Threat Intelligence • April 4, 2024
A significant threat has recently been uncovered within widely utilised Linux distributions, posing a grave risk to system integrity and security. This threat comes in the form of a malicious backdoor nestled within the compression tool xz Utils. In this blog post, we’re uncovering the details of this discovery and giving you the steps to protect your systems against potential exploitation. This post was created with the help of our Principal Security Consultants, Debasis Mohanty and Miguel Marco, to give you the best insights and recommendations to safeguard your systems against this bug.
The vulnerability, now tracked as CVE-2024-3094, represents a supply chain compromise discovered within the latest versions of xz Utils. Xz Utils is a set of data compression tools and libraries extensively utilised across major Linux distributions. Assigned a critical CVSS score of 10, this backdoor discovery has significant implications for the security of Linux systems. This vulnerability was discovered by Andres Freund who reported it to linux-distros and then oss-security.
This vulnerability poses a critical threat to system integrity and security, as it enables unauthorised access and potential remote code execution. The backdoor specifically targets the SSH authentication process, opening doors for unauthorised access to compromised systems.
Initially, there were claims by some researchers that this backdoor permitted attackers to bypass authentication within sshd (the OpenSSH server process), granting them unauthorised remote access to the operating system. However, recent information suggests that this vulnerability should be reclassified as RCE rather than just an authentication bypass.
In simpler terms, malicious code injected into xz Utils versions 5.6.0 and 5.6.1 alters the software's behavior. This backdoor specifically targets sshd, the component responsible for managing remote SSH connections. By utilizing a specific encryption key, individuals could implant any code into an SSH login certificate, upload it, and execute it on the compromised device.
The backdoor intercepts the RSA_public_decrypt function and validates the host's signature using a fixed Ed448 key. Upon successful validation, it proceeds to execute the malicious code supplied by the host through the system() function, all while leaving no traces in the sshd logs.
Given the severity of this vulnerability, immediate action is imperative to mitigate potential risks. Users are strongly advised to verify the integrity of their systems, update affected versions of xz Utils, and implement stringent security measures to prevent exploitation by malicious entities.
Versions 5.6.0 and 5.6.1 of xz Utils are confirmed to contain the malicious backdoor. While stable production releases are not affected, pre-release distributions such as Fedora Rawhide and Debian testing, unstable and experimental are vulnerable to exploitation.
In response to this security threat, users are strongly advised to take immediate action to mitigate risks associated with the compromised xz versions. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory recommending the following steps:
Download the full advisory from CISA here.
Given the nature of the RCE bug and the possibility that an attacker may persist even after exploiting the issue and gaining access to the affected system, our team has compiled some additional recommendations.
xz is a compression utility used in Linux systems for lossless compression of data, similar to creating .zip files. It is crucial for reducing file sizes while ensuring that the uncompressed data remains identical to the original. Many security software and utilities rely on xz, making its integrity paramount in the Linux ecosystem.
It appears to have occurred through a common scenario known as a handover of ownership. The individual who originally managed the xz Libs project on GitHub transferred ownership of the repository to an account that has been actively contributing to various data compression-related repositories for several years. At some stage, the individual associated with that account introduced a backdoor into the project’s code.
SSH (Secure Shell) is a widely used protocol for secure communication between machines, commonly employed in the Linux world. Any library has the potential to manipulate the internal operations of any executable to which it is linked, and multiple Linux distributions incorporate a patch that links sshd to systemd (through its libsystemd library), a utility responsible for loading various services upon system startup. libsystemd in turn links to liblzma, the xz Utils library, thereby giving the xz code a foothold inside the sshd process.
Users can employ detection scripts provided by security researchers or consult with Linux distributors to determine if their system is vulnerable to the compromised versions of xz. Additionally, monitoring for unusual behavior in SSH connections or network traffic may indicate potential exploitation.
In addition to third-party scripts, users can verify their xz version using this command in the Linux terminal:
xz --version
and check whether the reported version is one of the vulnerable versions, 5.6.0 or 5.6.1.
The researcher who found this backdoor also provides a bash script, Detect.sh, that checks the liblzma loaded by sshd for the backdoor's signature: https://www.openwall.com/lists/oss-security/2024/03/29/4/3
Reference: https://www.openwall.com/lists/oss-security/2024/03/29/4
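As an added example (not the Detect.sh script from the oss-security post, nor code from this blog), the following shell helper automates the version check described above: it parses the two lines that xz --version prints (the xz binary line and the liblzma line), flags 5.6.0 and 5.6.1, and reports which liblzma, if any, the local sshd is linked against. The sample version strings in the comments are constructed for illustration.

```shell
#!/bin/bash
# Return 0 if the given version string is one of the backdoored releases.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from one line of "xz --version" output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1", "liblzma 5.4.5" -> "5.4.5".
version_from_line() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Classify the full "xz --version" output. The xz binary and liblzma can
# report different versions, so both lines are checked; prints
# "vulnerable" if either one is 5.6.0/5.6.1, otherwise "ok".
classify_xz_output() {
    local line ver status=ok
    while IFS= read -r line; do
        ver="$(version_from_line "$line")"
        if [ -n "$ver" ] && is_backdoored_version "$ver"; then
            status=vulnerable
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$status"
}

# Best-effort check of this host: xz version plus the liblzma sshd loads.
# A liblzma line in ldd output shows the library is reachable from sshd
# (via the libsystemd linkage described above), which is the precondition
# for the backdoor, not proof of it.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        printf 'xz --version: %s\n' "$(classify_xz_output "$(xz --version 2>/dev/null)")"
    else
        echo 'xz not installed'
    fi
    if command -v sshd >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
        ldd "$(command -v sshd)" 2>/dev/null | grep liblzma \
            || echo 'sshd does not link liblzma'
    fi
}
```

Run check_host on a machine to get both results; a "vulnerable" verdict means the package must be downgraded or updated as the distributions advise.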
Note: It's important to be cautious when utilizing unknown detection scripts. Without a clear understanding of the execution code within the script, there's a risk of inadvertently running malicious code. Always be careful with the scripts you're using to avoid potential security risks.