Malicious code creating a backdoor was recently discovered in XZ Utils, an essential compression utility included in many Linux distributions. This could allow a very specific malicious actor to gain full control of an affected host. BreachRisk cannot detect this threat. (CVE-2024-3094)
Background
XZ Utils is a package included in various major Linux distributions that handle the compressing/decompressing of .xz files. This package is essential as it is not only used in Linux distributions, but also serves as a dependency for a number of other Linux packages.
Red Hat warned on Friday, March 28, 2024 that malicious code was introduced into the publicly available download package for versions 5.6.0 and 5.6.1. The malicious code modifies an existing component of the XZ Utils package, providing unauthenticated access to the system. This issue is being tracked by the National Vulnerability Database as CVE-2024-3094.
BreachBits has analyzed this threat and, at the time of publication, this threat cannot be detected by BreachRisk™ services.
Impact and Likelihood
According to the National Vulnerability Database, a successful attack has a high impact to all data and processes on the target computer, confidentiality, integrity, and availability. Hosts running a vulnerable version of the XZ Utils package could provide an attacker total unauthenticated access via the ssh service.
For a specific group of attackers, likelihood is high. Research currently shows that only the attackers responsible for the malicious code have the information needed to obtain access via the backdoored version of the package. However, as this issue develops over time it is possible the issue becomes more widespread.
Affected Applications
Linux has confirmed that Fedora Rawhide, Fedora Linux 40 beta , openSUSE Tumbleweed, openSUSE MicroOS, Kali Linux, and Arch Linux are all affected. Debian and Ubuntu announced that no release contains the vulnerable package. However, it is recommended all Linux users verify the XZ package version as it is a dependency for many other libraries included with the OS.
What we are doing
BreachBits has analyzed this threat and, at the time of publication of this article, this threat cannot be detected by BreachRisk™ services. Our team will continue to monitor this issue and will notify customers if the situation changes.
As details of attack methods continue to become available, we expect attackers of lower skill levels or from different groups may gain access to the special keys required to execute this attack.
What You Should Do
We do not expect to be able to assist your security team in detecting or testing for this issue, but you should continue your risk management process.
Consider taking the following actions, especially if you are not a BreachRisk™ customer.:
Identify if the threat is present on your systems.
Pinpoint where you are affected.
Consider how your business would be impacted if the affected element were to be shut down, breached, or taken over by an attacker.
Determine if this risk is significant enough to divert resources from other efforts, and make a decision to attempt a fix or not.
If you attempt to fix, follow up to verify the fix was applied. You may need to repeat this cycle as more information emerges.
Now that the vulnerability is public, be on the lookout for further guidance from software developers and security firms.
What Happens Next
Lower skilled attackers may develop ways to exploit this vulnerability.
We will continue to monitor this issue and update this web log if the situation changes.
Further Reading and What We're Reading
Update Log
02 Apr 2024: Published