
Warning: CVE-2024-3094, A Backdoor In The Linux XZ Library Versions 5.6.0 & 5.6.1, Can Lead To SSH Authentication Bypass, Patch Immediately!

Reference: Advisory #2024-46
Version: 1.0
Affected software: XZ Utils data compression library (liblzma) versions 5.6.0 and 5.6.1
Type: Backdoor via malicious code, SSH authentication bypass
CVE/CVSS: CVE-2024-3094: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Risks

CVE-2024-3094 is a backdoor in XZ Utils versions 5.6.0 and 5.6.1 which can lead to an sshd authentication bypass on systems where sshd loads the malicious liblzma. This can give an attacker full remote access to affected systems and therefore has a high impact on confidentiality, integrity and availability.

Furthermore, a proof-of-concept has been published and the vulnerability is being actively exploited by malicious actors.

Description

Malicious code has been discovered in the upstream release tarballs of XZ Utils, specifically versions 5.6.0 and 5.6.1. The malicious payload is injected into the liblzma library at build time. On distributions where OpenSSH's sshd is linked against libsystemd, and thereby against liblzma, the library interposes on the RSA public key handling used by sshd, allowing an attacker who holds the backdoor's private key to bypass authentication. The following Linux distributions shipped the affected versions:

  • Kali Linux: vulnerable versions between March 26th and 29th
  • openSUSE Tumbleweed and openSUSE MicroOS: vulnerable versions between March 7th and 28th
  • Debian testing, unstable, and experimental: versions 5.5.1alpha-0.1 to 5.6.1-1
  • Fedora 41; Fedora 40 users are also recommended to downgrade XZ Utils as a precaution
  • Fedora Rawhide: development version
  • Arch Linux: xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1)

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends upgrading XZ Utils to a fixed version (>5.6.1, or the rebuilt package your distribution has published) or, if no fixed package is available yet, downgrading to a stable unaffected version (<5.6.0, e.g. the 5.4.x series). After upgrading or downgrading, restart sshd so that the clean liblzma is loaded.

Red Hat advises to stop the usage of any Fedora Rawhide instances: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users.

SUSE has published a downgrade guide for openSUSE distribution users: https://build.opensuse.org/request/show/1163302

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.

While patching appliances or software to a fixed version protects against future exploitation, it does not remediate a compromise that may already have taken place. Hosts that exposed an affected sshd to the network should be treated as potentially compromised and investigated accordingly.

References

https://access.redhat.com/security/cve/CVE-2024-3094?extIdCarryOver=true&sc_cid=701f2000001OH6fAAG

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://build.opensuse.org/request/show/1163302