A supply chain vulnerability was found in XZ Utils that creates a backdoor into OpenSSH and can lead to remote code execution (RCE). Read this Cybersecurity Threat Advisory to learn about this supply chain vulnerability and how to reduce your risks.
What is the threat?
XZ Utils is a command line tool that can implement the liblzma compression and decompression algorithms. The vulnerability (CVE-2024-3094) was initially stated as an SSH authentication bypass backdoor, however, later it was discovered that it is also a remote code execution (RCE) vulnerability that affects OpenSSH. The threat is only exploitable by the threat actor as it uses a private key held by the actor.
The threat actor contributed to the XZ Utils project for two years to gain container responsibilities. With additional permission, the bad actor was able to include the malicious code in the tarball release’s source code. The vulnerable code was hidden during the build process of dependent projects. During the build process, files were extracted and unencrypted then compiled into liblzma. It was then loaded into SSHD during its startup via Systemd and patched OpenSSH to support system notifications.
Why is it noteworthy?
The execution of this supply chain attack is one of the best to-date. It illustrates how sophisticated attacks has downstream dependencies. A single experienced individual gained the trust of a community, achieved commit permissions and manager rights, to include malicious code in distributions. The threat actor knew how to hide malicious code to easily bypass discovery. This vulnerability could have been more impactful and devastating than SolarWinds supply chain attack.
What is the exposure or risk?
The impacted versions include:
- XZ Utils version 5.6.0
- XZ Utils version 5.6.1
- Fedora version 40
- Fedora version 41
- Debian Unstable / sid only versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1
- Kali Linux systems updated between March 26 and March 29, 2024
- OpenSUSE Tumbleweed and MicroOS rolling releases between March 7 and March 28, 2024
- Arch Linux
- Installation medium 2024.03.01
- Virtual machine images 20240301.218094 and 20240315.221711
- Container images created inclusive of 2024-02-24 to 2024-03-28
What are the recommendations?
Barracuda MSP recommends the following preventative steps to minimize the risks and strengthen the security posture:
- Identify if the system is running an affected version. Use the package manager to check the version such as:
- Apt info xz-utils
- Rpm -i xz-utils
- If the version is 5.6 or 5.6.1 then downgrade or disable OpenSSH
- Some researchers have found a kill switch to the backdoor by adding the key “yolAbejyiejuvnup=Evjtgvsh5okmkAvj” to the system’s environment variables.
- Update/downgrade systems to manufacturer recommendations.
References
Refer to the links below for more information about this threat:
- https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://access.redhat.com/security/cve/CVE-2024-3094
- https://www.rapid7.com/blog/post/2024/04/01/etr-backdoored-xz-utils-cve-2024-3094/?utm_source=marketo&utm_medium=email&utm_content=etr&utm_campaign=global-pla-etr-backdoored-util-customer-eng-cyas
- https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b
- https://nvd.nist.gov/vuln/detail/CVE-2024-3094
If you have any questions regarding this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.
