XZ Utils Backdoor
Executive Summary
XZ Utils is a widely used open-source data compression utility found in Linux distributions and other Unix-like operating systems. It plays a critical role in compressing and decompressing data during various operations. Recently, a backdoor was intentionally planted in XZ Utils by unknown actors. This backdoor affects versions 5.6.0 and 5.6.1 of XZ Utils. The malicious code allows unauthorised remote SSH connections and execution of arbitrary code.
If you think you could have been impacted, please contact us and we’ll help you understand the extent of the impact with support from our Digital Forensics and Incident Response (DFIR) and Managed Security Services (MSS) teams.
Background
On 28 March 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. This vulnerability is a result of a supply chain compromise impacting the versions 5.6.0 and 5.6.1 of XZ Utils. This vulnerability may allow for unauthorised access to affected systems.
It is recommended that XZ Utils is downgraded to an uncompromised version, such as XZ Utils 5.4.6 Stable.
Analysis of the affected code repositories indicates that while work on this backdoor has been underway since 2021, it appears only builds after 24 February 2024 contain the needed malicious code for the backdoor’s operation.
Tarball Download Package
Malicious code injection was discovered in the upstream tarballs of XZ, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the source tree, which is then used to modify specific functions in the liblzma code.
Git Distribution Package
The Git Distribution Package lacks the liblzma build-process code that builds the initial stage of the malicious code; however, it does include the second-stage artifacts of the malicious code, allowing for injection at build time. In the event the obfuscated code used by the liblzma build process is present on the vulnerable system, the artifacts in the Git version allow the backdoor to operate.
Affected Software (Linux Distributions)
Affected Software (Non-Linux Distributions)
Check if you’re affected
Check the installed version of XZ Utils by running one of the following commands, as appropriate for your system.
strings `which xz` | egrep "\(XZ Utils\)"
strings `which xz` | grep " (XZ Utils "
xz --version
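As an added example (not part of the original advisory), the following POSIX shell script parses the banner lines printed by `xz --version` and flags the two affected releases named above. The function names are my own; the sample banner strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the version reported by `xz --version` against the
# releases named in the advisory (5.6.0 and 5.6.1). The check is purely
# version-string based: a distribution build that keeps the same version
# string but has the backdoor removed cannot be distinguished this way, so
# treat the result as a first triage step, not a forensic verdict.

# Extract the version number from a banner line such as
# "xz (XZ Utils) 5.6.1" or "liblzma 5.6.1". Prints nothing if no match.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' \
        -e 's/^liblzma \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when the version is one of the backdoored releases.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Classify one banner line; prints AFFECTED, NOT-AFFECTED or UNKNOWN.
xz_classify_banner() {
    ver=$(xz_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif xz_version_is_backdoored "$ver"; then
        echo "AFFECTED $ver"
    else
        echo "NOT-AFFECTED $ver"
    fi
}

# Check the locally installed binary, if present. `xz --version` prints one
# line for the xz binary and one for liblzma; classify both, since the
# backdoor lives in liblzma.
if command -v xz >/dev/null 2>&1; then
    xz --version 2>/dev/null | while IFS= read -r line; do
        xz_classify_banner "$line"
    done
fi
```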
Mitigation & Workaround Recommendations
References
Software Architect at Alstom
11 months
It seems like there might be some confusion regarding the versions of XZ Utils mentioned in the post and the latest version available on the Maven repository. The post specifically refers to versions 5.6.0 and 5.6.1 being affected by a backdoor, while the latest version on the Maven repository is 1.9. Can someone please guide me?
<!-- https://mvnrepository.com/artifact/org.tukaani/xz -->
<dependency>
  <groupId>org.tukaani</groupId>
  <artifactId>xz</artifactId>
  <version>1.9</version>
</dependency>
IST Security operations manager
11 months
These may help: Anthony Weems developed a POC, which also clearly shows how it would have functioned (https://github.com/amlweems/xzbot); Thomas Roccia has a great breakdown on a page (see image); and an amazing discovery by Microsoft principal software engineer Andres Freund kicked all this off: https://www.openwall.com/lists/oss-security/2024/03/29/4