Detecting and Fixing CVE-2024-3094

Uncover the CVE-2024-3094 vulnerability in XZ utilities, stumbled upon by researcher Andres Freund. Learn how this sneaky exploit, orchestrated by attacker Jia Tan, poses a threat to systems using versions 5.6.0 and 5.6.1, and discover quick mitigation tips to stay protected.
Doron Naim
March 30, 2024

Recently, on March 29, 2024, Andres Freund, a researcher not typically focused on security matters, stumbled upon a significant issue while logging in via SSH on his Debian machine. This issue led to the revelation of a critical vulnerability with a CVSS score of 10.0, CVE-2024-3094, in versions 5.6.0 and 5.6.1 of XZ utilities. What is more concerning is that XZ utilities are also utilized by OpenSSH, magnifying the potential impact of this discovery.

How It Works

The method employed by the attacker, identified as Jia Tan (GitHub user JiaT75), involves a cunning approach (his activity on this project over the past two years can be found here). Rather than directly modifying the source code, malicious code was covertly committed to the XZ project's tests. During the software build process, this code is injected into the liblzma library responsible for compression operations. The injected code can be found here.

Andres describes his backdoor analysis

Understanding the Vulnerability

Initially mistaken for an authentication bypass, deeper investigation revealed CVE-2024-3094 to be a Remote Code Execution (RCE) vulnerability. This vulnerability triggers the download and execution of malicious payloads upon connection to the SSH server. Samples of known payloads circulating include:

Impact

The ramifications of CVE-2024-3094 extend to operating systems that adopted the new version of XZ utilities. Affected systems include certain versions of Debian (excluding stable), Red Hat (Fedora 41 and Rawhide), some openSUSE releases, and specific releases of Kali Linux, etc. Notably, Amazon Linux remains unscathed by this vulnerability.

Mitigation

To address CVE-2024-3094 and safeguard your systems:

1. Utilize scripts or YARA rules to scan for and detect the vulnerability.
2. Prevent the execution of known malicious payloads by verifying against their hashes.
3. Restrict access to affected instances from the public internet.
4. Consider upgrading the entire operating system or downgrading XZ utilities to versions predating 5.6.0.
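As an added example for steps 1 and 4 (this is not a script from the original post or from the XZ project), the POSIX shell check below reports whether the installed xz is one of the two releases named above and whether the sshd binary maps liblzma at all, which is the injection path described earlier. It assumes sshd lives at /usr/sbin/sshd and that `xz --version` prints its usual "xz (XZ Utils) <version>" banner.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Assumed path for the
# sshd binary (override by passing another path to sshd_liblzma_path).

# Return 0 (true) when the bare version string is one of the two
# backdoored releases the article names, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the bare version out of the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the banner line as an
# argument so it can be exercised without xz installed.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Print the liblzma path that sshd resolves at load time (directly or via
# libsystemd), or nothing if sshd is absent or does not map liblzma.
sshd_liblzma_path() {
    sshd="${1:-/usr/sbin/sshd}"
    [ -x "$sshd" ] || return 1
    ldd "$sshd" 2>/dev/null | sed -n 's/.*liblzma\.so[^ ]* => \([^ ]*\).*/\1/p'
}

# Tie the checks together and report in plain language.
main_check() {
    banner=$(xz --version 2>/dev/null | head -n 1)
    ver=$(xz_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "xz not on PATH; check the liblzma package version with your package manager"
    elif xz_version_affected "$ver"; then
        echo "xz $ver is a backdoored release (5.6.0 / 5.6.1): downgrade or upgrade now"
    else
        echo "xz $ver is not one of the two named releases"
    fi
    lib=$(sshd_liblzma_path)
    if [ -n "$lib" ]; then
        echo "sshd maps liblzma via $lib; a backdoored liblzma would load into sshd here"
    else
        echo "sshd does not map liblzma on this host"
    fi
}

main_check
```

A clean version string only says the host is not running 5.6.0 or 5.6.1; it does not prove a rebuilt or vendored liblzma is clean, so pair it with the YARA rules or package-manager checks mentioned in step 1.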

Empower Your Vulnerability Response with DevOcean

Experience a new level of vulnerability management with DevOcean. Say goodbye to manual processes and hello to automated vulnerability response. Detect and address threats like CVE-2024-3094 effortlessly, driving faster remediation workflows and ensuring your systems stay secure. Take charge of your cybersecurity journey today with DevOcean.
