XZ Utils Vulnerability Enables SSH Compromise


A critical backdoor was recently discovered in the XZ Utils library. The vulnerability was introduced by a once-trusted pseudonymous contributor in XZ version 5.6.0 and remained present in 5.6.1. The vulnerability weakens the authentication of SSH sessions via SSHD. It is being tracked as CVE-2024-3094 (CVSS severity score: 10 out of 10). Thankfully, these two most recent versions are not thought to be widely distributed outside of bleeding-edge Linux builds, which are often used for testing stability.

The XZ Utils library is common. It is a collection of tools for the xz compression format. The xz format uses the LZMA2 compression algorithm, the successor to the older LZMA format. The XZ Utils package contains several command-line tools, notably “xz” itself, which compresses and decompresses files. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source code of XZ versions 5.6.0 and 5.6.1. This object file is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that can be used by any software linked against it, allowing the interception and modification of all data that interacts with it.

Firmware security firm Binarly has released a free online scanner to detect Linux executables impacted by the XZ Utils supply chain attack. This scanner is available at xz.fail, along with a public API that can be used for bulk scans. **Note:** FRSecure has not validated this tool through testing. Please be careful with any tools you are not familiar with, and only use tools you can verify as safe.
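As an added example (not part of the original post, and unrelated to Binarly's scanner), a small POSIX shell triage script a defender can run on a host: it checks whether the installed xz is one of the two affected releases named above and whether the local sshd binary is linked against liblzma, the library through which the backdoor reaches SSH. The sshd fallback path and the report wording are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: local triage for CVE-2024-3094.
# It checks the two facts the advisory gives: the backdoor ships only in
# XZ Utils 5.6.0 and 5.6.1, and it reaches sshd through the liblzma library.

# Returns 0 (true) when the version string is one of the two backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the bare version out of the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the line does not match.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 when the given executable is dynamically linked against liblzma.
# On many distributions sshd pulls liblzma in indirectly, so ldd (transitive) is used.
links_liblzma() {
    [ -x "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Print a short report. Always exits 0 so it can be embedded in inventory scripts.
triage() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null | head -n 1)")
        if xz_version_affected "$ver"; then
            echo "AFFECTED: xz $ver is a backdoored release (CVE-2024-3094); replace it"
        else
            echo "ok: xz version ${ver:-unknown} is not 5.6.0 or 5.6.1"
        fi
    else
        echo "xz not found in PATH"
    fi
    # /usr/sbin/sshd is an assumed default location when sshd is not in PATH.
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if links_liblzma "$sshd"; then
        echo "note: $sshd links liblzma, so a backdoored xz would be reachable from SSH"
    else
        echo "ok: $sshd does not link liblzma (or is not present)"
    fi
    return 0
}

triage
```

A version match is the decisive signal; the liblzma link check only tells you whether a backdoored build would have had a path into sshd on this host.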

For more information on CVE-2024-3094, please visit nvd.nist.gov/vuln/detail/CVE-2024-3094
