Latest CVE-2024-3094 (XZ Utils backdoor) coverage #
Andres Freund discovered a malicious backdoor in a recent revision of the XZ Utils package. This backdoor was introduced by a threat actor who spent years building trust in the open source community before taking over maintenance of the XZ Utils project. After gaining access as a maintainer, the threat actor introduced the malicious code in multiple obfuscated steps. This backdoor could allow the threat actor to run arbitrary commands without authentication through the OpenSSH daemon.
CVE-2024-3094 is rated critical with CVSS score of 10.0.
An overview of this issue can be found at ArsTechnica.
Russ Cox published a detailed timeline.
What is the impact? #
Successful exploitation of this backdoor would allow the actor responsible to run arbitrary system commands without authentication.
Anthony Weems built a fantastic proof-of-concept and demo kit for reproducing the backdoor.
Are updates or workarounds available? #
This backdoor was enabled when a build was run on an x86_64 (amd64) system that was building a Debian "DEB" or Red Hat "RPM" package. The issue was caught prior to widespread release and the list of affected distributions is small as a result.
The following distributions shipped a combination of packages that resulted in a backdoored SSH daemon:
- Red Hat Fedora Linux (Rawhide)
- Debian Linux (unstable and testing builds)
- Kali Linux (rolling release)
- OpenSUSE Linux (Tumbleweed & MicroOS)
Additional information about this issue can be found across the web and in various distribution-specific trackers:
How to find potentially affected systems with runZero #
The runZero team is investigating whether a direct check against SSH is possible.
In the meantime, we suggest using this runZero Service Inventory query:
_asset.protocol:ssh protocol:ssh (banner:="SSH-2.0-OpenSSH_9.6" OR banner:="SSH-2.0-OpenSSH_9.6p1%Debian%" OR banner:="SSH-2.0-OpenSSH_9.7p1%Debian%")This query is based on the following logic:
1. Identify any instances of Fedora Rawhide or OpenSUSE Tumbleweed & MicroOS in your environment. The easiest way to find potentially affected installations is to look for OpenSSH servers running version 9.6, which is a recent release specific to those rolling distributions.
2. Identify any instances of Debian or Kali rolling builds. The easiest way to do this is by looking for recently-released (9.6 & 9.7) Debian-flavored OpenSSH services, as these packages were shipped in the Debian unstable and Kali Linux rolling releases.
