Security Alert: CVE-2024-3094 Critical Threat in Linux Systems

A significant threat has recently been uncovered within widely utilised Linux distributions, posing a grave risk to system integrity and security. This threat comes in the form of a malicious backdoor nestled within the compression tool xz Utils. In this blog post, we’re uncovering the details of this discovery and giving you the steps to protect your systems against potential exploitation. This post was created with the help of our Principal Security Consultants - Debasis Mohanty and Miguel Marco to give you the best insights and recommendations to safeguard your systems against this bug.

The vulnerability, now tracked as CVE-2024-3094, represents a supply chain compromise discovered within the latest versions of xz Utils. Xz Utils is a set of data compression tools and libraries extensively utilised across major Linux distributions. Assigned a critical CVSS score of 10, this backdoor discovery has significant implications for the security of Linux systems. This vulnerability was discovered by Andres Freund who reported it to linux-distros and then oss-security.

This vulnerability poses a critical threat to system integrity and security, as it enables unauthorised access and potential remote code execution. The backdoor specifically targets the SSH authentication process, opening doors for unauthorised access to compromised systems.

Initially, there were claims by some researchers that this backdoor permitted attackers to bypass authentication within sshd (the OpenSSH server process), granting them unauthorised remote access to the operating system. However, recent information suggests that this vulnerability should be reclassified as RCE rather than just an authentication bypass.

In simpler terms, malicious code injected into xz Utils versions 5.6.0 and 5.6.1 alters the software's behavior. This backdoor specifically targets sshd, the component responsible for managing remote SSH connections. By utilizing a specific encryption key, individuals could implant any code into an SSH login certificate, upload it, and execute it on the compromised device.

The backdoor intercepts the RSA_public_decrypt function, validating the host's signature using the fixed key Ed448. Upon successful validation, it proceeds to execute the malicious code supplied by the host through the system() function, all while leaving no traces in the sshd logs.

Given the severity of this vulnerability, immediate action is imperative to mitigate potential risks. Users are strongly advised to verify the integrity of their systems, update affected versions of xz Utils, and implement stringent security measures to prevent exploitation by malicious entities.

Versions 5.6.0 and 5.6.1 of xz Utils are confirmed to contain the malicious backdoor. While not impacting production releases, beta versions like Fedora Rawhide, Debian testing, unstable, and experimental distributions are vulnerable to exploitation.

In response to this security threat, users are strongly advised to take immediate action to mitigate risks associated with the compromised xz versions. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory recommending the following steps:

• Downgrade to Uncompromised Versions: Users currently using xz versions 5.6.0 or 5.6.1 are urged to downgrade to older, uncompromised versions of xz that do not contain the malicious code. Version 5.4.6 Stable is recommended as a safe alternative.
• Monitor for Suspicious Activity: Administrators and users should diligently monitor their systems for any signs of malicious or suspicious activity. This includes unusual behavior in SSH connections, unexpected system slowdowns, or unauthorized access attempts.
• Check xz Version: Linux administrators can verify the version of xz installed on their systems using the provided shell script or by querying with their package manager. If the installed version matches 5.6.0 or 5.6.1, immediate action should be taken to downgrade to a secure version.
• 
  

Download the full advisory from CISA here.

Given the nature of the RCE bug and the possibility that an attacker may persist even after exploiting the issue and gaining access to the affected system, our team has compiled some additional recommendations.

• Change all credentials that could have been compromised by the attackers gaining access to the system.
• Verify the system’s integrity by examining network logs and thoroughly reviewing all monitoring tools for any signs of suspicious activity originating from the affected systems. This includes investigating for any evidence of lateral movement or further compromises within the network.
• Scrutinise firewall logs for any outbound traffic that may indicate suspicious activity or unauthorised data transfers to unintended destinations.
• Engage a specialised security company to review network logs and existing monitoring tool logs. This will help validate the integrity of the network and connected systems.
  

xz is a compression utility used in Linux systems for lossless compression of data, similar to creating .zip files. It is crucial for reducing file sizes while ensuring that the uncompressed data remains identical to the original. Many security software and utilities rely on xz, making its integrity paramount in the Linux ecosystem.

It appears to have occurred through a common scenario known as a handover of ownership. The individual who originally managed the xz Libs project on GitHub transferred ownership of the repository to an account that has been actively contributing to various data compression-related repositories for several years. At some stage, the individual associated with that account introduced a backdoor into the project’s code.

SSH (Secure Shell) is a widely used protocol for secure communication between machines, commonly employed in the Linux world. Any library has the potential to manipulate the internal operations of any executable to which it is linked and multiple Linux distributions incorporate a patch that connects sshd to systemd, a utility responsible for loading various services upon system startup. Subsequently, systemd establishes a link to liblzma, thereby enabling xz Utils to maintain control over sshd.

Users can employ detection scripts provided by security researchers or consult with Linux distributors to determine if their system is vulnerable to the compromised versions of xz. Additionally, monitoring for unusual behavior in SSH connections or network traffic may indicate potential exploitation.

In addition to third party scripts, users can verify their xz version using this command in the linux terminal: 

xz --version

And check if they have one of the vulnerable version 5.6.0 or 5.6.1

Also the researcher that found this backdoor recommends to use this bash script to detect the signature: Detect.sh in https://www.openwall.com/lists/oss-security/2024/03/29/4/3

Reference: https://www.openwall.com/lists/oss-security/2024/03/29/4

Note: It's important to be cautious when utilizing unknown detection scripts. Without a clear understanding of the execution code within the script, there's a risk of inadvertently running malicious code. Always be careful with the scripts you're using to avoid potential security risks.

Explore the entire Evolve suite of products here, designed to give your enterprise complete protection from evolving threats.