Full Report
Detect and mitigate CVE-2024-3094, a critical supply-chain compromise affecting the XZ Utils data-compression library. Organizations should patch urgently.
Analysis Summary
# Vulnerability: XZ Utils Supply Chain Backdoor Leading to RCE via SSH
## CVE Details
- CVE ID: CVE-2024-3094
- CVSS Score: Not stated in the source material. NVD and Red Hat rate it **10.0 (Critical)** under CVSS v3.1 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): network-reachable, pre-authentication code execution with a scope change.
- CWE: CWE-506 (Embedded Malicious Code), as assigned by NVD. CWE-77 and CWE-116 do not fit: the weakness is deliberately planted code, not a failure to neutralize input, and the eventual `system()` call is the payload's effect rather than the flaw.
## Affected Systems
- Products: XZ Utils (the `liblzma` library and `xz` tools) as packaged by several Linux distributions. The practical exposure is OpenSSH's `sshd` on distributions whose OpenSSH carries the systemd notification patch, because that patch links `sshd` against `libsystemd`, which in turn loads the compromised `liblzma`.
- Versions: XZ Utils versions **5.6.0** and **5.6.1**.
- Debian: `5.5.1alpha-0.1` up to and including `5.6.1-1` (stable versions unaffected).
- Kali Linux: Installations updated between March 26 and March 29, 2024, which received package version `5.6.0-0.2`.
- OpenSUSE: Versions `5.6.0`, `5.6.1` on Tumbleweed (prior to rollback).
- Alpine: `5.6.0`, `5.6.0-r0`, `5.6.0-r1`, `5.6.1`, `5.6.1-r0`, `5.6.1-r1`.
- Arch Linux: Installation media (2024.03.01), VM images, and container images created between 2024-02-24 and 2024-03-28.
- Configurations: The backdoor is only built into `liblzma` when the build runs from the tampered release tarball (the added M4 macro is absent from the Git tree), targets x86-64 Linux with glibc, and is being packaged with Debian or RPM tooling; source builds outside those conditions produce a clean library. At runtime the hook is reachable only through `sshd` processes that load `liblzma`, which on the affected distributions happens via the systemd notification patch (`sshd` -> `libsystemd` -> `liblzma`); upstream OpenSSH links neither library.
## Vulnerability Description
CVE-2024-3094 is a supply-chain backdoor hidden in the XZ release tarballs starting with version 5.6.0. The trigger is a modified `m4/build-to-host.m4` macro present only in the distributed tarballs, not in the Git repository; at the `configure` stage it extracts and runs an obfuscated script carried inside two binary test files under `tests/files/`.
The script checks that the build targets x86-64 Linux and is being packaged by Debian or RPM tooling. If so, it links a pre-built malicious object into `liblzma`. That object gains execution through `liblzma`'s GNU IFUNC resolvers, which run when the library is loaded, and uses that early hook to patch the host process's dynamic-linker state so that the `RSA_public_decrypt@....plt` symbol (OpenSSL's `RSA_public_decrypt`, as called by `sshd`) resolves to the backdoor's code instead.
When `sshd` handles RSA public-key authentication, the hijacked function runs before the client has authenticated. The backdoor looks for a payload hidden in the modulus of the RSA public key the client presents, decrypts it, and verifies an Ed448 signature against a public key embedded in the backdoor. Only if the signature checks out is the payload passed to `system()`, giving **Remote Code Execution (RCE)** inside the `sshd` process (typically as root) before any authentication succeeds.
## Exploitation
- Status: **Demonstrated.** Public analysis reproduces the full RCE path, but a payload must carry a valid Ed448 signature, so the backdoor as shipped is usable only by the holder of the attacker's private key; public demonstrations swap in their own key pair. The intended vector is a crafted RSA public key presented during SSH public-key authentication.
- Complexity: **High** (Due to complex obfuscation and precondition checks required for the backdoor to be successfully built into the `liblzma` library).
- Attack Vector: **Network** (Exploited remotely over SSH).
## Impact
- Confidentiality: **High** (RCE allows full system compromise).
- Integrity: **High** (RCE allows arbitrary data modification or system destruction).
- Availability: **High** (RCE allows denial of service or complete system takeover).
## Remediation
### Patches
Vendors have released fixed versions, generally rolling back to a safe state or patching specifically:
- Debian: Fixed in version `5.6.1+really5.4.5-1`.
- Alpine: Fixed in versions `5.6.0-r2` or `5.6.1-r2`.
- Arch Linux: Fixed in version `5.6.1-2`.
- OpenSUSE: Snapshot `20240328` or later.
- Red Hat/Fedora: Fedora 41 and Rawhide users were advised to stop using those builds immediately until updated packages landed; RHEL is explicitly stated as *not* affected.
### Workarounds
- Downgrade the `xz` or `xz-utils` package to a known-safe, older version (e.g., 5.4.x series, if available for the distribution).
- Rebuild the affected packages from the XZ Git repository rather than the release tarballs: the Git tree lacks the modified `build-to-host.m4`, so even the 5.6.x tags build a clean `liblzma` (the approach several distributions used for their fixed revisions, which therefore keep the 5.6.x upstream version number).
## Detection
- Indicators of compromise (IOCs) are scarce: a crafted key exchange leaves nothing on disk, and the backdoor includes logic that interferes with `sshd`'s logging of the attempt.
- **Detection Methods:**
- Inventory: Identify every system with `xz`/`liblzma` 5.6.0 or 5.6.1 installed, and remember that distribution packages rebuilt from Git (Alpine `-r2`, Arch `5.6.1-2`) keep the 5.6.x upstream number, so the package revision, not just the upstream version, decides the verdict.
- Reachability: Check whether `sshd` actually loads `liblzma` (`ldd /usr/sbin/sshd | grep liblzma`, or `/proc/<pid>/maps` of a running `sshd`); without that link the hook cannot be reached, although the library itself is still compromised and must be replaced.
- Behavioural analysis: The payload runs through `system()`, so a shell spawned by a pre-authentication `sshd` process is anomalous and worth alerting on; do not rely on `sshd` authentication logs alone, since the backdoor tampers with them.
- Static analysis: Audit build environments for the modified `build-to-host.m4` by diffing the tarball's `m4/` directory against the Git tree before any `configure` run, and treat any tarball-only M4 changes as a blocker.
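The inventory and reachability checks above, as an added example that is not part of this advisory or of the XZ project. It classifies version strings the way a practitioner has to (the upstream release inside a distro package, Debian's `+really` naming, and the Alpine/Arch fix revisions listed in the Remediation section) and, when run with `XZ_SCAN=1`, inspects the local host. Assumed, not taken from the advisory: `xz --version` prints `xz (XZ Utils) <ver>` then `liblzma <ver>`, `sshd` lives at `/usr/sbin/sshd`, and `ldd`/`pgrep` are available. Treating distro revisions later than the listed fix revision as clean is also an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or the XZ project): triage a host for
# the backdoored xz/liblzma releases and for the sshd -> libsystemd -> liblzma
# link the backdoor needs to reach RSA_public_decrypt.
# Assumptions, not taken from the advisory: `xz --version` prints
# "xz (XZ Utils) <ver>" then "liblzma <ver>"; sshd is /usr/sbin/sshd; ldd and
# pgrep exist. Set XZ_SCAN=1 to scan the local host.
set -u

# Pull the first dotted version number out of a line such as
# "xz (XZ Utils) 5.6.1", "liblzma 5.4.6" or a package string "5.6.0-r1".
version_field() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*[0-9]\).*$/\1/p'
}

# Reduce a distribution package version to the upstream release it contains.
# Debian's fix is named "5.6.1+really5.4.5-1": the "+really" convention means
# the tarball actually shipped is the one after it, so the answer is 5.4.5.
upstream_of() {
    case "$1" in
        *+really*) version_field "${1#*+really}" ;;
        *)         version_field "$1" ;;
    esac
}

# 0 when the upstream release is one of the two backdoored ones (5.6.0, 5.6.1).
# A hit is a trigger to consult the distro advisory, not proof of compromise:
# Alpine 5.6.x-r2 and Arch 5.6.1-2 keep the 5.6.x number but were rebuilt
# from the clean git tree.
upstream_affected() {
    case "$(upstream_of "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Package-level verdict using the fix revisions the advisory lists.
# Usage: classify_package <debian|alpine|arch|kali|other> <package version>
# Prints: backdoored | rebuilt-clean | clean
# Assumption: revisions after the listed fix revision stay clean.
classify_package() {
    distro="$1"; pkg="$2"
    case "$distro:$pkg" in
        alpine:5.6.0-r[2-9]*|alpine:5.6.1-r[2-9]*|arch:5.6.1-[2-9]*)
            echo rebuilt-clean; return 0 ;;
    esac
    if upstream_affected "$pkg"; then
        echo backdoored
    else
        echo clean
    fi
}

# Local host scan: versions reported by the installed xz, then whether sshd
# (on disk and as a running process) has liblzma in its address space.
scan_host() {
    if command -v xz >/dev/null 2>&1; then
        xz --version | while IFS= read -r line; do
            if upstream_affected "$line"; then
                echo "AFFECTED  $line"
            else
                echo "ok        $line"
            fi
        done
    fi
    sshd=/usr/sbin/sshd
    if [ -x "$sshd" ]; then
        if ldd "$sshd" 2>/dev/null | grep -q liblzma; then
            echo "sshd links liblzma (via libsystemd): exposed if liblzma is 5.6.x"
        else
            echo "sshd does not link liblzma: the RSA_public_decrypt hook is unreachable"
        fi
    fi
    if command -v pgrep >/dev/null 2>&1; then
        for pid in $(pgrep -x sshd || true); do
            if grep -q liblzma "/proc/$pid/maps" 2>/dev/null; then
                echo "running sshd pid $pid has liblzma mapped"
            fi
        done
    fi
}

if [ "${XZ_SCAN:-0}" = 1 ]; then
    scan_host
fi
```

Run it as `XZ_SCAN=1 sh xz-triage.sh` on each host from the inventory; feed `dpkg-query -W -f='${Version}' xz-utils`, `apk info -v xz` or `pacman -Q xz` output into `classify_package` for the package-level verdict. A `rebuilt-clean` or `clean` result for the package does not excuse a still-present 5.6.x `liblzma` elsewhere on the system (containers, vendored copies), so the version scan and the package check are complementary.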
## References
- CISA advisory: hxxps://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- Debian advisory: hxxps://lists.debian.org/debian-security-announce/2024/msg00057.html
- RedHat advisory: hxxps://access.redhat.com/security/cve/CVE-2024-3094
- Arch Linux advisory: hxxps://archlinux.org/news/the-xz-package-has-been-backdoored/