New reports of the XZ Utils supply chain attack, which resulted in the insertion of a backdoor into the XZ Utils library and impacted various Linux and Unix distributions, are highlighting the growing importance of supply chain security.
The attack was discovered by a software engineer from Microsoft who noticed a delay in the login process and subsequently investigated the incident. The backdoor was found to have been inserted by a malicious actor named "tukaani-project" who contributed to the open-source XZ repository on GitHub. The actor added backdoor code to the release tarballs, compromising the security of systems using the affected versions of XZ Utils.
The backdoor allowed unauthorized access to SSH, bypassing authentication and enabling attackers to execute arbitrary system commands, ultimately giving attackers the same level of control over affected systems as legitimate, authorized administrators. The impact of this attack is significant, as XZ Utils is widely used in Linux, Unix, and other POSIX-compatible systems.
Attack Details
The attack on XZ Utils involved the insertion of a backdoor in the XZ repository on GitHub. The malicious actor, operating under the username "tukaani-project," gained trust within the open-source community and took over maintenance authority for the project. In February 2024, the actor submitted malicious files to liblzma/xz, introducing a hidden backdoor that allowed unauthorized access to SSH.
Since its discovery, the NVD has labelled the vulnerability as CVE-2024-3094. The CVE has been given the highest possible score of 10.0 by Cybersixgill’s Vulnerability Exploit Intelligence and the NVD due to its severity. The vulnerability affects the xz compression library, specifically in the upstream tarballs starting from version 5.6.0. This vulnerability allows an attacker to inject malicious code into the source code, which can then be used to modify certain functions within the liblzma code. As a result, any software that is linked against this modified library can be compromised, enabling the attacker to intercept and manipulate data interactions.
The impact of CVE-2024-3094 is significant, as it has been associated with various advanced persistent threats (APTs) such as NARWHAL SPIDER, APT41, NSO Group, Killnet, and COSMIC WOLF. These threat actors have been known to exploit this vulnerability for their malicious activities. The vulnerability has gained attention in the cybersecurity community and is currently trending in the Russian Underground as well as on GitHub. A proof-of-concept exploit for CVE-2024-3094 is available, further highlighting the urgency of addressing this issue.
Detection and Mitigation
To determine if a system is affected by the XZ backdoor, users can check the version of XZ Utils in use. Running the command "xz --version" will print the installed version. If the version is within the affected range, immediate action should be taken to mitigate the risk.
Users can also use scripts published on Openwall to check for the presence of the backdoor on the system. These scripts analyze the binary data of the liblzma library file that the sshd program depends on, searching for backdoor signatures.
Mitigation measures include downgrading XZ Utils to unaffected versions (XZ Utils < 5.6.0 or XZ Utils >= 5.8.0). It is also recommended to implement robust supply chain security practices, including thorough code review, monitoring for suspicious activity, and maintaining an updated inventory of software components and their dependencies.
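The version check and the sshd/liblzma dependency check described above, as an added POSIX shell example that is not part of the article or the XZ project. It treats the range the article gives (5.6.0 up to but not including 5.8.0) as affected, and assumes only the standard xz, ldd, awk and sed commands.

```sh
#!/bin/sh
# Added example, not from the article or the XZ project: check the installed
# XZ Utils version against the affected range the article states
# (5.6.0 <= version < 5.8.0) and report which liblzma the local sshd loads.
# Assumes only POSIX sh plus the xz, ldd, awk and sed commands.

# Convert a dotted version such as "5.6.1" to a comparable integer (5006001).
# Missing fields count as 0, so "5.6" becomes 5006000.
ver_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%d' $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Succeed (exit 0) when VERSION falls inside the range the article calls
# affected; versions below 5.6.0 or at/above 5.8.0 are treated as unaffected.
xz_version_affected() {
    v=$(ver_to_int "$1")
    [ "$v" -ge "$(ver_to_int 5.6.0)" ] && [ "$v" -lt "$(ver_to_int 5.8.0)" ]
}

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1"; prints nothing if the line is absent.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Print the path of the liblzma shared object that sshd resolves at load
# time (the file the Openwall checker inspects); empty if none is found.
sshd_liblzma_path() {
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_bin" ] || return 1
    ldd "$sshd_bin" 2>/dev/null | awk '/liblzma/ { print $3; exit }'
}

main() {
    installed=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if [ -z "$installed" ]; then
        echo "xz: not installed or version string not recognised"
    elif xz_version_affected "$installed"; then
        echo "xz $installed: INSIDE affected range, move to < 5.6.0 or >= 5.8.0"
    else
        echo "xz $installed: outside affected range"
    fi
    lib=$(sshd_liblzma_path || true)
    [ -n "$lib" ] && echo "sshd loads liblzma from $lib; scan this file for backdoor signatures"
    return 0
}
main "$@"
```

The version functions can be sourced and reused in fleet-wide inventory scripts; the sshd check only tells you which liblzma file to hand to a signature scanner, it does not itself look for the backdoor.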
About XZ Utils
XZ Utils is a collection of free software utilities that manage files compressed in the XZ format, a high compression ratio format based on the LZMA2 algorithm. The suite includes several command line tools such as "xz" for compression and decompression, and "xzdec" for decompression. XZ Utils is noted for producing smaller archives than other common compression formats like gzip or bzip2, making it particularly useful for software distribution and data archiving where space efficiency is crucial. Developed under the GNU General Public License, XZ Utils is widely used in various Unix-like operating systems, including Linux distributions.