Severe vulnerability in Linux library xz


Userlevel 7
Badge +17

It looks like malicious code has been added to the Linux data compression program xz, which might result in a backdoor. The library's 5.6.0 and 5.6.1 versions should have the code. The xz repository and the xz tarballs have both been "backdoored," according to the discoverer's post on Openwall.

https://www.openwall.com/lists/oss-security/2024/03/29/4

 

Red Hat filed the CVE today, and it now has a preliminary criticality score of 10: https://nvd.nist.gov/vuln/detail/CVE-2024-3094

 

In addition to Red Hat, several other Linux derivatives are affected.

 

If you are using this library, xz should be either uninstalled (if feasible) or rolled back to an earlier version. At a minimum, an examination is required.

 

Especially if you are using Veeam proxies and/or Veeam hardened repositories based on Linux, you should take action to protect your environment...


14 comments

Userlevel 7
Badge +20

Thanks for sharing this, as I am working on hardened repositories now and will keep this in mind. I need to check Ubuntu and see if it is affected. 👍

Userlevel 7
Badge +22

It is pretty bad.

 

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

Userlevel 7
Badge +7

Have to say, this is one of the most insane things I have come across.

There is a great breakdown here: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

For those folks who are utilising Microsoft Defender XDR, KQL queries for this can be found here:

https://github.com/cyb3rmik3/KQL-threat-hunting-queries/blob/main/01.ThreatHunting/CVE-2024-3094-internet-facing-devices.md

Userlevel 7
Badge +7

YARA rule here: https://github.com/Neo23x0/signature-base/blob/master/yara/bkdr_xz_util_cve_2024_3094.yar

Userlevel 7
Badge +10

Interesting, I’m updating my Ubuntu Linux systems and they won’t update xz. They stay at 5.2.4, and I actually think that is good, as it seems the payload came in from 5.6 onwards, as it reads here: NVD - CVE-2024-3094 (nist.gov)

 

 

Userlevel 7
Badge +12

@Rick Vanover

Ubuntu has its own note about the CVE.

No released versions of Ubuntu are affected:

https://ubuntu.com/security/CVE-2024-3094
 

Best,

Fabian

Userlevel 7
Badge +10

Hey thanks @Mildur → This is great for me on Ubuntu :)

Userlevel 7
Badge +6

Thanks so much for sharing, @dips !

Userlevel 7
Badge +6

Here is Red Hat's statement:

“Current investigation indicates that the packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No versions of Red Hat Enterprise Linux (RHEL) are affected”.

CVE-2024-3094 - Red Hat Customer Portal

Userlevel 5
Badge

Here’s a nice article that goes into the background a bit:

 

https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

Userlevel 7
Badge +17

Interesting, I’m updating my Ubuntu Linux systems and they won’t update xz. They stay at 5.2.4, and I actually think that is good, as it seems the payload came in from 5.6 onwards, as it reads here: NVD - CVE-2024-3094 (nist.gov)

 

 

That’s cool it’s not :) I just spot-checked a server or two and it's the same...thankfully. I also just posted about a free online scanner to help out with this.

Userlevel 7
Badge +6

Good to hear that Ubuntu wasn’t affected...I checked my Ubuntu boxes with the below command previously from here, but my understanding is that this particular version of XZ Utils hadn’t rolled out to most folks yet because only certain distributions were targeted to include the new package version.

dpkg-query -l '*xz*'

 

I was looking for my reference that I read on this but didn’t find it….that said, I found an interesting article that details the social aspect of the supply chain attack (a bit less on the technical side of how it worked), how the backdoor was inserted into the code, and how there was a push to get the updated XZ Utils into Red Hat and other Linux distros. Kinda scary how bad it would have been had someone not accidentally found it.

https://theintercept.com/2024/04/03/linux-hack-xz-utils-backdoor/
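Building on the dpkg-query check in the post above, here is a small host check added as an example (not code from the thread or from any of the linked projects). It reduces package-manager version strings to the upstream release number, flags the 5.6.0 and 5.6.1 releases named in the CVE, and looks at both the xz binary and the package database; the "+really" handling follows Debian's convention for packages that ship an older upstream under a higher package number.

```shell
#!/bin/sh
# Upstream xz releases that CVE-2024-3094 names as carrying the malicious code.
AFFECTED="5.6.0 5.6.1"

# Reduce a package version string to its upstream "X.Y.Z": drop a Debian epoch
# ("1:"), the distro revision or rpm release ("-1ubuntu1"), and "~rc"/"+dfsg"
# suffixes. A Debian "+really<ver>" package (older upstream shipped under a
# higher package number) is reported as that older, actually installed, version.
upstream_version() {
  case "$1" in
    *+really*) v=${1#*+really} ;;
    *)         v=$1 ;;
  esac
  v=${v#*:}          # epoch
  v=${v%%-*}         # revision / release
  v=${v%%[~+]*}      # ~rc1, +dfsg, ...
  printf '%s\n' "$v"
}

# Exit status 0 when the string maps to an affected upstream release.
xz_affected() {
  uv=$(upstream_version "$1")
  for a in $AFFECTED; do [ "$uv" = "$a" ] && return 0; done
  return 1
}

# Emit "name version" lines for what this host really has: `xz --version` reports
# the binary and liblzma on two lines; the package database is queried as well,
# since a hand-built copy and the packaged one can differ. Absent tools are skipped.
installed_versions() {
  if command -v xz >/dev/null 2>&1; then
    xz --version 2>/dev/null |
      while read -r name rest; do printf '%s %s\n' "$name" "${rest##* }"; done
  fi
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version}\n' 'xz-utils' 'liblzma*' 2>/dev/null || true
  fi
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' xz xz-libs 2>/dev/null || true
  fi
}

# Print one verdict per component; exit status 1 if anything affected was found.
check_host() {
  out=$(installed_versions | while read -r name ver; do
    case "$ver" in [0-9]*) ;; *) continue ;; esac    # skip "not installed" noise
    if xz_affected "$ver"; then echo "AFFECTED: $name $ver"; else echo "ok: $name $ver"; fi
  done)
  printf '%s\n' "$out"
  case "$out" in *AFFECTED:*) return 1 ;; esac
  return 0
}
```

Source the file and call check_host; a non-zero exit status means an affected release was seen, and the distro's own advisory still decides whether a given package build is the patched one.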

Userlevel 7
Badge +6

This is a great article that gets pretty technical but is understandable. Pretty amazing how well this attack was created. Thanks for linking it!

Userlevel 7
Badge +7

One more article that is worth a read:

https://isc.sans.edu/diary/The+amazingly+scary+xz+sshd+backdoor/30802/
