CVE-2024-3094 is a critical backdoor vulnerability found in the XZ Utils open-source library. It was caused by malicious code injected into the library by one of its maintainers, and it allows remote attackers to execute arbitrary code on systems with an exposed SSH server.
Action Points
- The vulnerability was found in XZ Utils versions 5.6.0 and 5.6.1; XZ Utils is a data-compression component shipped in most Linux distributions.
- The XZ Utils backdoor gives attackers who hold a specific private key remote code execution on affected Linux systems.
- It was assigned CVE-2024-3094 with a CVSS score of 10 because of the severity of its impact.
- Deploy network security monitoring and testing tools to identify the vulnerable versions, and downgrade to an uncompromised XZ Utils release such as 5.4.6.
What Is XZ Utils?
XZ Utils, previously known as LZMA Utils, is an open-source library project included in many Linux distributions. The library provides compression and decompression of data in the xz and lzma formats.
The lossless data-compression software is available for Unix-like operating systems and Linux distributions, and from version 5 onwards also for Microsoft Windows. XZ Utils consists of two major components: a command-line compressor, xz, and a software library, liblzma.
About XZ Utils Backdoor or CVE-2024-3094
The backdoor vulnerability, CVE-2024-3094, also known as the XZ Utils backdoor, was discovered on March 29, 2024 by Microsoft software developer Andres Freund. The indirect, multi-stage backdoor was maliciously introduced into the liblzma library shipped with the Linux utility xz, in versions 5.6.0 and 5.6.1 released in February 2024.
The backdoor is reachable only when specific criteria are met: XZ Utils version 5.6.0 or 5.6.1 is installed and sshd is publicly accessible. It gives attackers who hold a specific Ed448 private key the ability to execute code remotely.
How Was the XZ Utils Backdoor Created?
In 2022, a developer under the name Jia Tan joined the XZ Utils project and, after building credibility within it, began receiving permissions and release-manager rights. To obtain these permissions, multiple fake accounts appear to have been created to send feature requests and to press for another maintainer to be onboarded. Suspected accounts include Jigar Kumar and krygorin4545.
Once Jia Tan was added as a co-maintainer of the project, a number of changes were introduced, including the sophisticated XZ Utils backdoor in the 2023 version 5.6.0 and the updated version 5.6.1.
Current Status
The vulnerability has been given a CVSS score of 10, the highest possible severity rating. If you do not know which version of XZ Utils is installed on your systems, run a network security test, a threat hunt, or an asset filter to find out whether any of them carry the compromised XZ Utils versions.
Potential Impact of the Vulnerability
When the compromised 5.6.0 or 5.6.1 version is incorporated into the operating system, it alters the behavior of the OpenSSH server by abusing the XZ library. If the backdoor is triggered, it can subvert sshd authentication, allowing unauthorized remote access to the system.
Steps To Take
Steps to mitigate or avoid the XZ Utils backdoor vulnerability are:
- Downgrade to a non-vulnerable release such as XZ Utils version 5.4.6.
- Identify the installed XZ Utils version with system monitoring and network security testing to find the vulnerable components.
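As an added example (not code from the original article), the following POSIX shell check flags the two backdoored releases from `xz --version` output and lists the liblzma that the local sshd resolves at load time. The sample version strings are constructed; the `XZ_CHECK_LIVE` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): flag the backdoored XZ Utils
# releases 5.6.0 and 5.6.1 from `xz --version` output, and show which liblzma
# the local sshd resolves at load time.

# Constructed sample outputs in the shape of `xz --version` (not from a real host).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_GOOD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# True (exit 0) only for the exact backdoored upstream release numbers; a distro
# that patched a 5.6.x build in place needs its own vendor advisory instead.
xz_version_is_vulnerable() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# "liblzma 5.6.1" -> "5.6.1". The backdoor lives in liblzma, so this line is the
# one that matters, not the xz front-end's own version.
parse_liblzma_version() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p'
}

# Classify a version-output string as "VULNERABLE <ver>", "OK <ver>" or "UNKNOWN".
classify_xz_output() {
    ver=$(parse_liblzma_version "$1")
    [ -n "$ver" ] || { echo "UNKNOWN"; return 2; }
    if xz_version_is_vulnerable "$ver"; then echo "VULNERABLE $ver"; else echo "OK $ver"; fi
}

# Live host check, enabled with XZ_CHECK_LIVE=1 so the functions stay testable offline.
check_host() {
    command -v xz >/dev/null 2>&1 && classify_xz_output "$(xz --version 2>/dev/null)"
    # sshd is the exposed entry point; on affected distributions it reaches liblzma
    # indirectly (via libsystemd), so list the liblzma the dynamic linker picks for it.
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        ldd "$sshd_path" 2>/dev/null | grep -i liblzma || echo "sshd: no liblzma in link map"
    fi
}

if [ "${XZ_CHECK_LIVE:-0}" = 1 ]; then check_host; fi
```

Run it as `XZ_CHECK_LIVE=1 sh check_xz.sh` on a host to see the live result; a "VULNERABLE" line or a liblzma 5.6.x in sshd's link map means the downgrade step above applies.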
Bottom Line
XZ Utils is an open-source library shipped with the majority of Linux-based systems. With the backdoor rated as a high-risk vulnerability, you must take the necessary steps to identify the vulnerable version and mitigate its impact. If you have any queries or doubts, talk to our experts at Astra Security.