Menu
What's new
By:
Filters Better Search

CVE-2024-3094 - XZ Utils Backdoor - addtional info

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

sfx2000

sfx2000

Part of the Furniture
This had some traction over in AsusWRT-Addon's thread... I would post there, but the thread was closed.

www.snbforums.com

Entware - Backdoor in linux XZ utils on Linux distros.

https://www.phoronix.com/news/XZ-CVE-2024-3094 Whomp whomp 😑 *Doesn't appear to be incorporated into Asuswrt-Merlin. 5.4.6-1 xz is a entware however “Some malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access.” Earlier versions should be safe however xz...
www.snbforums.com www.snbforums.com

A couple of good write ups and analysis for this CVE are below

Everything I know about the XZ backdoor

Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries
boehs.org

and..


The boehs.org post has a lot of good back story, esp on how someone was able to gain trust thru a number of means, well before inserting the backdoor.

The second post is far more technical, but also shows the dependencies - e.g. has to be a systemd enabled build, with glibc, and x86-64, along with OpenSSH (sshd)

Where my interest was - OpenWRT, looks like formal releases were not impacted, but SNAPSHOT buillds off MASTER did include the impacted version of xz-utils, this was rolled back on Friday for MASTER...

Code: 
commit d4b6b76443207103d3a7c0eae5c0085317fb584f
Author: Petr Štetiar <ynezz@true.cz>
Date:   Fri Mar 29 16:59:01 2024 +0000

    Revert "tools/xz: update to 5.6.1" (CVE-2024-3094)

    This reverts commit 714c91d1a63f29650abaa9cf69ffa47cf2c70297 as probably
    the upstream xz repository and the xz tarballs have been backdoored.

    References: https://www.openwall.com/lists/oss-security/2024/03/29/4.
    Signed-off-by: Petr Štetiar <ynezz@true.cz>

AsusWRT isn't impacted, and I believe that Entware is safe as well - here's OpenWRT's official response to the CVE

forum.openwrt.org

Project statement about xz 5.6.1 (CVE-2024-3094)

Hi, tl;dr OpenWrt seems to be not affected by the CVE-2024-3094 As you may be aware, malicious code was identified in the xz upstream tarballs starting from version 5.6.0. The development snapshots of OpenWrt were utilizing this compromised library version. Fortunately, the snapshots builds...
forum.openwrt.org forum.openwrt.org
 
Last edited:
What I haven't been able to figure out is if there is a patch available. Since the project was disabled (in GitHub), how can a patch be rolled out?
 
Isn't that all you need to know?

Seems like it's answered to me.
 
Justinh said:
What I haven't been able to figure out is if there is a patch available. Since the project was disabled (in GitHub), how can a patch be rolled out?
Click to expand...

It's a roll-back to the last known good release.
 
techcommunity.microsoft.com

Microsoft FAQ and guidance for XZ Utils backdoor

Latest information about XZ Utils vulnerability and guidance on how to assess your potential exposure.
techcommunity.microsoft.com
github.com

GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)

notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) - amlweems/xzbot
github.com github.com

[Arch Linux, Debian, Kali Linux, Opensuse, Fedora]

Script for Testing:
github.com

scripts/xz_cve-2024-3094-detect.sh at main · cyclone-github/scripts

Scripts by cyclone to automate tasks. Contribute to cyclone-github/scripts development by creating an account on GitHub.
github.com github.com
 
Canonical has pushed the most beta release for 24.04 out a week to basically rebuild the entire release...

24.04 is an LTS release, and it's still scheduled for production release on April 25, 2024 - but if we have to go thru another beta run this late into the release cycle, it could push things out.

Ubuntu is also upstream for a lot of other releases as well...

Something like this is a release manager's nightmare and can be a headache for folks that do the CI/CD pipelines for things using Docker and VM's (since ubuntu server images need QA time before release into production)
 
sfx2000 said:
Canonical has pushed the most beta release for 24.04 out a week to basically rebuild the entire release...

24.04 is an LTS release, and it's still scheduled for production release on April 25, 2024 - but if we have to go thru another beta run this late into the release cycle, it could push things out.

Ubuntu is also upstream for a lot of other releases as well...

Something like this is a release manager's nightmare and can be a headache for folks that do the CI/CD pipelines for things using Docker and VM's (since ubuntu server images need QA time before release into production)
Click to expand...
THANKS FOR THE DAILY DOSE OF GOOD NEWS
 
jerry6 said:
THANKS FOR THE DAILY DOSE OF GOOD NEWS
Click to expand...

Wish I had better news...

As this whole thing unravels, there's a lot of packages that static link over to the xz-utils package across many distributions...

Good news - not everyone linked to the impacted versions, and what I'm seeing now in embedded land, is a migration away from xz-utils in general for alternatives...
 
As folks roll into this - this style of supply chain attacks is going to be a problem moving forward...

linuxsecurity.com

xz-style Attacks Continue to Target Open-Source Maintainers | LinuxSecurity.com

What Targeted Threats Have Been Identified Targeting Open-Source Maintainers? The emails were sent f
linuxsecurity.com linuxsecurity.com

One of the issues with xz-utils is that the backdoor wasn't in the repo itself - it was in the tarball download, so if one unpacked the tarball, you could be backdoored - it was very clever how that was done.

Supply chain has always been a concern - whether it's Python PIP, PHP-Pear, Perl, etc - and then the binary things like entware where it's precompiled - much less APT/YUM etc...

I'm sure that there is a lot of navelgazing going on right now - source code is one thing - the "thousand eyes" approach I presume....

But in the words of Saul Goodman (better call saul - great series) - someone having bad intent - they don't need to get everyone to agree on a commit, just one...

and that is the problem... once the code is there, everyone assumes it's good to go...

Dropbear, Busybox, and dnsmasq - those are the golden keys... let's hope that the maintainers do the right thing.
 
I am counting on Pfsense to keep me safe. They have a lot of resources right now. Hopefully their testing will find issues if they exist. It has a large user base. If there is a problem in the code testing will present the issues.
 
coxhaus said:
I am counting on Pfsense to keep me safe. They have a lot of resources right now. Hopefully their testing will find issues if they exist. It has a large user base. If there is a problem in the code testing will present the issues.
Click to expand...

Hopefully they've sorted the CE vs PfSense Plus BS...
 
Yes, there is not a perfect solution out there. But overall, it is the best bet right now. It may change in the future.
 
You must log in or register to reply here.

Similar threads

D
  • Locked
Entware Backdoor in linux XZ utils on Linux distros.
Replies
4
Views
684
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
D News Universal local privilege escalation linux cve-2024-1086 General Network Security 0
XIII CVE-2024-31497: PuTTY vulnerability vuln-p521-bias General Network Security 3

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 598 (members: 11, guests: 587)
Top