Chapter 1: XZ Backdoor: Key Trends and Outlook
Red Hat Information Risk and Security and Red Hat Product Security learned that the latest
versions of the "xz" tools and libraries contain malicious code that appears to be intended to
allow unauthorized access. The xz compression library, a widely used tool for compressing files
found across Linux distributions, community projects, and commercial products, was
compromised by a malicious actor using the name Jia Tan (JiaT75), who gradually and patiently
gained maintainer status in order to carry out the attack, ultimately introducing a backdoor
identified as CVE-2024-3094.
This was reported by Andres Freund on Openwall, under the subject "backdoor in upstream
xz/liblzma leading to ssh server compromise". He had noticed a few odd symptoms: liblzma
causing high CPU usage, Valgrind errors after SSH login, and crashes in some configurations.
Once the backdoored liblzma is installed, logins via ssh become a lot slower.
This malicious code is embedded in XZ Utils versions 5.6.0 and 5.6.1. Current investigation
indicates that the following distributions shipped affected packages:
● Fedora Linux 40/41
● Fedora Rawhide
● Arch Linux
● Debian unstable (Sid) versions 5.5.1alpha-0.1 to 5.6.1-1
● Alpine edge versions 5.6 prior to 5.6.1-r2
● openSUSE Tumbleweed, openSUSE MicroOS between March 7 and March 28
● Kali Linux (xz-utils 5.6.0-0.2) between March 26 and March 28
This vulnerability could allow an attacker to gain unauthorized access to impacted systems and
perform remote code execution. The malicious injection in the xz libraries is obfuscated and is
only included in full in the download package: the Git distribution lacks the M4 macro that
triggers the build of the malicious code. The second-stage artifacts are present in the Git
repository and are injected at build time if the malicious M4 macro is present.
The resulting malicious build interferes with authentication in sshd via systemd. SSH is a
commonly used protocol for connecting remotely to systems, and sshd is the service that provides
that access. Under the right circumstances this interference could enable a malicious actor to
bypass sshd authentication and gain unauthorized remote access to the entire system.
Chapter 2: Exploit in XZ Utils: How a Backdoor Leads to SSHD Compromise and Potential Impact
Initial Access
The backdoor was spotted through unusual behavior linked to sshd. A significant increase in CPU
usage during sshd's login process, and errors raised while using the Valgrind memory-debugging
tool, were the symptoms that led Freund to identify it.
Execution
During the XZ build process, the Build-to-Host.m4 script is executed, containing the following
line:
gl_[$1]_config='sed "r\n" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
This line injects an obfuscated script that runs at the end of the configure script, which is
responsible for creating the Makefiles for xz-utils and liblzma. The prerequisites the script
checks before installing the backdoor indicate the attacker's intention to complicate analysis
by researchers: the concealed code embedded within the configure script installs the backdoor
only when specific conditions are met.
Notably, the backdoor installation within the configure script is selective, requiring the targeted
OS to be x86-64 Linux and the XZ build process to be part of a Debian or RPM package build.
If either condition is not met, the backdoor is not installed.
Persistence
if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1); then
Upon execution, the obfuscated script performs various checks, including verifying that the OS
is x86-64 Linux and that the build is part of a Debian or RPM package build. Because the
backdoor is only installed during a Debian or RPM package build (it is not installed when the XZ
package is built manually), the behavior is harder to reproduce.
if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64"; then
The script then modifies the Makefile of liblzma to interfere with its symbol resolution at
runtime, redirecting the RSA_public_decrypt@….pl symbol to the malicious backdoor code.
Lateral Movement
When sshd (the SSH daemon) performs public key authentication, it calls the
RSA_public_decrypt function. Due to the manipulation in the Makefile, this call is redirected to
the attacker's code. The malicious code attempts to extract and verify a payload embedded within
the public key. After verification, this payload is passed to the system() call, which
executes arbitrary commands, leading to remote code execution (RCE).
Impact
The systems mainly at risk are nodes or public-facing workloads that run an SSH server. If a
vulnerable version of "liblzma" is present at either the node or the workload level, those nodes
can be exploited by anyone who has network access to the SSH port.
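The following triage script is an added example, not code from the original report or from the XZ project. It turns the affected releases listed in Chapter 1 (5.6.0 and 5.6.1, plus the 5.5.1alpha start of the Debian range) and the sshd/liblzma relationship described in this chapter into two host-side checks: whether the installed liblzma is one of the affected releases, and whether a running sshd has a liblzma shared object mapped into its address space. It assumes a Linux host with /proc, POSIX sh, awk, grep, sed and pgrep, and that `xz --version` prints a second line of the form "liblzma <version>". The function names and the sample `xz --version` output and `/proc/<pid>/maps` excerpt are constructed for the example.

```shell
#!/bin/sh
# Added triage script (not from the original report or the XZ project):
# flag backdoored xz/liblzma releases on a host and report whether a running
# sshd has liblzma mapped. Assumes Linux /proc, POSIX sh, awk, grep, sed, pgrep.

# Affected upstream releases named in the report: 5.6.0 and 5.6.1 (CVE-2024-3094).
# The Debian range starts at 5.5.1alpha-0.1, so that pre-release is flagged too.
# Distribution suffixes ("-1", "-r2", "-0.2") are stripped before comparison, so
# a distro rebuild such as Alpine's fixed 5.6.1-r2 is still flagged: treat a hit
# as "check the distribution advisory", not as proof of compromise.
xz_version_affected() {
    v=$(printf '%s' "$1" | sed 's/-.*$//')
    case "$v" in
        5.6.0|5.6.1|5.5.1alpha) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the liblzma version from the text of `xz --version`, whose second
# line reads "liblzma <version>". Prints the version, or nothing if absent.
parse_liblzma_version() {
    printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }'
}

# Return 0 when a /proc/<pid>/maps text shows liblzma mapped into the process.
maps_has_liblzma() {
    printf '%s\n' "$1" | grep -Eq '/liblzma\.so'
}

# Print the unique liblzma object paths found in a maps text (field 6 is the path).
maps_liblzma_paths() {
    printf '%s\n' "$1" | awk '$6 ~ /\/liblzma\.so/ { print $6 }' | sort -u
}

# Pull the version out of a shared-object path such as .../liblzma.so.5.6.1.
soname_version() {
    printf '%s' "$1" | sed -n 's/.*liblzma\.so\.\([0-9][0-9.a-z]*\)$/\1/p'
}

# Constructed sample inputs (not captured from a real host) for a dry run.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_MAPS='7f1c2a000000-7f1c2a022000 r--p 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
7f1c2a022000-7f1c2a0a0000 r-xp 00022000 fd:01 1234 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
7f1c2b000000-7f1c2b020000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0
7ffd3c000000-7ffd3c021000 rw-p 00000000 00:00 0 [stack]'

# Dry run over the constructed samples; returns 0 when both checks flag them.
demo() {
    ver=$(parse_liblzma_version "$SAMPLE_XZ_VERSION")
    xz_version_affected "$ver" || return 1
    maps_has_liblzma "$SAMPLE_MAPS" || return 1
    for p in $(maps_liblzma_paths "$SAMPLE_MAPS"); do
        xz_version_affected "$(soname_version "$p")" || return 1
    done
    echo "sample host: liblzma $ver installed and mapped into sshd; affected"
}

# Live host triage: installed liblzma version, then every running sshd's mappings.
# Returns 1 when anything affected is found, so it can gate a larger script.
triage_host() {
    rc=0
    if out=$(xz --version 2>/dev/null); then
        ver=$(parse_liblzma_version "$out")
        if xz_version_affected "$ver"; then
            echo "liblzma $ver is an affected release; downgrade per your distribution advisory"
            rc=1
        else
            echo "liblzma $ver is not one of the affected releases"
        fi
    else
        echo "xz not found in PATH; check liblzma through the package manager"
    fi
    for pid in $(pgrep -x sshd 2>/dev/null); do
        maps=$(cat "/proc/$pid/maps" 2>/dev/null) || continue
        maps_has_liblzma "$maps" || continue
        for p in $(maps_liblzma_paths "$maps"); do
            sv=$(soname_version "$p")
            if xz_version_affected "$sv"; then
                echo "sshd pid $pid has affected $p mapped; restart sshd after downgrading"
                rc=1
            else
                echo "sshd pid $pid has $p mapped (version $sv)"
            fi
        done
    done
    return $rc
}

# Run as `sh xz_triage.sh demo` for the dry run or `sh xz_triage.sh triage` on a host.
case "${1:-}" in
    demo) demo ;;
    triage) triage_host ;;
esac
```

The mapping check matters because a package downgrade does not unload the library from an sshd that is already running; a long-lived daemon keeps the old liblzma mapped until it is restarted, which is why the live check reports the mapped object's version rather than the installed package's.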
Chapter 3: Vulnerability Details
CVE-2024-3094, rated with the maximum CVSS score of 10.0, is assigned to the critical supply
chain compromise of XZ Utils: malicious code injected into versions 5.6.0 and 5.6.1.
CVSS Score | CVSS String                         | Published  | Modified
-----------|-------------------------------------|------------|-----------
10.0       | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 03/09/2024 | 04/01/2024
According to PICUS Security, its Threat Library includes the following threats for XZ Utils
CVE-2024-3094 vulnerability exploitation attacks:
Threat ID | Threat Name                                            | Attack Module
----------|--------------------------------------------------------|-------------------------------
39104     | XZ CVE-2024-3094 Liblzma Vulnerability Download Threat | Network Infiltration
32837     | XZ CVE-2024-3094 Liblzma Vulnerability Email Threat    | E-mail Infiltration (Phishing)
Chapter 4: Recommendations and Mitigation Strategies
- Downgrade to a fixed package on the following products:
- Fedora 40/41, Rawhide revert to 5.4.x
- Debian unstable (Sid) revert to 5.4.5
- Alpine edge revert to 5.4.x, 5.6.0-r2, 5.6.1-r2
- openSUSE Tumbleweed revert to 5.4.x
- openSUSE MicroOS revert to 5.4.x
- Red Hat advises its users to stop using Fedora 40 or Fedora Rawhide until they can downgrade their xz version.
- Prioritize updating systems using systemd on publicly accessible SSH ports to mitigate immediate risks.
- Segment your network to limit the potential spread of the backdoor. Isolate sensitive systems and restrict access to critical resources.
- Conduct regular penetration testing to identify and address any vulnerabilities or weaknesses in the network environment, including those related to the XZ Utils backdoor.
- Keeping all software updated can shield against vulnerabilities that ransomware often exploits.
- Regular backups, especially offline ones, can be a lifesaver, ensuring data availability even after an attack.
- Keeping employees informed about the latest ransomware threats and safe online practices can prevent inadvertent breaches.
References:
- https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html
- https://blog.qualys.com/vulnerabilities-threat-research/2024/03/29/xz-utils-sshd-backdoor
- https://securityboulevard.com/2024/03/what-you-need-to-know-about-the-xz-utils-backdoor/
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- https://lists.debian.org/debian-security-announce/2024/msg00057.html
- https://www.picussecurity.com/resource/blog/cve-2024-3094-a-backdoor-in-xz-utils-leads-to-remote-code-execution
- https://www.armosec.io/blog/cve-2024-3094-kubernetes/#:~:text=On%20March%2029%2C%202024%2C%20Red,performance%20issues%20in%20SSH%20connections.
- https://vulcan.io/blog/alert-cve-2024-3094