Latest CVE-2024-3094 (XZ Utils backdoor) coverage
Andres Freund discovered a malicious backdoor in a recent revision of the XZ Utils package. This backdoor was introduced by a threat actor who spent years building trust in the open source community before taking over maintenance of the XZ Utils project. After gaining access as a maintainer, the threat actor introduced the malicious code in multiple obfuscated steps. This backdoor could allow the threat actor to run arbitrary commands without authentication through the OpenSSH daemon.
CVE-2024-3094 is rated critical with a CVSS score of 10.0.
An overview of this issue can be found at ArsTechnica.
Russ Cox published a detailed timeline.
What is the impact?
Successful exploitation of this backdoor would allow the actor responsible to run arbitrary system commands without authentication.
Anthony Weems built a fantastic proof-of-concept and demo kit for reproducing the backdoor.
Are updates or workarounds available?
This backdoor was enabled when a build was run on an x86_64 (amd64) system that was building a Debian “DEB” or Red Hat “RPM” package. The issue was caught prior to widespread release and the list of affected distributions is small as a result.
The following distributions shipped a combination of packages that resulted in a backdoored SSH daemon:
- Red Hat Fedora Linux (Rawhide)
- Debian Linux (unstable and testing builds)
- Kali Linux (rolling release)
- OpenSUSE Linux (Tumbleweed & MicroOS)
Additional information about this issue can be found across the web and in various distribution-specific trackers:
How to find potentially affected systems with runZero
The runZero team is investigating whether a direct check against SSH is possible.
In the meantime, we suggest using this runZero Service Inventory query:
_asset.protocol:ssh protocol:ssh (banner:="SSH-2.0-OpenSSH_9.6" OR banner:="SSH-2.0-OpenSSH_9.6p1%Debian%" OR banner:="SSH-2.0-OpenSSH_9.7p1%Debian%")
This query is based on the following logic:
1. Identify any instances of Fedora Rawhide or OpenSUSE Tumbleweed & MicroOS in your environment. The easiest way to find potentially affected installations is to look for OpenSSH servers running version 9.6, which is a recent release specific to those rolling distributions.
2. Identify any instances of Debian or Kali rolling builds. The easiest way to do this is by looking for recently released (9.6 and 9.7) Debian-flavored OpenSSH services, as these packages were shipped in the Debian unstable and Kali Linux rolling releases.
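As an added illustration (not runZero's code or query engine), the following Python script applies the same banner logic as the query above to an SSH inventory exported from any scanner. It assumes that `%` in the query is a wildcard matching any run of characters and that the remaining text must match exactly; the host and banner values are constructed samples.

```python
import re

# The three banner patterns from the runZero query above. '%' is treated as a
# wildcard matching any run of characters (assumption, based on how the query
# uses "%Debian%"); everything else must match literally and completely.
QUERY_PATTERNS = [
    "SSH-2.0-OpenSSH_9.6",
    "SSH-2.0-OpenSSH_9.6p1%Debian%",
    "SSH-2.0-OpenSSH_9.7p1%Debian%",
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a '%'-wildcard pattern into an anchored, case-sensitive regex."""
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.compile("^" + ".*".join(parts) + "$")


COMPILED = [pattern_to_regex(p) for p in QUERY_PATTERNS]


def banner_matches(banner: str) -> bool:
    """True if an SSH identification string matches any pattern in the query."""
    banner = banner.strip()
    return any(rx.match(banner) for rx in COMPILED)


def triage(inventory: dict) -> list:
    """Return the sorted list of hosts whose banner matches the query."""
    return sorted(host for host, banner in inventory.items() if banner_matches(banner))


# Constructed sample inventory (host -> banner); not real scan output.
SAMPLE_INVENTORY = {
    "10.0.0.11": "SSH-2.0-OpenSSH_9.6",                      # Fedora Rawhide / Tumbleweed style
    "10.0.0.12": "SSH-2.0-OpenSSH_9.6p1 Debian-4",           # Debian unstable
    "10.0.0.13": "SSH-2.0-OpenSSH_9.7p1 Debian-5",           # Debian/Kali rolling
    "10.0.0.14": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",   # Debian stable, not in scope
    "10.0.0.15": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",  # Ubuntu, not in scope
    "10.0.0.16": "SSH-2.0-OpenSSH_9.6p1",                    # 9.6p1 without a Debian tag
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host])
```

A banner match only flags a host for follow-up; confirm the installed xz-utils package version on each flagged system before treating it as compromised.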
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.