Detecting and Fixing CVE-2024-3094

Recently, on March 29, 2024, Andres Freund, a researcher not typically focused on security matters, stumbled upon a significant issue while logging in via SSH on his Debian machine. This issue led to the revelation of a critical vulnerability with CVSS score of 10.0, CVE-2024-3094, in versions 5.6.0 and 5.6.1 of XZ utilities. What's more concerning is that XZ utilities are also utilized by OpenSSH, magnifying the potential impact of this discovery.

‍

‍

How It Works

The method employed by the attacker, identified as Jia Tan (Github user - JiaT75), involves a cunning approach (here you can find his activity in the past 2 years on this project). Rather than directly modifying the source code, a malicious code was covertly committed to the XZ project's tests. During the software build process, this code is injected into the liblzma library responsible for compression operations. The injected code can be found here.

‍

‍

‍

Understanding the Vulnerability

Initially mistaken for an authentication bypass, deeper investigation revealed CVE-2024-3094 to be a Remote Code Execution (RCE) vulnerability. This vulnerability triggers the download and execution of malicious payloads upon connection to the SSH server. Samples of known payloads circulating include:
- 4f0cf1d2a2d44b75079b3ea5ed28fe54
- d26cefd934b33b174a795760fc79e6b5
- d302c6cb2fa1c03c710fa5285651530f
- 53d82bb511b71a5d4794cf2d8a2072c1
- 212ffa0b24bb7d749532425a46764433

‍

‍

‍

Impact

The ramifications of CVE-2024-3094 extend to operating systems that adopted the new version of XZ utilities. Affected systems include certain versions of Debian (excluding stable), RedHat (Fedora 41 +Rawhide), some OpenSUSE, and specific releases of Kali Linux, etc. Notably, Amazon Linux remains unscathed by this vulnerability.

‍

‍

‍

Mitigation

To address CVE-2024-3094 and safeguard your systems:

‍
1. Utilize scripts or YARA rules to scan for and detect the vulnerability.

‍
2. Prevent the execution of known malicious payloads by verifying against their hashes.

‍
3. Restrict access to affected instances from the public internet.

‍
4. Consider upgrading the entire operating system or downgrading XZ utilities to versions predating 5.6.0.

‍

‍

‍

Empower Your Vulnerability Response with DevOcean

Experience a new level of vulnerability management with DevOcean. Say goodbye to manual processes and hello to automated vulnerability response. Detect and address threats like CVE-2024-3094 effortlessly, driving faster remediation workflows and ensuring your systems stay secure. Take charge of your cybersecurity journey today with DevOcean.

‍

‍

‍

References

For further information and support, refer to the following resources:

• https://git.tukaani.org/
• https://boehs.org/node/everything-i-know-about-the-xz-backdoor
• https://twitter.com/dinodaizovi/status/1774156337905033515?t=TSmJzXJUvbrFpjdpqCq8SQ&s=08
• https://www.youtube.com/watch?v=jqjtNDtbDNI
• https://openwall.com/lists/oss-security/2024/03/29/4
• https://lists.debian.org/debian-security-announce/2024/msg00057.html‍
• https://repology.org/project/xz/versions
• https://openwall.com/lists/oss-security/2024/03/29/4/1
• https://github.com/FabioBaroni/CVE-2024-3094-checker/blob/main/CVE-2024-3094-checker.sh
• https://twitter.com/RedDrip7/status/1774067807854235714?s=20
• https://github.com/Neo23x0/signature-base/blob/master/yara/bkdr_xz_util_cve_2024_3094.yar

‍

‍

‍