in the Wild
Reported by noraj
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Add Assessment

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Gives privileged access
Technical Analysis

The backdoor is present in versions 5.6.0 and 5.6.1.

This one has gained significant attention over the past few days. To date, there is has been observation that this backdoor was ever leveraged, and it will be unlikely to do so now, given the attention that it has received.

From a Technical perspective, this one was difficult to detect and prevent since the payload was loaded and executed in memory (as part of the SSHD process). The backdoor allowed remote code to be executed via the SSH process, making it even harder to detect.

This backdoor was only discovered by chance, by a Microsoft developer at Microsoft, Andres Freund. Andres was investigating a performance issue in SSH (which was caused by the backdoor), and then stumbled upon the backdoor. Details of which can be found on their post: https://www.openwall.com/lists/oss-security/2024/03/29/4. Also worth noting that the backdoor was not introduced into the code of xz, but rather the binaries. This means if you built the binaries from source, you did not include the backdoor.

Log in to Add Reply
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Common in enterpriseGives privileged accessUnauthenticatedVulnerable in default configurationDifficult to weaponizeVulnerable in uncommon configuration
Technical Analysis

xz backdoor leads to authentication bypass on OpenSSH. So this remote account takeover on vulnerable systems.

Many linux distributions were not impacted because of various reasons:

  • they were packing older version of xz where the backdoor was not introduced yet (e.g. Debian stable)
  • they were building from source
  • they didn’t patched OpenSSH to use liblzma (e.g. ArchLinux: news, advisory)
  • they don’t even use xz (e.g. Amazon Linux)

Unaffected distribution examples:

Affected distribution examples (which are mostly unstable version of major distros + Kali):

A Nessus plugin is available for detection (n° 192708):

@fr0gger_ published an outbreak visual of the whole backdoor chain:

Timeline summary:

Analysis:

Potential nuclei templates (PR not merged yet):

YARA rules:

Log in to Add Reply
1
Ratings
Common in enterpriseDifficult to weaponizeVulnerable in uncommon configuration
Technical Analysis

On the one hand, it’s backdoored software, so “exploitation” could arguably have already occurred (in the form of an already executed supply chain attack). On the other hand, it’s not immediately clear that anyone has used this backdoor to do specific Bad Things™, so “exploited in the wild” doesn’t sound quite right either. Developers probably most at risk here rather than production systems, but it would appear this got caught pretty quickly.

Bad:

  • Backdoor!
  • In a popular command-line tool
  • Made it into unstable branches/bleeding-edge releases of some distros (Kali, Arch, etc)
  • “Open source is unsafe” commentary (c’mon, y’all)
  • Salacious! Speculation runs rife! xz is drowning out Kate Middleton conspiracy theories in my timelines!

Good:

  • Didn’t make it into prod systems, stable branches unaffected
  • Not a simple attack
  • Not clear that anyone is actively using this backdoor for badness — private SSH key still hasn’t shown up
Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
10.0 Critical
Impact Score:
6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Red Hat Enterprise Linux 6 not down converted
Red Hat Enterprise Linux 7 not down converted
Red Hat Enterprise Linux 8 not down converted
Red Hat Enterprise Linux 9 not down converted
Red Hat JBoss Enterprise Application Platform 8 not down converted
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • tukaani

Products

  • xz 5.6.0,
  • xz 5.6.1

Exploited in the Wild

Reported by:

References

Canonical
CVE-2024-3094 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094)
Exploit
PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
CVE-2024-3094-Vulnerability-Checker-Fixer (https://github.com/alokemajumder/CVE-2024-3094-Vulnerability-Checker-Fixer) (Added by AKB Worker)
CVE-2024-3094-Vulnerabity-Checker (https://github.com/lypd0/CVE-2024-3094-Vulnerabity-Checker) (Added by AKB Worker)
xzwhy (https://github.com/neuralinhibitor/xzwhy) (Added by AKB Worker)
ifuncd-up (https://github.com/robertdfrench/ifuncd-up) (Added by AKB Worker)
Miscellaneous
https://access.redhat.com/security/cve/CVE-2024-3094
https://bugzilla.redhat.com/show_bug.cgi?id=2272210
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://news.ycombinator.com/item?id=39865810
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
https://bugzilla.suse.com/show_bug.cgi?id=1222124
https://security.archlinux.org/CVE-2024-3094
https://security.alpinelinux.org/vuln/CVE-2024-3094
https://security-tracker.debian.org/tracker/CVE-2024-3094
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
https://news.ycombinator.com/item?id=39877267
https://gynvael.coldwind.pl/?lang=en&id=782
https://ubuntu.com/security/CVE-2024-3094
https://github.com/advisories/GHSA-rxwq-x6h5-x525
https://bugs.gentoo.org/928134
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://twitter.com/debian/status/1774219194638409898
https://twitter.com/infosecb/status/1774597228864139400
https://twitter.com/infosecb/status/1774595540233167206
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
https://github.com/karcherm/xz-malware
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
https://xeiaso.net/notes/2024/xz-vuln/
https://lwn.net/Articles/967180/
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://tukaani.org/xz-backdoor/
https://twitter.com/LetsDefendIO/status/1774804387417751958
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
https://news.ycombinator.com/item?id=39895344
https://github.com/amlweems/xzbot
https://security.netapp.com/advisory/ntap-20240402-0001/
https://www.kali.org/blog/about-the-xz-backdoor/
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
https://research.swtch.com/xz-timeline
https://research.swtch.com/xz-script
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
http://www.openwall.com/lists/oss-security/2024/03/30/12
http://www.openwall.com/lists/oss-security/2024/03/30/27
http://www.openwall.com/lists/oss-security/2024/03/29/10
http://www.openwall.com/lists/oss-security/2024/03/29/8
http://www.openwall.com/lists/oss-security/2024/03/30/5
http://www.openwall.com/lists/oss-security/2024/03/29/4
http://www.openwall.com/lists/oss-security/2024/03/29/12
http://www.openwall.com/lists/oss-security/2024/03/30/36
http://www.openwall.com/lists/oss-security/2024/04/16/5
http://www.openwall.com/lists/oss-security/2024/03/29/5

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis