CVE-2024-3094 - backdoor found in xz utils 5.6.0 and 5.6.1

i3slkiller
Contributor
Posts: 90
Joined: 03 Feb 2020, 18:51
Distribution: Porteus XFCE v5.0rc2 x86_64
Location: Poland

CVE-2024-3094 - backdoor found in xz utils 5.6.0 and 5.6.1

Post#1 by i3slkiller » 30 Mar 2024, 09:46

https://thehackernews.com/2024/03/urgen ... in-xz.html
Red Hat on Friday released an "urgent security alert" warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.

The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).

"Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code," the IBM subsidiary said in an advisory.

"This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."

Specifically, the nefarious code baked into the code is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely "under the right circumstances."

[...]

Evidence shows that the packages are only present in Fedora 41 and Fedora Rawhide, and do not impact Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, and SUSE Linux Enterprise and Leap.

Out of an abundance of caution, Fedora Linux 40 users have been recommended to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are below -

Kali Linux (between March 26 and 29)
openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and 28)
Debian testing, unstable, and experimental versions (from 5.5.1alpha-0.1 to 5.6.1-1)
Slackware current also seems to be affected (although it doesn't use systemd, that doesn't diminish the seriousness of the matter).

EDIT: I found something like this https://www.openwall.com/lists/oss-secu ... 24/03/29/4
== Affected Systems ==

The attached de-obfuscated script is invoked first after configure, where it
decides whether to modify the build process to inject the code.

These conditions include targeting only x86-64 linux:
if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1);then

Building with gcc and the gnu linker
if test "x$GCC" != 'xyes' > /dev/null 2>&1;then
exit 0
fi
if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
exit 0
fi
LDv=$LD" -v"
if ! $LDv 2>&1 | grep -qs 'GNU ld' > /dev/null 2>&1;then
exit 0
fi

Running as part of a debian or RPM package build:
if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then

Particularly the latter is likely aimed at making it harder to reproduce the
issue for investigators.


Due to the working of the injected code (see below), it is likely the backdoor
can only work on glibc based systems.
EDIT: I only now noticed this in changelog :wall:
a/xz-5.6.1-x86_64-2.txz: Rebuilt.
Seems like a good idea to build this from a git pull rather than the signed
release tarballs. :-)
The liblzma in the previous packages were not found to be vulnerable by the
detection script, but I'd rather not carry the bad m4 files in our sources.
Here's a test script for anyone wanting to try it:
if hexdump -ve '1/1 "%.2x"' /lib*/liblzma.so.5 | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410 ; then
echo probably vulnerable
else
echo probably not vulnerable
fi
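
The one-liner above only answers yes/no for whatever `/lib*/liblzma.so.5` happens to match. The script below is an added example, not from the thread or from Slackware's changelog: it wraps the same byte-sequence check into functions that report per file, keep "file unreadable" distinct from "signature absent", and cross-check the installed package version against the two backdoored releases named in the article. It assumes the pkgtools naming shown later in the thread (`/var/lib/pkgtools/packages/xz-5.2.5-x86_64-4_slack15.0`) and uses `od` instead of `hexdump`, since `od` is POSIX and present on every system; the hex pattern is the one from the quoted test script.

```shell
#!/bin/sh
# Added example (not from the forum thread or Slackware's changelog).
# Scans liblzma shared objects for the byte sequence the thread's test script
# greps for, and checks the pkgtools database for xz 5.6.0 / 5.6.1.

# Byte pattern from the quoted Slackware test script (hex, one byte = 2 chars).
XZ_CHECK_SIG='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

# has_backdoor_sig FILE
#   0 = byte sequence present, 1 = not present, 2 = file unreadable
has_backdoor_sig() {
    [ -r "$1" ] || return 2
    # od -An: no offsets, -v: do not collapse repeated lines, -tx1: one byte
    # per column; tr joins everything into a single lowercase hex string.
    od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$XZ_CHECK_SIG"
}

# pkg_version_from_name NAME
#   Extracts the upstream version from a pkgtools entry such as
#   "xz-5.2.5-x86_64-4_slack15.0" -> "5.2.5"; prints nothing for other names.
pkg_version_from_name() {
    printf '%s\n' "${1##*/}" | sed -n 's/^xz-\([0-9][0-9.]*\)-.*/\1/p'
}

# version_is_affected VERSION -> 0 for the two backdoored releases (CVE-2024-3094)
version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_system [FILE...]
#   Scans the given shared objects (default: the locations used in the
#   thread) and the pkgtools database. Returns 1 if anything looks
#   vulnerable, 0 otherwise.
check_system() {
    rc=0
    [ $# -gt 0 ] || set -- /lib*/liblzma.so.5 /usr/lib*/liblzma.so.5
    for f in "$@"; do
        [ -e "$f" ] || continue
        st=0
        has_backdoor_sig "$f" || st=$?
        case $st in
            0) echo "$f: probably vulnerable"; rc=1 ;;
            1) echo "$f: probably not vulnerable" ;;
            *) echo "$f: unreadable, cannot check" ;;
        esac
    done
    # Package database cross-check (Slackware/Porteus pkgtools layout).
    for p in /var/lib/pkgtools/packages/xz-*; do
        [ -e "$p" ] || continue
        v=$(pkg_version_from_name "$p")
        if version_is_affected "$v"; then
            echo "$p: backdoored release $v installed"; rc=1
        else
            echo "$p: version $v is not one of the backdoored releases"
        fi
    done
    return $rc
}

check_system "$@"
```

Run it with no arguments to scan the default locations, or pass explicit paths (for example a liblzma.so.5 copied out of a package archive) to check a file that is not installed. A non-zero exit means either the byte pattern was found or a 5.6.0/5.6.1 package is recorded in pkgtools, so it can be dropped into a boot-time or cron check as-is.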

Blaze
DEV Team
Posts: 3901
Joined: 28 Dec 2010, 11:31
Distribution: ⟰ Porteus current ☯ all DEs ☯
Location: ☭ Russian Federation, Lipetsk region, Dankov

CVE-2024-3094 - backdoor found in xz utils 5.6.0 and 5.6.1

Post#2 by Blaze » 30 Mar 2024, 14:50

In Porteus 5.01

Code:

# ls /var/lib/pkgtools/packages/*xz*
/var/lib/pkgtools/packages/xz-5.2.5-x86_64-4_slack15.0

# if hexdump -ve '1/1 "%.2x"' /lib*/liblzma.so.5 | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410 ; then
echo probably vulnerable
else
echo probably not vulnerable
fi 
probably not vulnerable
Linux 6.6.11-porteus #1 SMP PREEMPT_DYNAMIC Sun Jan 14 12:07:37 MSK 2024 x86_64 Intel(R) Xeon(R) CPU E3-1270 v6 @ 3.80GHz GenuineIntel GNU/Linux
MS-7A12 » [AMD/ATI] Navi 23 [Radeon RX 6600] [1002:73ff] (rev c7) » Vengeance LPX 16GB DDR4 K2 3200MHz C16

Ed_P
Contributor
Posts: 8547
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

CVE-2024-3094 - backdoor found in xz utils 5.6.0 and 5.6.1

Post#3 by Ed_P » 30 Mar 2024, 15:41

Good to know. :good:

Code:

guest@porteus:~$ ls /var/lib/pkgtools/packages/*xz*
/var/lib/pkgtools/packages/xz-5.2.5-x86_64-4_slack15.0
guest@porteus:~$ if hexdump -ve '1/1 "%.2x"' /lib*/liblzma.so.5 | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410 ; then
echo probably vulnerable
else
echo probably not vulnerable
fi 
probably not vulnerable
guest@porteus:~$ ls /lib*/liblzma.so.5
/lib64/liblzma.so.5@
guest@porteus:~$ 
