CVE-2024-3094 - XZ Utils Backdoor - additional info


sfx2000

Part of the Furniture
This had some traction over in AsusWRT-Addon's thread... I would post there, but the thread was closed.


A couple of good write-ups and analyses of this CVE are below


and..


The boehs.org post has a lot of good back story, esp on how someone was able to gain trust thru a number of means, well before inserting the backdoor.

The second post is far more technical, but also shows the dependencies - e.g. has to be a systemd enabled build, with glibc, and x86-64, along with OpenSSH (sshd)

Where my interest was - OpenWRT, looks like formal releases were not impacted, but SNAPSHOT builds off MASTER did include the impacted version of xz-utils, this was rolled back on Friday for MASTER...

Code:
commit d4b6b76443207103d3a7c0eae5c0085317fb584f
Author: Petr Štetiar <ynezz@true.cz>
Date:   Fri Mar 29 16:59:01 2024 +0000

    Revert "tools/xz: update to 5.6.1" (CVE-2024-3094)

    This reverts commit 714c91d1a63f29650abaa9cf69ffa47cf2c70297 as probably
    the upstream xz repository and the xz tarballs have been backdoored.

    References: https://www.openwall.com/lists/oss-security/2024/03/29/4.
    Signed-off-by: Petr Štetiar <ynezz@true.cz>

AsusWRT isn't impacted, and I believe that Entware is safe as well - here's OpenWRT's official response to the CVE

What I haven't been able to figure out is if there is a patch available. Since the project was disabled (in GitHub), how can a patch be rolled out?
 
Isn't that all you need to know?

Seems like it's answered to me.
 
What I haven't been able to figure out is if there is a patch available. Since the project was disabled (in GitHub), how can a patch be rolled out?

It's a roll-back to the last known good release.
 

[Arch Linux, Debian, Kali Linux, Opensuse, Fedora]

Script for Testing:
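An added check script (not the script linked in the post above, and not OpenWRT's or any distribution's code) that tests the two conditions the thread describes: whether the installed xz is one of the backdoored releases (5.6.0 and 5.6.1 per the public advisory) and whether the local sshd links liblzma, which the second write-up names as part of the precondition (systemd build, glibc, x86-64, OpenSSH). The sshd path and the `xz --version` output format are assumptions.

```shell
#!/bin/sh
# Added example: checks for the CVE-2024-3094 preconditions on this host.
# Paths and the "xz (XZ Utils) X.Y.Z" version line are assumptions.

# Return 0 when the given bare version string is an affected release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the bare version out of the first line of `xz --version`
# (e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1"); prints nothing if unparsable.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Does the sshd binary link liblzma?  0 = yes, 1 = no, 2 = cannot tell.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_path" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma' && return 0
    return 1
}

main() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null | head -n 1)")
        if xz_version_affected "$ver"; then
            echo "xz $ver: affected release, roll back to the last known good build"
        else
            echo "xz ${ver:-unknown}: not an affected release"
        fi
    else
        echo "xz not installed"
    fi
    rc=0
    sshd_links_liblzma || rc=$?
    case $rc in
        0) echo "sshd links liblzma: backdoor precondition present, check xz version above" ;;
        1) echo "sshd does not link liblzma" ;;
        *) echo "sshd or ldd not found, cannot check linkage" ;;
    esac
}

main "$@"
```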
 
Canonical has pushed the most beta release for 24.04 out a week to basically rebuild the entire release...

24.04 is an LTS release, and it's still scheduled for production release on April 25, 2024 - but if we have to go thru another beta run this late into the release cycle, it could push things out.

Ubuntu is also upstream for a lot of other releases as well...

Something like this is a release manager's nightmare and can be a headache for folks that do the CI/CD pipelines for things using Docker and VMs (since Ubuntu server images need QA time before release into production)
 
THANKS FOR THE DAILY DOSE OF GOOD NEWS
 

Wish I had better news...

As this whole thing unravels, there are a lot of packages that statically link to the xz-utils package across many distributions...

Good news - not everyone linked to the impacted versions, and what I'm seeing now in embedded land, is a migration away from xz-utils in general for alternatives...
 