XZ Outbreak CVE-2024-3094

  • CVSS score 10 (maximum)

  • Affects XZ Utils versions 5.6.0 and 5.6.1

What is XZ Utils?

XZ Utils is a collection of open-source tools and libraries for the XZ compression format. It provides a high compression ratio and supports multiple compression algorithms, notably LZMA2.

What happened? (Why could the exploit take place even though it's an open-source project?)

Started by Social Engineering

The project developers were overwhelmed with work and needed help. Multiple comments were made that the developers were not following up and were slow, which added pressure to the developer. The attacker saw this as an opportunity and offered to help, and the offer was accepted.

GitHub Repository

Two compressed test files containing the malicious binary code were committed into the project.

How is the payload being compiled?

The binary files are injected into the build process; when they are de-obfuscated, they turn into bash scripts. These bash scripts unwrap the multiple layers of hidden data inside one of the large compressed LZMA files, extract the malicious object file and make it part of the build process. As a result, the linker depends on the malicious object file at compile time.

What system does it affect?

  • x86-64 (Debian & RPM-based systems)

  • Distros with glibc (for IFUNC)

What does the payload do?

The payload stays dormant unless a specific third-party patch of the SSH server is used. Under the right conditions, it enables an attacker to break sshd authentication and gain unauthorised remote access to the system.
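As an added example (not from the original page or the XZ project), a small defender-side check that combines the two indicators above: whether the installed xz is one of the two affected releases, and whether sshd loads liblzma at all (on Debian and RPM-based systems the distro sshd patch links libsystemd, which pulls in liblzma). Inputs are passed as strings so the functions can be exercised on constructed samples offline; on a live host, feed them the output of `xz --version` and `ldd "$(command -v sshd)"`.

```shell
#!/bin/sh
# Returns 0 (true) if the given `xz --version` output names 5.6.0 or 5.6.1.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Returns 0 (true) if the given `ldd sshd` output shows liblzma being loaded,
# which is the precondition for the payload to run inside the sshd process.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# 0 = both indicators present (exposure likely), 1 = not exposed by these checks.
xz_backdoor_exposure() {
    xz_version_affected "$1" && sshd_links_liblzma "$2"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_XZ_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_LDD_LINKED='        linux-vdso.so.1 (0x00007ffc00000000)
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0100000000)'
SAMPLE_LDD_CLEAN='        linux-vdso.so.1 (0x00007ffc00000000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0200000000)'

if xz_backdoor_exposure "$SAMPLE_XZ_BAD" "$SAMPLE_LDD_LINKED"; then
    echo "exposed: affected xz version and sshd loads liblzma"
else
    echo "not exposed by these indicators"
fi
```

A clean version string or an sshd that does not load liblzma is enough for the combined check to report no exposure; a negative result from these two indicators is not proof that a host was never touched.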

Interview Questions

  • What do you think can be done to ensure the security of open source projects?

  • If you were responsible for responding to an incident like CVE-2024-3094, what immediate steps would you take to mitigate the threat?

  • How important is it for security professionals to understand the software build process and third-party dependencies? Why?

References:

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

https://www.youtube.com/watch?v=0pT-dWpmwhA

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
