CVE-2024-3094 Vulnerability: Embedded Malicious Code in XZ Utils Versions 5.6.0 and 5.6.1 — A Three-Year Supply Chain Attack or Just a Social Engineering Manipulation?

Larbi OUIYZME
Mar 31, 2024


A critical vulnerability, identified as CVE-2024-3094, has been discovered in versions 5.6.0 and 5.6.1 of XZ Utils, a widely used data compression package shipped by many Linux distributions. This vulnerability, exploited over a three-year period, marks one of the largest supply chain attacks ever recorded, or just a social engineering manipulation.

What are XZ and liblzma?

XZ is the primary tool for compressing and decompressing files using the LZMA algorithm. Additionally, liblzma is an underlying library integrated into many software applications to provide LZMA compression functionalities. These tools are extensively employed in major Linux distributions such as Red Hat and Debian.

The revelation of this vulnerability raises questions about the security of liblzma, a critical library utilized by numerous applications. Why did it take security researchers three years to uncover the XZ Outbreak (CVE-2024-3094) attack? Is it a deliberate social engineering manipulation or the work of a malicious entity operating behind the scenes?

Details of the xz Backdoor CVE-2024-3094:

On March 28, 2024, Red Hat Linux announced the CVE-2024-3094 vulnerability with a critical CVSS score of 10. This security flaw stems from a supply chain compromise affecting the latest versions of the XZ tools and libraries. Versions 5.6.0 and 5.6.1 of the libraries contain malicious code that alters functions during the liblzma build process.

This malicious code compromises the liblzma library, potentially modifying or intercepting data from other applications leveraging the library. Under certain conditions, this code may facilitate unauthorized access by SSH to affected systems.

Security researcher Andres Freund discovered the malicious code after observing that failed SSH logins were causing high CPU utilization. While investigating the cause of the elevated CPU usage, he also noted slower logins, which led to further exploration and the discovery of the vulnerability.

Recommendations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends downgrading XZ Utils to an uncompromised version, such as XZ Utils 5.4.6 Stable, and conducting a hunt for any malicious activity. Additionally, cybersecurity solution vendors propose detection rules for malicious activities.

This vulnerability has been reported to the National Vulnerability Database (NVD) by Red Hat with a critical score of 10.0 according to the CVSS v3 score breakdown, but it has yet to be analyzed by the NVD's Information Technology Laboratory.

YARA Rule for Detecting CVE-2024-3094

This YARA rule scans binary files for the specified byte signature within the liblzma library. If the signature is found, it indicates a potential compromise related to the CVE-2024-3094 vulnerability, especially when the library is loaded by the sshd service.

link Github

rule ssh_liblzma_detection_rule
{
    meta:
        description = "Detects potential compromise via injected code in the liblzma library when utilized by sshd, related to CVE-2024-3094"
        author = "larbi67"
        reference = "CVE-2024-3094"

    /* function signature provided by Vegard Nossum - detect.sh */
    strings:
        $signature = { F3 0F 1E FA 55 48 89 F5 4C 89 CE 53 89 FB 81 E7 00 00 00 80 48 83 EC 28 48 89 54 24 18 48 89 4C 24 10 }

    condition:
        $signature
}
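The two checks this article recommends, confirming which liblzma version a host runs (CISA's downgrade advice) and looking for the injected-function byte signature the YARA rule matches, can both be done without YARA installed. The script below is an added example, not code from the original article, the xz project or Vegard Nossum's detect.sh; it reuses the same byte sequence as the rule above, parses the version line printed by `xz --version`, and relies only on the Python standard library. The file paths it takes on the command line are whatever the operator passes in; the sample inputs in the test are constructed.

```python
"""Offline checks mirroring the YARA rule above and the version advice.

Added example (not from the article or the xz project). Standard library only.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Same bytes as the $signature in the YARA rule (from Vegard Nossum's detect.sh):
# the prologue of the injected function in the trojaned liblzma. It is x86-64
# machine code (F3 0F 1E FA = endbr64, 55 = push rbp), so builds for other
# architectures will not match; no match is therefore not proof of a clean host.
SIGNATURE = bytes.fromhex(
    "F3 0F 1E FA 55 48 89 F5 4C 89 CE 53 89 FB 81 E7 00 00 00 80 "
    "48 83 EC 28 48 89 54 24 18 48 89 4C 24 10"
)

# Versions the advisory names as compromised; CISA suggested 5.4.6 as known-good.
AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}

# `xz --version` prints a line such as "liblzma 5.4.6" after the xz line.
_LIBLZMA_LINE = re.compile(r"liblzma\s+(\d+\.\d+\.\d+)")


def signature_offsets(data: bytes) -> List[int]:
    """Return every offset at which SIGNATURE occurs in data (what YARA's
    $signature would report for the same buffer)."""
    offsets: List[int] = []
    start = 0
    while True:
        idx = data.find(SIGNATURE, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_bytes(data: bytes, label: str) -> Dict[str, object]:
    hits = signature_offsets(data)
    return {"path": label, "matched": bool(hits), "offsets": hits}


def scan_file(path: str) -> Dict[str, object]:
    """Scan one file on disk, e.g. the liblzma.so that `ldd` shows sshd loading."""
    return scan_bytes(Path(path).read_bytes(), path)


def liblzma_version_from_output(text: str) -> Optional[str]:
    """Extract the liblzma version from captured `xz --version` output."""
    m = _LIBLZMA_LINE.search(text)
    return m.group(1) if m else None


def version_is_affected(version: Optional[str]) -> bool:
    """True only for the two versions the advisory names; unknown is not affected
    here, so callers should still treat a parse failure as 'needs a manual look'."""
    return version in AFFECTED_VERSIONS


if __name__ == "__main__":
    # Usage: python3 xz_check.py /path/to/liblzma.so.5 [...]
    for p in sys.argv[1:]:
        result = scan_file(p)
        if result["matched"]:
            where = ", ".join(hex(o) for o in result["offsets"])  # type: ignore[union-attr]
            print(f"{p}: SIGNATURE FOUND at offset(s) {where}")
        else:
            print(f"{p}: no match")
```

Run it against the liblzma shared object that sshd actually maps (the path `ldd` reports for sshd, not just the one on the default library path), and pair the byte scan with the version check: a 5.6.0 or 5.6.1 liblzma is grounds to downgrade regardless of whether the x86-64 signature matches.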


Written by Larbi OUIYZME

I'm Larbi, from Morocco. IT trainer and Chief Information Security Officer (CISO), I'm committed to share knowledge. Also, Ham Radio CN8FF passionate about RF
