A secret backdoor was accidentally discovered in Linux XZ Utils (CVE-2024-3094) 


The open-source world is on alert: a vulnerability with a CVSS rating of 10 affects Linux-based distributions such as Debian, Kali, and others. It is a highly sophisticated, carefully orchestrated threat on the level of ‘log4shell’, and cybersecurity experts and researchers are still working out how it operates.

The xz backdoor, tracked as CVE-2024-3094, has been assigned critical severity with a CVSS rating of 10 (the highest). It affects Debian and Red Hat, both widely used Linux distributions, which makes it dangerous.

According to experts, the backdoor is the result of an attacker or attackers spending years working on it and keeping it hidden. Some experts even speculate that it was made possible by xz Utils going a long time without frequent, quick updates.

What is the XZ Utils? 

XZ Utils is a widely used compression tool that is available on most distributions of Linux and on Unix operating systems. It comprises open-source tools and libraries for compressing and decompressing the XZ format.

What is the security bug, and how was it found? 

Here is a jargon-free explanation:

Imagine a long-running café run by its founder, who is also a barista. It is known for its wide range of beverages. At some point, a new barista joins the café and helps it become successful. After some years, however, a cashier working at the café accidentally notices suspicious activity: some of the condiments are missing, the bill for supplies is increasing, and so on. That is how they learn that something is going wrong, and at a large scale.

The xz backdoor was discovered accidentally by a Microsoft developer named Andres Freund, who was troubleshooting problems on a Debian system, specifically with SSH, which is used to log in remotely to devices connected to the internet.

He found that, upon logging in, Valgrind (which is used to monitor memory consumption) generated multiple errors, and that the login was consuming a high number of CPU cycles.

Digging into the problem, he found that a recent update to xz Utils had caused this behavior, and that it was the work of a malicious actor intentionally planting a backdoor in the xz Utils software. On the 29th of March, he officially informed the open-source community about the backdoor found in xz/liblzma 5.6.0 and 5.6.1.

What threat does the xz backdoor pose? 

According to experts who have reverse-engineered the backdoor in order to develop patches and updates, it allows attackers to bypass and control sshd, the service responsible for SSH-based connections, which in turn allows them to execute malicious commands.

The backdoor uses a five-stage loader that employs techniques to camouflage itself and to accept new malicious payloads without the need for multiple changes. The actual code that the attacker wanted to run is unknown, but the backdoor could be used to steal encrypted keys and install malicious software.

Had it not been discovered early, it would have been one of the biggest carefully orchestrated attacks, impacting millions of Linux-based systems worldwide.

SharkStriker’s recommendations and actions 


  • Users who have installed or upgraded to the latest version are advised to downgrade immediately to an earlier version, such as 5.4.6
  • Users with affected distributions are advised to change all associated credentials that threat actors could have stolen from the system


  • SharkStriker has issued a detailed advisory to all its partners and customers warning about the said vulnerability 
  • The SOC team has been continuously monitoring for further developments in the threat landscape 
  • A campaign to check/identify the base version of Linux/Container/AMI has been initiated
  • Comprehensive security audits have been conducted to identify and remediate potential vulnerabilities  
  • The team has developed detection rules against CVE-2024-3094 
  • Customers can access the STRIEGO platform dashboards to keep track of their cybersecurity posture 
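
The version check behind the downgrade recommendation and the base-version campaign above can be scripted. The following is an added example, not SharkStriker's tooling or code from the original post: it flags the two versions the post names (5.6.0 and 5.6.1) in `xz --version` output and notes whether sshd loads liblzma. The function names and the `xz_triage.sh` file name are hypothetical.

```shell
#!/bin/sh
# Added example (not SharkStriker's tooling): triage a host for the
# xz/liblzma versions this post names as backdoored.

AFFECTED_VERSIONS="5.6.0 5.6.1"   # taken from the post

# Pull every x.y.z version number out of text on stdin, one per line.
extract_versions() {
    grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | sort -u
}

# Exit 0 if version $1 is on the affected list, 1 otherwise.
is_affected() {
    for av in $AFFECTED_VERSIONS; do
        [ "$1" = "$av" ] && return 0
    done
    return 1
}

# Classify `xz --version` style output passed as $1. Prints "affected" if
# the xz or the liblzma line matches, "not-listed" if versions were found
# but none match, and "unknown" if no version could be parsed.
classify_xz_output() {
    result="unknown"
    for v in $(printf '%s\n' "$1" | extract_versions); do
        if is_affected "$v"; then
            echo "affected"
            return 0
        fi
        result="not-listed"
    done
    echo "$result"
}

# Exit 0 if `ldd` output on stdin shows liblzma being loaded.
links_liblzma() {
    grep -q 'liblzma\.so'
}

# Check the local host. Run as: sh xz_triage.sh --host
check_host() {
    if command -v xz >/dev/null 2>&1; then
        echo "xz: $(classify_xz_output "$(xz --version 2>/dev/null)")"
    else
        echo "xz: not installed"
    fi
    sshd_bin=$(command -v sshd 2>/dev/null) || return 0
    if ldd "$sshd_bin" 2>/dev/null | links_liblzma; then
        echo "sshd loads liblzma: confirm the library version reported above"
    fi
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

The script matches exact version numbers in `xz --version` output only; a distribution package version string should be compared against that distribution's own advisory.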

