How to find systems impacted by CVE-2024-3094 (XZ Utils backdoor)

Updated

Latest CVE-2024-3094 (XZ Utils backdoor) coverage #

Andres Freund discovered a malicious backdoor in a recent revision of the XZ Utils package. This backdoor was introduced by a threat actor who spent years building trust in the open source community before taking over maintenance of the XZ Utils project. After gaining access as a maintainer, the threat actor introduced the malicious code in multiple obfuscated steps. This backdoor could allow the threat actor to run arbitrary commands without authentication through the OpenSSH daemon.

CVE-2024-3094 is rated critical with CVSS score of 10.0.

An overview of this issue can be found at ArsTechnica.

Russ Cox published a detailed timeline.

What is the impact? #

Successful exploitation of this backdoor would allow the actor responsible to run arbitrary system commands without authentication.

Anthony Weems built a fantastic proof-of-concept and demo kit for reproducing the backdoor.

Are updates or workarounds available? #

This backdoor was enabled when a build was run on an x86_64 (amd64) system that was building a Debian "DEB" or Red Hat "RPM" package. The issue was caught prior to widespread release and the list of affected distributions is small as a result.

The following distributions shipped a combination of packages that resulted in a backdoored SSH daemon:

Additional information about this issue can be found across the web and in various distribution-specific trackers:

How to find potentially affected systems with runZero #

The runZero team is investigating whether a direct check against SSH is possible.

In the meantime, we suggest using this runZero Service Inventory query:

_asset.protocol:ssh protocol:ssh (banner:="SSH-2.0-OpenSSH_9.6" OR banner:="SSH-2.0-OpenSSH_9.6p1%Debian%" OR banner:="SSH-2.0-OpenSSH_9.7p1%Debian%")

This query is based on the following logic:

1. Identify any instances of Fedora Rawhide or OpenSUSE Tumbleweed & MicroOS in your environment. The easiest way to find potentially affected installations is to look for OpenSSH servers running version 9.6, which is a recent release specific to those rolling distributions.

2. Identify any instances of Debian or Kali rolling builds. The easiest way to do this is by looking for recently-released (9.6 & 9.7) Debian-flavored OpenSSH services, as these packages were shipped in the Debian unstable and Kali Linux rolling releases.

Written by HD Moore

HD Moore is the co-founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.
More about HD Moore

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

More about Rob King

Written by Tom Sellers

More about Tom Sellers
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Rapid Response
How to find Palo Alto Network firewalls running PAN-OS 11.1, 11.0, and 10.2
Palo Alto Networks disclosed that versions of their PAN-OS software have a vulnerability allowing for remote command injection. Here's how to find...
Rapid Response
How to find CrushFTP services
CrushFTP disclosed that versions of their file transfer software have a vulnerability allowing unauthenticated file system access. Here's how to...
Rapid Response
How to find outdated lighttpd services
Outdated versions of the open source lighttpd web server are vulnerable to a handful of security vulnerabilities
Rapid Response
How to find D-Link NAS Storage devices
D-Link has disclosed multiple vulnerabilities in their D-Link NAS Storage products. Here's how to find potentially impacted devices.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved