XZ Utils Supply Chain Compromise

THE THREAT

On March 29th, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the open-source community, reported on a critical vulnerability impacting XZ Utils, a general-purpose data-compression library included in many Linux distributions. Tracked as CVE-2024-3094 (CVSS: 10), the vulnerability stems from a supply chain compromise which resulted in malicious code being included in versions 5.6.0 and 5.6.1 of the XZ libraries.

The malicious code modifies the build process of liblzma, a component of XZ Utils, resulting in a compromised liblzma library. The malicious build interferes with authentication in sshd via systemd. The Secure Shell (SSH) protocol is a common method for securely connecting to remote systems; sshd is the service that allows access. In an attack scenario, a threat actor could use this interference to break the sshd authentication, enabling them to execute code on the system remotely.

This topic is actively developing, and additional details are expected to emerge. Organizations are strongly recommended to immediately perform the recommended mitigation actions to prevent abuse.

What we’re doing about it

• eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2024-3094
• The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities

What you should do about it

Organizations, developers, and users are recommended to:

• Downgrade XZ Utils to an uncompromised version, such as XZ Utils 5.4.6
• Hunt for any malicious activity and report any positive findings to CISA

See Additional Information for a full list of known impacted products.

Additional information

On March 29th, Andres Freund (Principal Software Engineer at Microsoft) emailed Open Source Security (OSS) warning the community of a backdoor discovered in xz/liblzma. While performing system benchmarking on a Debian system, Andres observed sshd processes utilizing an abnormal amount of CPU time, which led to the finding that liblzma, part of the XZ package, was responsible for the CPU usage. Further investigation led to the discovery of the backdoored XZ tarballs (TAR archives).

The attack began with the creation of the GitHub account JiaT75 (Jia Tan) in 2021, which initially contributed to related projects before targeting XZ Utils. In January 2023, Jia Tan merged their first commit to the XZ project and would continue to make commits throughout 2023. In February and March 2024, JiaT75 issued commits for versions 5.6.0 and 5.6.1 of XZ Utils that introduced the backdoor. In the following weeks, Tan and others made requests to the developers of Ubuntu, Red Hat, and Debian to merge the updates into their operating systems.

In an attempt to avoid detection, “the malicious injection present in the XZ versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present” states Red Hat.

On April 1st, Anthony Weems (Cloud Vulnerability Researcher at Google) published Proof-of-Concept (PoC) exploit code for CVE-2024-3094. However, the payloads are signed with an ED448 (an elliptic curve signing algorithm) key, so Anthony had to use his own key for testing. This means to exploit CVE-2024-3094 in real-world attacks, the threat actor would need to have knowledge of the ED448 private key used to sign the payloads.

At this time, CVE-2024-3094 is confirmed to impact:

• Red Hat
  • Fedora Linux 40 and Fedora Rawhide
• Debian
  • Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 up to and including 5.6.1-1
• Kali
  • The impact of this vulnerability affected Kali between March 26th to March 29th, 2024
• OpenSUSE
  • OpenSUSE Tumbleweed and OpenSUSE Micro OS between March 7th and March 28th, 2024
• Alpine
  • 5.6 versions prior to 5.6.1-r2
• Arch
  • Installation medium 2024.03.01
  • Virtual machine images 20240301.218094 and 20240315.221711
  • Container images created between and including 2024-02-24 and 2024-03-28

Unaffected distros

• Gentoo
  • Our current understanding of the backdoor is that is does not affect Gentoo systems, because
    1. the backdoor only appears to be included on specific systems and Gentoo does not qualify
    2. the backdoor, as it is currently understood, targets OpenSSH patched to work with systemd-notify support
  • Gentoo does not support or include these patches
  • Analysis is still ongoing, however, and additional vectors may still be identified
• FreeBSD
  • FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 XZ releases.
  • All supported FreeBSD releases include versions of XZ that predate the affected releases.
• Ubuntu
  • The affected version of xz-utils was only in noble-proposed, and was removed before migrating to noble itself
  • No released versions of Ubuntu were affected by this issue.

macOS users utilizing homebrew are potentially impacted

• If Python v3 was installed using homebrew, XZ v5.6.1 was potentially installed as a dependency
• Homebrew has reverted back to XZ v5.4.6
• `brew update && brew upgrade` will revert back

References:

[1] https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-3094
[3] https://www.openwall.com/lists/oss-security/2024/03/29/4
[4] https://mastodon.social/@AndresFreundTec/112180406142695845
[5] https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
[6] https://twitter.com/amlweems/status/1774819428208689241
[7] https://github.com/amlweems/xzbot
[8] https://boehs.org/node/everything-i-know-about-the-xz-backdoor
[9] https://twitter.com/fr0gger_/status/1774342248437813525
[10] https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/
[11] https://www.kaspersky.com/blog/cve-2024-3094-vulnerability-backdoor/50873/