CVE-2024-3094

Backdoor

About CVE-2024-3094

On March 28, 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. The vulnerability is the result of a supply chain compromise of the XZ utilities and libraries. XZ Utils is data compression software included in major Linux distributions.
Versions 5.6.0 and 5.6.1 of the xz libraries contain malicious code that alters functions during the liblzma build process. liblzma is the data compression library shipped with XZ Utils.
The result is a modified liblzma library that, under certain conditions, allows unauthorized access, acting as a backdoor on affected systems.

Affected Versions and Mitigation Actions


The affected version of xz-utils was only present in the noble-proposed repository and was removed before being moved to the main repository. Published versions of Ubuntu are not affected by this issue.

What is CVE-2024-3094 and how does it work

The purpose of the malicious code introduced by CVE-2024-3094 is to inject code into the OpenSSH server running on the victim's computer. The injected code lets an attacker holding a specific private key connect to the machine and effectively take it over.

  • The malicious code is loaded into the OpenSSH server process through the liblzma library.
  • It hooks the RSA_public_decrypt function, which OpenSSH uses to verify RSA signatures.
  • The hook inspects the modulus "N" of the RSA public key presented to the server.
  • It decrypts the data carried in "N" using code embedded in the backdoor.
  • The decrypted data is then verified with the Ed448 elliptic curve signature algorithm. Because only the attacker holds the matching private key, only the attacker can produce data that passes this check and connect to the computer.
  • Additionally, the signatures used to connect to a victim's computer are unique to that machine, so one signature cannot be reused to access multiple victim computers.
  • If the data is valid, the command it carries is executed as a system command via "system()".
  • If the data is not valid, the hook transparently falls through to the original RSA_public_decrypt implementation.
  • The complexity of this attack and its use of sophisticated cryptographic algorithms led many to believe it was a nation-state-level operation.

Protection from CVE-2024-3094

Using a version of XZ other than 5.6.0 or 5.6.1 mitigates the vulnerability.
You can run this command to check whether the installed xz binary carries one of the affected version strings (a match means an affected version string is embedded in the binary; no output means it was not found):

    strings `which xz` | grep '5\.6\.[01]'
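As an added example (not code from the original page or from any of the sources listed below), the following POSIX shell helpers extend the version check above and the injection path described in the bullet list: they parse `xz --version` output, flag the two affected releases, and report whether a running sshd process has liblzma mapped, which is the prerequisite for the injection described above. The sample version output and memory-map lines are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: offline-testable helpers that
# decide whether an xz version string is one of the backdoored releases and
# whether an sshd memory map shows liblzma loaded. Sample data is constructed.

# Constructed sample of `xz --version` output (first line carries the version).
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Constructed sample lines in the format of /proc/PID/maps.
SAMPLE_MAPS_WITH_LZMA='7f00-7f10 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1'
SAMPLE_MAPS_WITHOUT_LZMA='7f00-7f10 r-xp 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libc.so.6'

# is_affected_version VERSION -> exit 0 when VERSION is 5.6.0 or 5.6.1
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# xz_version_from_output "<xz --version output>" -> prints the version number
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# maps_has_liblzma "<contents of /proc/PID/maps>" -> exit 0 when liblzma is mapped
maps_has_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# check_running_sshd: inspect live sshd processes on this host (needs pgrep)
check_running_sshd() {
    for pid in $(pgrep -x sshd 2>/dev/null); do
        if [ -r "/proc/$pid/maps" ] && maps_has_liblzma "$(cat "/proc/$pid/maps")"; then
            echo "sshd pid $pid has liblzma mapped; verify the library version"
        fi
    done
}

# check_local_xz: combine parsing and version classification on this host
# exit 0 = affected release, 1 = other release, 2 = xz not found
check_local_xz() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "xz not found"
        return 2
    fi
    if is_affected_version "$ver"; then
        echo "xz $ver is an affected release (5.6.0/5.6.1)"
        return 0
    fi
    echo "xz $ver is not 5.6.0 or 5.6.1"
    return 1
}
```

Run `check_local_xz` and `check_running_sshd` on a host to apply both checks. Note that liblzma being mapped into sshd is normal on distributions whose sshd is patched to link against libsystemd, so that check only shows that the injection path exists; the version check decides whether the loaded library is one of the affected releases.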

Sources

  • https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/
  • https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094
  • https://www.openwall.com/lists/oss-security/2024/03/29/4