10 CVE-2024-3094

Enriched by CISA Exploit

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Categories

CWE-506 : Embedded Malicious Code
Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.

References


http://www.openwall.com/lists/oss-security/2024/03/29/10
http://www.openwall.com/lists/oss-security/2024/03/29/12
http://www.openwall.com/lists/oss-security/2024/03/29/4
http://www.openwall.com/lists/oss-security/2024/03/29/5
http://www.openwall.com/lists/oss-security/2024/03/29/8
http://www.openwall.com/lists/oss-security/2024/03/30/12
http://www.openwall.com/lists/oss-security/2024/03/30/27
http://www.openwall.com/lists/oss-security/2024/03/30/36
http://www.openwall.com/lists/oss-security/2024/03/30/5
http://www.openwall.com/lists/oss-security/2024/04/16/5
https://access.redhat.com/security/cve/CVE-2024-3094
Vendor Advisory
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larg...
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-...
Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
Third Party Advisory
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
Mailing List Vendor Advisory
https://bugs.gentoo.org/928134
Issue Tracking Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2272210
Issue Tracking Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1222124
Issue Tracking Third Party Advisory
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-...
Third Party Advisory
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
Third Party Advisory
https://github.com/advisories/GHSA-rxwq-x6h5-x525
Third Party Advisory
https://github.com/amlweems/xzbot
https://github.com/karcherm/xz-malware
Third Party Advisory
https://gynvael.coldwind.pl/?lang=en&id=782
Technical Description Third Party Advisory
https://lists.debian.org/debian-security-announce/2024/msg00057.html
Mailing List Third Party Advisory
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
Third Party Advisory
https://lwn.net/Articles/967180/
Issue Tracking Third Party Advisory
https://news.ycombinator.com/item?id=39865810
Issue Tracking Third Party Advisory
https://news.ycombinator.com/item?id=39877267
Issue Tracking
https://news.ycombinator.com/item?id=39895344
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
Third Party Advisory
https://research.swtch.com/xz-script
https://research.swtch.com/xz-timeline
https://security-tracker.debian.org/tracker/CVE-2024-3094
Third Party Advisory
https://security.alpinelinux.org/vuln/CVE-2024-3094
Third Party Advisory
https://security.archlinux.org/CVE-2024-3094
Third Party Advisory
https://security.netapp.com/advisory/ntap-20240402-0001/
https://tukaani.org/xz-backdoor/
Issue Tracking Vendor Advisory
https://twitter.com/LetsDefendIO/status/1774804387417751958
Third Party Advisory
https://twitter.com/debian/status/1774219194638409898
Press/Media Coverage
https://twitter.com/infosecb/status/1774595540233167206
Press/Media Coverage
https://twitter.com/infosecb/status/1774597228864139400
Press/Media Coverage
https://ubuntu.com/security/CVE-2024-3094
Third Party Advisory
https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-i...
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-comp...
Third Party Advisory US Government Resource
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-b...
Third Party Advisory
https://www.kali.org/blog/about-the-xz-backdoor/
https://www.openwall.com/lists/oss-security/2024/03/29/4
Mailing List
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Vendor Advisory
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-...
Third Party Advisory
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
Press/Media Coverage
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
https://xeiaso.net/notes/2024/xz-vuln/
Third Party Advisory

secalert@redhat.com
AFFECTED (from MITRE)

Vendor    Product                                          Versions
N/A       N/A                                              5.6.0 [affected], 5.6.1 [affected]
Red Hat   Red Hat Enterprise Linux 10
Red Hat   Red Hat Enterprise Linux 6
Red Hat   Red Hat Enterprise Linux 7
Red Hat   Red Hat Enterprise Linux 8
Red Hat   Red Hat Enterprise Linux 9
Red Hat   Red Hat JBoss Enterprise Application Platform 8

© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe                                         start   end
Configuration 1
cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*


REMEDIATION


EXPLOITS

Exploit-db.com

id   description   date
No known exploits

POC Github

Url
https://github.com/byinarie/CVE-2024-3094-info
https://github.com/MrBUGLF/XZ-Utils_CVE-2024-3094
https://github.com/Juul/xz-backdoor-scan
https://github.com/shefirot/CVE-2024-3094

Other Nist (github, ...)

Url
No known exploits


CAPEC

Common Attack Pattern Enumerations and Classifications

id    description                                      severity
442   Infected Software                                High
448   Embed Virus into DLL                             High
636   Hiding Malicious Data or Code within Files       High


MITRE

Techniques

id          description
T1001.002   Data Obfuscation: Steganography
T1027.003   Obfuscated Files or Information: Steganography
T1027.004   Obfuscated Files or Information: Compile After Delivery
T1027.009   Obfuscated Files or Information: Embedded Payloads
T1195.001   Supply Chain Compromise: Compromise Software Dependencies and Development Tools
T1195.002   Supply Chain Compromise: Compromise Software Supply Chain
T1218.001   Signed Binary Proxy Execution: Compiled HTML File
T1221       Template Injection

Mitigations

id      description
M1031   Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.
M1040   On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.
M1016   Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented.
M1021   Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files.
M1017   Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.