THREAT LEVEL - HIGH
02-04-2024
Software Supply Chain Compromise in XZ Utils Library
Threat Level Description
IthacaLabs has maintained the Threat Level at High and added a new observation:
An attack is highly likely. Addressing the broad nature of the threat in order to reach an acceptable risk level requires additional and sustainable protective security measures, combined with judgments about specific business and geographical vulnerabilities.
Description
We have observed that a new software supply chain compromise in the XZ Utils open source library has been identified.
An attacker exploiting the compromised software could break sshd authentication and gain unauthorized access to affected systems.
This software supply chain compromise, tracked as CVE-2024-3094, consists of malicious code (a backdoor) implanted in XZ Utils.
XZ Utils (previously LZMA Utils) is a set of free software command-line lossless data compressors, including the programs lzma and xz, for Unix-like operating systems and, from version 5.0 onwards, Microsoft Windows operating systems too.
The sophisticated malicious payload included in the affected versions of XZ Utils runs in the same process as the OpenSSH server (sshd) and modifies decryption routines in the server so that specific remote attackers (those holding a particular private key) can send arbitrary payloads through SSH. These payloads are executed before the authentication step, effectively handing the attacker control of the entire victim machine.
CVE(s)
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source tree, which is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that is loaded by any software linked against it, allowing the payload to intercept and modify data passed through the library.
Affected Products
- XZ Utils versions 5.5.1, 5.6.0 & 5.6.1
Recommendation(s)
You should implement the directives provided by the vendors in order to mitigate this issue:
FEDORA
Affected Branches: 40, 41, Rawhide (active development)
Affected Packages:
- xz-5.6.0-*
- xz-5.6.1-*
Remediation:
- Fedora 40: Downgrade to version 5.4.x.
- Fedora 41 & Rawhide: Stop using immediately.
DEBIAN
Affected Branches: testing, unstable (sid), experimental
Affected Packages:
- xz-utils 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1
Remediation: Update to latest version (5.6.1+really5.4.5-1)
ALPINE
Affected Branch: Edge (active development)
Affected Packages:
- xz 5.6.1-r0
- xz 5.6.1-r1
Remediation: Update to latest version (5.6.1-r2)
KALI
Affected Branch: N/A
Affected Package:
- xz-utils 5.6.0-0.2 (Kali installations updated between March 26th and March 29th)
Remediation: Update to latest version (5.6.1+really5.4.5-1)
OPENSUSE
Affected Branch: Tumbleweed
Affected Packages:
- xz-5.6.0
- xz-5.6.1
Remediation: Update to latest version (5.6.1.revertto5.4)
ARCH LINUX
Affected Branch: N/A
Affected Package:
- xz 5.6.0-1
Remediation: Update to latest version (5.6.1-2)
You should understand the importance of security updates and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, keep security event logging enabled, and practise event monitoring. Protecting the valuable assets of your business and remaining compliant with the relevant industry regulations requires a comprehensive approach to risk management, including Penetration Testing at least annually and upon significant changes.