TLP: CLEAR
Date: 01/04/2024
REF NO: CERT/2024/04/24
Severity Level: High
Components Affected
Overview
A vulnerability was identified in XZ Utils within Linux Distributions. A remote attacker could exploit this vulnerability to trigger remote code execution and security restriction bypass on the targeted system.
Description
XZ Utils is data compression software that may be present in Linux distributions. Malicious code was discovered in the upstream tarballs of xz that may allow unauthorized access to affected systems.
The liblzma build process (liblzma is part of the xz package) extracts a prebuilt object file from a disguised test file in the source code through a series of complex obfuscations; that object file is then used to modify specific functions in the liblzma code.
The resulting malicious build interferes with authentication in sshd via systemd and could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.
Impact
Solution/ Workarounds
Users are advised to downgrade XZ Utils to the uncompromised stable version 5.4.6. Also refer to the respective vendor's advisory for the appropriate solution, update or mitigation methods.
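As an added example that is not part of this advisory, the following POSIX shell check classifies an installed xz version against the 5.4.6 baseline given above. The list of compromised version strings is deliberately left as a placeholder (XZ_AFFECTED_VERSIONS) to be filled in from the linked vendor advisories; this note's text does not state them.

```shell
#!/bin/sh
# Added example, not from the CERT advisory. Classifies an xz version against
# the uncompromised stable 5.4.6 baseline from the Solution section.
XZ_SAFE_BASELINE="5.4.6"
# Placeholder: space-separated compromised version strings, taken from the
# vendor advisories referenced in the note (e.g. XZ_AFFECTED_VERSIONS="A.B.C A.B.D").
XZ_AFFECTED_VERSIONS="${XZ_AFFECTED_VERSIONS:-}"

# vercmp A B: prints -1, 0 or 1 as dotted version A is <, = or > B.
# Missing components count as 0; a non-numeric suffix ("5.4.6alpha") is dropped.
vercmp() {
    a="$1"; b="$2"; i=0
    while [ "$i" -lt 4 ]; do
        i=$((i + 1))
        x=$(printf '%s\n' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s\n' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# xz_status VERSION: prints COMPROMISED (listed in XZ_AFFECTED_VERSIONS),
# OK (at or below the 5.4.6 baseline) or REVIEW (newer than the baseline:
# confirm against the vendor advisory before trusting it).
xz_status() {
    v="$1"
    for bad in $XZ_AFFECTED_VERSIONS; do
        [ "$v" = "$bad" ] && { printf '%s\n' COMPROMISED; return; }
    done
    if [ "$(vercmp "$v" "$XZ_SAFE_BASELINE")" -le 0 ]; then
        printf '%s\n' OK
    else
        printf '%s\n' REVIEW
    fi
}

# installed_xz_version: parse "xz (XZ Utils) X.Y.Z" from the first line of
# `xz --version`; returns 1 and prints nothing when xz is not installed.
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    xz --version 2>/dev/null | sed -n '1s/^xz (XZ Utils) \([0-9.]*\).*/\1/p'
}

# Report on this host (silently skipped when xz is absent).
v=$(installed_xz_version) && printf 'xz %s: %s\n' "$v" "$(xz_status "$v")"
```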
Reference
RedHat
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://access.redhat.com/security/cve/CVE-2024-3094
OPENWALL
https://www.openwall.com/lists/oss-security/2024/03/29/4
AWS
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
FreeBSD
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
Debian
https://security-tracker.debian.org/tracker/CVE-2024-3094
CVE Name
CVE-2024-3094
Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.
Sri Lanka Computer Emergency Readiness Team | Coordination Centre