Is the XZ Utils CVE-2024-3094 as bad as we fear?

TL;DR

• The attack is believed to be a nation-state level attack, and only the rogue developer and groups with which the compromised key has been shared would be able to gain access. As such, CVE-2024-3094 is not likely to be widely exploited.
• Check Linux systems that expose SSH to the internet for affected versions of 'xz-utils', downgrade the version and restart the 'sshd' service.
• Remain vigilant of any further developments or other impacted services. This post will be updated if any such items appear.

What is xz-utils CVE-2024-3094?

Over the Easter weekend (29 March - 1 April 2024) a major vulnerability within 'xz-utils' was identified, the likes of which that hasn't been seen before. Unlike other vulnerabilities, this one appears to have been deliberately added by a maintainer of the project. This apparently reckless act has grabbed everyone's attention within the security community.

CVE-2024-3094 allows for an unauthenticated attacker to gain control over a server which has SSH exposed to the internet, which is as bad as a vulnerability can get. However, thankfully there is some good news - it was caught before it propagated throughout all major Linux distributions.

How did the xz-utils vulnerability (CVE-2024-3094) happen?

The more that people look at CVE-2024-3094 and the chain of events that lead up to its discovery, the more people are really understanding how sophisticated this attack is.

'xz-utils' is an open-source piece of software that is used for compression. It is utilized by many other applications and is considered trusted by the community. The application is fairly ubiquitous as it is included within almost all distributions of Linux.

The 'xz-utils' project has been maintained by a single developer over the years (with contributions from others). The maintainer at the center of this backdoor, Jia Tan (JiaT75), built up credibility over multiple years (since 2021), earning themselves a position as the project's second maintainer in 2022. Over time, the developer contributed to the project with meaningful updates and patches. However, some of these implementations are now thought by the community to be precursors that allowed for the insertion of the backdoor code into the project, by turning off key defenses.

In February of 2024, the developer added in the backdoor code which is at the heart of CVE-2024-3094. This backdoor file was heavily obfuscated and disguised as a testing file for the project, however it is now known that this file was never used in any unit tests within the project.

This sophisticated backdoor targets the interaction between an OpenSSH server and 'xz-utils', by hijacking the authentication step. The backdoor will only respond to a single private key which is currently only known by the attacker, and the backdoor also includes a killswitch that allows the attacker to turn the vulnerability off.

The saving grace for the internet as a whole came from Andres Freund who raised the alarm. He was able to spot this early and raise his concerns to the right people which prevented the mass-proliferation of what could've been one of the worst vulnerabilities to make it out into the world.

A more complete timeline can be found within the additional reading section at the bottom of this page.

What systems are at risk?

A number of conditions need to be met for a system to be vulnerable. At the time of writing this post, the following conditions must be met:

• Have version '5.6.0-5.6.1' of xz-utils installed - note that this mostly affects unstable branches of the main Linux distributions that are used in a server capacity. You can check if your distribution is affected by examining the repology page for xz
• Using a distribution of Linux that utilizes 'systemd'
• Exposes a publicly accessible instance of 'sshd'

What do I need to do?

As it currently stands, we advise checking for installed versions of 'xz' and ensuring that they are not '5.6.0-5.6.1'. The recommendation is to downgrade the version of 'xz-utils' and restart the 'sshd' service if you are.

If you are not using these versions, then there is no further action to be taken at present. We recommend keeping an eye on developments as they happen, as such this post will be updated with any pertinent information.

Additional reading and research

• An incredibly well put together timeline by Russ Cox which outlines the long buildup to the discovery this past weekend: https://research.swtch.com/xz-timeline
• Fantastic technical analysis put together by Sam James: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27‍
• A handy page for checking if your OS is utilizing an affected version: https://repology.org/project/xz/versions‍
• An exploit demo with a modified known key to show what is possible and a honeypot: https://github.com/amlweems/xzbot‍
• Research into the presence of a killswitch: https://gist.github.com/sgammon/ec604c3fabd1a22dd3cdc381b736b03e‍

‍Changelog

02/04/2024 1500hrs - Initial Post

‍