XZ Utils Data Compression Library

Steps to Address CVE-2024-3094

ThreatIntelligenceLab.com

CVE-2024-3094 has been identified as a severe vulnerability within XZ Utils. The widely used XZ format compression utilities are found in most Linux distributions.

This vulnerability could enable malicious actors to bypass sshd authentication [1], paving the way for unauthorized remote system access.

What Happened?

The heart of the issue lies in versions 5.6.0 and 5.6.1 of the xz libraries, where malicious code was found.

Andres Freund, a PostgreSQL developer at Microsoft, stumbled upon this discovery unexpectedly. He noticed abnormal behavior in liblzma (a component of the xz package) on Debian sid installations.

Through his investigation, Freund revealed that the xz repository and tarballs had been compromised, embedding a backdoor into the software [2].

Understanding CVE-2024-3094

The malicious injection within the compromised library versions is notably obfuscated, hinting at a deliberate attempt to avoid detection.

The compromised code affects the build process of the liblzma library, leading to alterations in how the library interacts with data.

This, in turn, could meddle with the authentication processes in sshd via systemd.

It is seen as an exploitation vector that could grant attackers extensive access to the system.

Here are a few steps to mitigate and investigate CVE-2024-3094:

  • Immediate Review and Update: Assess your systems for the affected XZ Utils versions and downgrade them immediately to 5.4.6.
  • Monitor for Anomalies: Keep a vigilant eye on system logs and authentication mechanisms. Anomalies in these areas could indicate exploitation attempts or success.
  • Embrace a Culture of Security: Reinforce the necessity for a security-first mindset.
  • Engage with the Security Community: Share insights and collaborate on threat intelligence.
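The first step above, assessing a host for the affected releases, is easy to automate. The script below is an added example, not code from the original article: it classifies an xz version string against the two backdoored releases named in the text (5.6.0 and 5.6.1), parses the first line of `xz --version` output, and, when invoked with `--run`, also checks whether the local sshd binary loads liblzma (directly or through libsystemd, the path the article describes). It assumes a POSIX shell and, for the live check only, that `xz`, `sshd` and `ldd` are present.

```shell
#!/bin/sh
# Added example (not part of the original article): spot the affected
# XZ Utils releases and see whether sshd pulls in liblzma at all.

# Return 0 when the version is one of the two backdoored releases.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version out of `xz --version` text, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the text as an argument so it
# can be exercised offline on constructed input.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the sshd binary's loaded libraries include liblzma
# (returns 2 when sshd is not installed). liblzma normally reaches sshd
# indirectly via libsystemd, which is why ldd output is what to inspect.
sshd_links_liblzma() {
    sshd_path="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
    [ -x "$sshd_path" ] || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Live check of this host: version of the installed xz plus the sshd link.
check_system() {
    if command -v xz >/dev/null 2>&1; then
        ver="$(parse_xz_version "$(xz --version 2>/dev/null)")"
        if is_affected_version "$ver"; then
            echo "xz $ver is an affected release: downgrade to 5.4.6"
        else
            echo "xz $ver is not one of the affected releases"
        fi
    else
        echo "xz is not installed"
    fi
    if sshd_links_liblzma; then
        echo "sshd links liblzma (directly or via libsystemd): review this host"
    else
        echo "sshd does not link liblzma, or sshd is not installed"
    fi
}

# Only touch the live system when explicitly asked: sh check_xz.sh --run
if [ "${1:-}" = "--run" ]; then
    check_system
fi
```

The version match is deliberately exact rather than a range comparison: the article names two specific releases, and a distribution that ships a patched 5.6.x build would otherwise be flagged by mistake. An sshd that links liblzma is not proof of compromise on its own; it only tells you the host has the dependency chain the backdoor relied on, so the version check is what decides.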


Read more about CVE-2024-3094

NIST on CVE-2024-3094

CISA on CVE-2024-3094

SYSDIG on CVE-2024-3094

  1. https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/
  2. https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
