The Dangerous XZ Vulnerability:
What You Need to Know
A recent discovery has unveiled a significant threat to Linux systems: CVE-2024-3094, a covert malware implant embedded within the widely-used liblzma compression library that ships as part of XZ Utils. The risk is not to compressed data itself but to any process that loads the tampered library, most importantly OpenSSH servers on distributions where sshd is linked, directly or indirectly, against liblzma.
What is the XZ Vulnerability?
The XZ vulnerability, CVE-2024-3094, is a malicious code injection in XZ Utils releases 5.6.0 and 5.6.1. The attacker, a contributor who had been granted maintainer access to the project, tampered with liblzma's build process rather than with the LZMA algorithm: a build macro present only in the release tarballs extracted an obfuscated loader from two binary files that had been checked in as test data, and linked the resulting object into liblzma. Nothing in the compression code itself was changed, which is why the tampering survived code review; the payload rode along inside the library's test files and build scripts.
The Supply Chain Compromise
The attackers' strategy targeted the distribution supply chain: the injected build step only activates for x86-64 builds that look like Debian or RPM packaging, and the library it poisons is one pulled into Debian- and Fedora-style builds of OpenSSH. Those distributions patch sshd to send readiness notifications to systemd, which adds a dependency on libsystemd, which in turn depends on liblzma. By compromising liblzma, the attackers gained leverage over any program that loads it, with sshd the evident target.
Understanding Public Keys and Cryptographic Signatures
The malware implant, embedded within liblzma, specifically targets RSA-based public-key authentication in sshd. RSA, a widely-used asymmetric cryptographic algorithm, involves a public-private key pair; during authentication the client presents its public key and a signature, and sshd verifies the signature against the key's modulus N. The attacker's trigger is a crafted key, sent as an RSA certificate, whose N is not a genuine modulus at all but an encrypted command blob signed with the attacker's own Ed448 private key. To sshd the key is just another RSA key; the implant, however, recognises it, checks the signature, and acts on the embedded data. That signature check means the backdoor cannot be triggered by anyone who finds it, only by the holder of the attacker's private key.
Remote Code Execution
The attackers achieve this by hooking the RSA_public_decrypt() function that sshd calls to verify RSA signatures. When an RSA-based authentication attempt arrives, the hook inspects the public key and, if the value of N carries a correctly signed payload, decrypts the command hidden in it and passes it to system(). Because sshd performs this verification as root and before authentication has succeeded, the technique grants the attackers unauthenticated, root-level remote code execution on any reachable server running the tampered library.
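To make the mechanism concrete, the following added example (written for this article, not code from the xz project or from the implant) encodes and decodes the real OpenSSH ssh-rsa public-key wire format, then shows how an arbitrary byte string can be planted in the modulus N and recovered by a hooked verifier. The MARKER tag, the length-prefixed packing and the hooked_public_decrypt dispatch are simplifications invented here for illustration; the actual backdoor used an RSA certificate, encrypted the payload and required a valid Ed448 signature before acting on it. The sample keys are constructed, not real key pairs.

```python
# Added example: ssh-rsa wire format, a payload smuggled in the modulus, and a
# mock of the hooked verification path. MARKER and the packing are hypothetical.
import base64
import struct
from typing import Optional, Tuple

MARKER = b"XZ!!"   # hypothetical 4-byte tag, invented for this example
KEY_BITS = 2048


def _mpint(n: int) -> bytes:
    """RFC 4251 mpint: big-endian, length-prefixed, with a leading 0x00 when the top bit is set."""
    raw = b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated ssh string")
    return buf[off:off + length], off + length


def encode_ssh_rsa(e: int, n: int) -> bytes:
    """Build the binary blob that appears base64-encoded in an 'ssh-rsa AAAA...' line."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def decode_ssh_rsa(blob: bytes) -> Tuple[int, int]:
    kind, off = _read_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {kind!r}")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def to_line(blob: bytes, comment: str = "") -> str:
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()


def from_line(line: str) -> bytes:
    return base64.b64decode(line.split()[1])


def smuggle_command(cmd: bytes, key_bits: int = KEY_BITS) -> int:
    """Pack MARKER | u32 length | cmd | zero padding into a key_bits/8-byte integer.
    Nothing about N is validated as a modulus by the key parser, so any bytes fit."""
    body = MARKER + struct.pack(">I", len(cmd)) + cmd
    size = key_bits // 8
    if len(body) > size:
        raise ValueError("command too long for this modulus size")
    return int.from_bytes(body.ljust(size, b"\x00"), "big")


def extract_command(n: int) -> Optional[bytes]:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if not raw.startswith(MARKER):
        return None
    (length,) = struct.unpack_from(">I", raw, len(MARKER))
    start = len(MARKER) + 4
    if start + length > len(raw):
        return None
    return raw[start:start + length]


def modulus_looks_genuine(n: int) -> bool:
    """A real RSA modulus is odd (product of two odd primes) and of a standard size;
    a padded payload usually fails at least one of these, a cheap sanity check."""
    return n % 2 == 1 and n.bit_length() in (2048, 3072, 4096)


def hooked_public_decrypt(blob: bytes) -> Tuple[str, Optional[bytes]]:
    """Mock of the dispatch inside the implant's RSA_public_decrypt hook: a key whose N
    carries the marker yields a command (the real implant handed it to system()),
    anything else falls through to ordinary signature verification."""
    _, n = decode_ssh_rsa(blob)
    cmd = extract_command(n)
    if cmd is not None:
        return "payload", cmd
    return "verify", None


# Constructed inputs: a plausible-looking 2048-bit odd modulus (not a real key) and a rogue one.
GENUINE_N = (1 << 2047) | (0xC0FFEE << 64) | 1
GENUINE_BLOB = encode_ssh_rsa(65537, GENUINE_N)
ROGUE_BLOB = encode_ssh_rsa(65537, smuggle_command(b"id > /tmp/pwned"))

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE_BLOB), ("rogue", ROGUE_BLOB)):
        e, n = decode_ssh_rsa(from_line(to_line(blob, name)))
        print(name, "e =", e, "bits =", n.bit_length(),
              "looks genuine:", modulus_looks_genuine(n),
              "dispatch:", hooked_public_decrypt(blob))
```

The point the code makes is that an RSA public key is parsed as opaque integers: sshd never asks whether N is the product of two primes before handing it to the verification routine, so a hooked verifier can treat N as a data channel. The modulus_looks_genuine() check is a heuristic for analysts looking at captured keys, not a defence; the real fix is a clean liblzma.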
Mitigating the Vulnerability
To mitigate the XZ vulnerability, immediate action is imperative. Move to an unaffected build of XZ Utils: either downgrade to 5.4.6 or earlier, which predates the malicious commits (these older releases are not patched, they simply never contained the implant), or install your distribution's fixed package, which reverts to a clean version. Restart sshd afterwards so that the running daemon no longer has the tampered library mapped, and treat any host that was exposed while running a backdoored build as potentially compromised.
Affected Systems
Systems running XZ Utils versions 5.6.0 or 5.6.1:
Fedora 40
Fedora Rawhide
Debian testing, unstable, and experimental distributions
openSUSE Tumbleweed (before snapshot 20240328)
Alpine Linux (edge) xz package versions 5.6.0-r0, 5.6.0-r1, 5.6.1-r0 and 5.6.1-r1
Kali Linux systems that were updated between March 26-30, 2024.
Key Vulnerability System Conditions
The system must be running XZ Utils versions 5.6.0 or 5.6.1.
These specific versions contain the malicious backdoor code that was injected into the XZ Utils package.
Releases before 5.6.0 predate the malicious commits, and releases cut after the discovery had the code removed, so neither contains the backdoor.
The vulnerable XZ Utils versions must be integrated into the Linux distribution.
Current research indicates that the backdoored versions have been found in pre-release versions of some Linux distributions, such as:
Fedora 40 and Fedora Rawhide
Debian testing, unstable, and experimental distributions
If a Linux distribution has not yet incorporated the vulnerable XZ Utils versions, the system would not be affected.
The system must be using the glibc (GNU C Library) implementation on x86-64.
The implant installs its hook through glibc's IFUNC resolver mechanism while liblzma is being loaded, and the injected object is built for x86-64 only; from there it intercepts the RSA verification function used by the sshd (SSH daemon) process.
Systems using alternative C library implementations, such as musl, and non-x86-64 systems are not affected by this mechanism.
The system must have an SSH server reachable by the attacker, with public-key authentication enabled, and that sshd must load liblzma (on Debian- and Fedora-family systems it does so indirectly through the libsystemd notification patch).
The malicious code in the vulnerable XZ Utils versions hooks the authentication process in the sshd service, allowing an attacker to run commands as root before authentication completes.
Systems without reachable SSH servers, or whose sshd does not link liblzma, would not be exposed to this attack vector, though they still carry the tampered library and should be fixed.
The issue appears to be limited to RSA-based authentication.
Is my organization affected?
Do not check the xz version by executing the xz binary itself (for example, "xz --version" or "xz -V"): the binary you are trying to assess is the one you would be running. Ask the package manager instead (for example, dpkg-query on Debian-based systems or rpm -q on Fedora-based ones) and check whether sshd has liblzma mapped.
Thankfully, I created a script, which you can find here, to help you check the version you are running and downgrade xz if needed.
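As an added example of the version check described above and the mitigation decision it feeds, the POSIX shell script below (written for this article, not the author's linked script and not part of XZ Utils) reads the installed liblzma version from the package manager rather than from the xz binary, classifies it, and reports whether the running sshd has liblzma mapped. It assumes Debian-style (dpkg-query, package liblzma5) or RPM-style (rpm, package xz-libs) packaging; other package managers would need their own branch. The "+really" handling is for Debian's fixed package, which is versioned 5.6.1+really5.4.5 and is clean despite its 5.6.1 prefix.

```shell
#!/bin/sh
# Added example: classify the installed xz/liblzma version without executing xz.
# Assumes dpkg-query (liblzma5) or rpm (xz-libs); extend for other package managers.

# Return 0 (true) if a package version string is one of the backdoored releases.
# Debian's clean rollback is named 5.6.1+really5.4.5, so "+really" is treated as safe.
xz_version_affected() {
    case "$1" in
        *+really*) return 1 ;;
        5.6.0*|5.6.1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the installed liblzma version as the package manager records it, or nothing.
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' liblzma5 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' xz-libs 2>/dev/null
    fi
}

# Return 0 if the sshd binary links liblzma (directly or via libsystemd).
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || sshd_path=/usr/sbin/sshd
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

# Report the verdict; exit status 1 means a backdoored build is installed.
report() {
    ver=$(installed_xz_version)
    if [ -z "$ver" ]; then
        echo "could not determine liblzma version from the package manager"
        return 2
    fi
    if xz_version_affected "$ver"; then
        echo "AFFECTED: liblzma $ver is a backdoored release"
        if sshd_links_liblzma; then
            echo "sshd links liblzma: treat this host as exposed; downgrade and restart sshd"
        else
            echo "sshd does not link liblzma here, but the library is still tampered: downgrade"
        fi
        return 1
    fi
    echo "OK: liblzma $ver is not a backdoored release"
    return 0
}

report
```

Run it as root on each host; a non-zero exit makes it easy to fan out over a fleet with ssh or a configuration tool and collect the affected list. The classification is deliberately conservative: any 5.6.0 or 5.6.1 package that is not Debian's "+really" rollback is flagged, and a missing package manager yields a distinct status rather than a false "OK".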