🚨 Critical Backdoor Discovered in Upstream xz/liblzma Repository and Release Tarballs (versions 5.6.0 and 5.6.1) 🚨
The backdoor injects malicious code into the liblzma library during the build process, targeting x86-64 Linux systems.
🔒 Impact:
The backdoor can affect any application that loads liblzma, including OpenSSH, where it may show up as slower logins or other anomalies. It can modify the RSA_public_decrypt function in OpenSSH, potentially allowing unauthorized access or remote code execution.
🕵️ Discovery:
The backdoor was discovered by a security researcher who noticed odd symptoms around liblzma on Debian sid installations. The researcher observed that logins via ssh became a lot slower and valgrind errors were present. After further investigation, the researcher discovered that the upstream xz repository and the xz tarballs had been backdoored.
💻 Technical Analysis:
The malicious build-to-host is present only in the distributed tarballs: it is not in the upstream source of build-to-host, and xz does not use build-to-host in git. The release tarballs published upstream carry it, whereas the "source code" links, which are generated directly from the repository contents, do not.
The backdoor is designed for glibc-based systems and targets only x86-64 Linux. It checks for specific conditions, such as the build environment and the presence of certain files. It can modify the RSA_public_decrypt function in OpenSSH, potentially allowing unauthorized access or remote code execution.
🛠️ Mitigation:
A script is available to detect if the ssh binary on a system is vulnerable. Users are advised to upgrade their systems as soon as possible. Red Hat has assigned CVE-2024-3094 to this issue.
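A minimal version of such a check, as an added example that is not the script the post refers to: it reads the version that xz reports, flags the two backdoored releases, and notes whether the local sshd loads liblzma (assuming `xz`, `ldd` and `sshd` are on the host); the constructed sample at the end shows the affected case.

```shell
#!/bin/sh
# Added example (not from the original post): POSIX sh checker for CVE-2024-3094.
# It only parses version strings and ldd output; it does not inspect library code.

# Return 0 (true) when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version out of `xz --version` output such as "xz (XZ Utils) 5.6.1"
# (read from stdin so constructed input can be fed in for testing).
parse_xz_version() {
    sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when an ldd(1) listing on stdin shows liblzma being loaded;
# only a process that loads liblzma can be reached by this backdoor.
links_liblzma() {
    grep -q 'liblzma\.so'
}

# Combine both facts into a one-line verdict. $1 = xz version, $2 = ldd listing.
verdict() {
    if printf '%s\n' "$2" | links_liblzma; then note="sshd links liblzma"
    else note="sshd does not link liblzma"; fi
    if xz_version_affected "$1"; then
        echo "AFFECTED: xz $1 is a backdoored release; $note. Upgrade now."
    else
        echo "OK: xz $1 is not a backdoored release; $note."
    fi
}

# Live check of the current host (xz and ldd must be on PATH).
check_host() {
    ver=$(xz --version 2>/dev/null | parse_xz_version)
    [ -n "$ver" ] || { echo "xz not found; nothing to check"; return 1; }
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    verdict "$ver" "$(ldd "$sshd_bin" 2>/dev/null)"
}

# Constructed sample input (not captured from a real host): xz 5.6.1 installed
# and an sshd that loads liblzma.
SAMPLE_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)'
verdict "$(printf '%s\n' "$SAMPLE_XZ" | parse_xz_version)" "$SAMPLE_LDD"
check_host || true
```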
🔒 Conclusion:
The discovery of this backdoor in the upstream xz/liblzma repository and release tarballs is a significant concern for the security community. The backdoor has the potential to affect a wide range of applications that use liblzma, including OpenSSH. It is crucial that users upgrade their systems as soon as possible to mitigate the risk of unauthorized access or remote code execution.
#infosec #cybersecurity #vulnerability #backdoor #xz #liblzma #openssh