Critical Vulnerability in XZ Utils for Linux
Summary
A critical vulnerability in XZ Utils could lead to RCE
Affected platforms
The following platforms are known to be affected (Linux distributions that shipped XZ Utils 5.6.0 or 5.6.1):
- Fedora 40, Fedora 41 and Fedora Rawhide
- Debian testing, unstable and experimental
- Kali Linux installations updated between 26 and 29 March 2024
- openSUSE Tumbleweed and openSUSE MicroOS
Threat details
Introduction
Red Hat has released a security advisory to address a critical vulnerability in XZ Utils for Linux. XZ Utils provides the xz command-line tools and the liblzma library for the general-purpose XZ compression format, and is present in nearly every Linux distribution as well as in many community projects and commercial product distributions.
The vulnerability, tracked as CVE-2024-3094 with a CVSSv3 score of 10.0, could allow an unauthenticated attacker to achieve remote code execution (RCE) over Secure Shell (SSH) in the context of the sshd process, which typically runs as root.
Vulnerability Details
Malicious code was found by security researchers in the source distribution of XZ Utils, in versions 5.6.0 and 5.6.1. The build scripts shipped in the release tarballs extract the malicious code from obfuscated files in the test directory during compilation and alter the liblzma library. The modified liblzma hooks functions in any process that loads it. In particular, some Linux distributions patch OpenSSH's sshd to link against libsystemd (for systemd service notification), and libsystemd in turn pulls liblzma into the sshd process; there the backdoor hooks the RSA public-key verification routine sshd calls during authentication and can run attacker-supplied commands before authentication completes. Those distributions are therefore exposed to RCE.
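The dependency chain described above (backdoored liblzma loaded into sshd through libsystemd) can be checked on a host with a short triage script. The following is an added example written for this page; it is not code from the advisory, the XZ project or any vendor. It assumes a POSIX shell with sed, grep and ldd on PATH, and that sshd lives on PATH or at /usr/sbin/sshd. The sample version and ldd lines used in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory or the XZ project: quick host triage for
# CVE-2024-3094. It checks two things: whether the installed xz reports a
# backdoored upstream release (5.6.0 or 5.6.1) and whether the sshd binary
# links liblzma (directly or via libsystemd on patched distributions).
# Assumptions: POSIX sh, sed, grep and ldd available; sshd on PATH or /usr/sbin.

# xz_version_affected LINE
# LINE is the first line of `xz --version`, e.g. "xz (XZ Utils) 5.6.1"
# (constructed sample). Returns 0 if the version is a backdoored release.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# sshd_links_liblzma LDD_OUTPUT
# LDD_OUTPUT is the output of `ldd /path/to/sshd`. Returns 0 if liblzma appears
# in the dependency list, i.e. a backdoored library would be mapped into sshd.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# triage: run both checks against the live host and print a verdict per check.
triage() {
    verline=$(xz --version 2>/dev/null | head -n 1)
    if [ -z "$verline" ]; then
        echo "xz: not found on PATH"
    elif xz_version_affected "$verline"; then
        echo "xz: AFFECTED ($verline)"
    else
        echo "xz: not a backdoored release ($verline)"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ ! -x "$sshd_path" ]; then
        echo "sshd: not found"
    elif sshd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "sshd: $sshd_path loads liblzma; backdoor reachable if xz is affected"
    else
        echo "sshd: $sshd_path does not load liblzma"
    fi
}

# Run the live checks unless the caller only wants the functions (e.g. for
# sourcing into another script). The variable name is this example's own.
if [ -z "${XZ_TRIAGE_NORUN:-}" ]; then
    triage
fi
```

Two caveats when reading the output: ldd reports link-time dependencies of the binary on disk, so after downgrading you still need to restart sshd (or inspect /proc/<pid>/maps of the running daemon) to be sure the old library is no longer mapped; and a version string alone is not proof of compromise, because the malicious code lives in the release tarballs' build scripts, so a 5.6.x build made from the git tree rather than a tarball does not contain it. Treat a hit from either check as a reason to follow the vendor advisory, not as a final verdict.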
Proof-of-concept available for CVE-2024-3094
Proof-of-concept code for CVE-2024-3094 has been made publicly available, which increases the likelihood of exploitation. Note that the backdoor only accepts payloads signed with the private key held by whoever planted it; the public proof-of-concept demonstrates the mechanism by rebuilding the backdoor with a key of the demonstrator's own, so it does not by itself enable third parties to exploit systems running the as-shipped 5.6.0 or 5.6.1 builds.
Remediation advice
Organisations should follow the advice in the CISA advisory and downgrade XZ Utils to an uncompromised version (such as 5.4.6). Additionally, organisations running an affected Linux distribution should follow the relevant vendor advisory; several are listed below.
Remediation steps
| Type | Step |
|---|---|
| Guidance | Fedora 40, Fedora 41 and Fedora Rawhide users should immediately stop usage until XZ Utils can be downgraded. RHEL is not affected. https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users |
| Guidance | Users of Debian testing, unstable and experimental with XZ Utils versions 5.5.1alpha-0.1 to 5.6.1-1 should immediately upgrade XZ Utils to version 5.6.1+really5.4.5-1 (a repackaged 5.4.5). Debian stable is not affected. https://lists.debian.org/debian-security-announce/2024/msg00057.html |
| Guidance | Users of Kali Linux installations updated between 26 and 29 March 2024 should immediately update Kali Linux, which downgrades XZ Utils. https://www.kali.org/blog/about-the-xz-backdoor/ |
| Guidance | openSUSE Tumbleweed and openSUSE MicroOS users should immediately update, which downgrades XZ Utils. SUSE Linux Enterprise and openSUSE Leap are not affected. https://news.opensuse.org/2024/03/29/xz-backdoor/ |
Definitive source of threat updates
- https://access.redhat.com/security/cve/CVE-2024-3094
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- https://www.cisecurity.org/advisory/a-vulnerability-in-xz-utils-could-allow-for-remote-code-execution_2024-033
Last edited: 3 April 2024 9:15 am