Tools Resources

Understanding the New CVE-2024-3094: What You Need to Know

By: Panoptica Security Research Team

Apr 9, 2024
CVE-2024-3094, also known as the XZ vulnerability, was announced on March 29, 2024. The vulnerability was assigned the highest severity level, with a CVSS score of 10, indicating a critical risk and possibly allowing, under some conditions, unauthorized access to the entire system via SSH authentication on various linux distributions. The vulnerability originated from a supply chain compromise and impacts the most recent versions (v5.6.0 and v5.6.1) of the XZ Utils package and associated libraries.

Introduction

CVE-2024-3094, also known as the XZ vulnerability, was announced on March 29, 2024. The vulnerability was assigned the highest severity level, with a CVSS score of 10, indicating a critical risk and possibly allowing, under some conditions, unauthorized access to the entire system via SSH authentication on various linux distributions. The vulnerability originated from a supply chain compromise and impacts the most recent versions (v5.6.0 and v5.6.1) of the XZ Utils package and associated libraries. 

Overview of the Vulnerability 

  • CVE-ID: CVE-2024-3094 
  • Date of Discovery: 03/29/2024 
  • Discovered by: Andres Freund 
  • Affected Software: XZ utils v5.6.0 and v5.6.1 
  • Severity Rating: 10.0 

Technical Details

CVE-2024-3094 was discovered by Andres Freund, a Microsoft software engineer, who observed an anomaly while debugging SSH connection performance issues. He found that a backdoor had been inserted into the xz GitHub repository code by a legitimate contributor, which could lead to remote code execution on target machine running the sshd service, in what is known as a supply chain attack. 

The malicious code has been obfuscated and is designed to operate under specific conditions to maintain stealth and evade detection. These conditions include: 

  • The TERM, LD_DEBUG, and LD_PROFILE environment variables must not be set. 
  • The LANG environment variable needs to be set. 
  • No debugging tools should be running on the target machine. 
  • The OS of the target machine must be based on the x86-64 Linux architecture. 
  • When invoked on the target machine, /usr/sbin/sshd must pass as the first element (argv[0]). 

Affected Systems 

Linux Distribution Affected Version Mitigation
Red Hat Fedora Rawhide and Fedora 40 beta Downgrade xz version 
Kali Linux Affects Kali installations updated between March 26th to March 29th. Update to the latest OS version 
openSUSE TumbleweedAffects openSUSE installations between March 7th to March 28th. Downgrade xz version 
openSUSE MicroOS Affects openSUSE installations between March 7th to March 28th. Downgrade xz version 
Non-production Debian-based distributions 5.5.1alpha-0.1 - 5.6.1-1 Update OS version 
AlpineN/AUpgrade xz version to 5.6.1-r2 
GentooN/ADowngrade xz version 
Wolfi OSAffects Wolfi OS installations updates between February 24th to March 29th.Update to the latest OS version

General Mitigation and Remediation Strategies 

  • Locate all vulnerable assets in your environment including compute and images. 
  • Panoptica CNAPP allows customers to query for such vulnerable assets across all connected environments. 
  • Fix each vulnerable asset by upgrading or downgrading to a non-vulnerable version (listed in the table above). 
  • Prioritize patching of external facing machines that runs SSH service. 

References 

Panoptica blog

Becca Gomby

Thursday, Oct 24th, 2024

Becca Gomby

Friday, Oct 18th, 2024

Becca Gomby

Friday, Oct 4th, 2024

Becca Gomby

Friday, Sep 27th, 2024

Popup Image