CVE-2024-3094: malicious code in Linux distributions | Kaspersky official blog

CVE-2024-3094: malicious code in Linux distributions | Kaspersky official blog

Unknown actors implanted malicious code into the versions 5.6.0 and 5.6.1 of the open source compression tools set XZ Utils. To make matters worse, Trojanized utilities managed to find their way into several popular builds of Linux released this March, so this incident could be regarded as a supply chain attack. This vulnerability has been assigned the number CVE-2024-3094.

What makes this malicious implant so dangerous?

Initially, various researchers claimed that this backdoor allowed attackers to bypass the sshd (the OpenSSH server process) authentication, and remotely gain unauthorized access to the operating system. However, judging by the latest information, this vulnerability should not be classified as an “authentication bypass”, but as a “remote code execution” (RCE). The backdoor intercepts the RSA_public_decrypt function, verifies the host’s signature using the fixed key Ed448 and, if verified successfully, executes malicious code passed by the host via the system() function, leaving no traces in the sshd logs.

Which Linux distributions contain malicious utilities and which are safe?

It is known that XZ Utils versions 5.6.0 and 5.6.1 were included in the March builds of the following Linux distributions:

Kali Linux, but according to the official blog, only those that were available between March 26 and March 29 (the blog also contains instructions for checking for vulnerable versions of utilities);
openSUSE Tumbleweed and openSUSE MicroOS, available from March 7 to March 28;
Fedora 41, Fedora Rawhide and Fedora Linux 40 beta;
Debian (testing, unstable and experimental distributions only);
Arch Linux – container images available from February 29 to March 29. However, the website states that due to the implementation peculiarities this attack vector will not work in Arch Linux, but they still strongly recommend updating the system.

According to official information, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise, openSUSE Leap, Debian Stable are not vulnerable. As for other distributions it is advised to check them for the presence of Trojanized versions of XZ Utils manually.

How did the malicious code was implanted into the XZ Utils?

Apparently, it was the usual case of control transfer. The person who initially maintained the XZ Libs project on GitHub passed control of the repository to the account, which has been contributing to a number of repositories related to data compression for several years. And at some point, new maintainer implanted a backdoor to the project code.

How to stay safe?

The US Cybersecurity and Infrastructure Security Agency (CISA) recommends anyone who installed or updated affected operating systems in March to downgrade XZ Utils to an earlier version (for example, version 5.4.6) immediately. And also to start hunting for malicious activity.

If you have installed a distribution with a vulnerable version of XZ Utils, it also makes sense to change all credentials which could potentially be stolen from the system by the threat actors.

You can detect the presence of a vulnerability using the Yara rule for CVE-2024-3094.

Kaspersky official blog – ​Read More