Detecting and Fixing CVE-2024-3094

Uncover the CVE-2024-3094 vulnerability in XZ utilities, stumbled upon by researcher Andres Freund. Learn how this sneaky exploit, orchestrated by attacker Jia Tan, poses a threat to systems using versions 5.6.0 and 5.6.1, and discover quick mitigation tips to stay protected.
Detecting and Fixing CVE-2024-3094
Doron Naim
March 30, 2024
Share this post

Recently, on March 29, 2024, Andres Freund, a researcher not typically focused on security matters, stumbled upon a significant issue while logging in via SSH on his Debian machine. This issue led to the revelation of a critical vulnerability with CVSS score of 10.0, CVE-2024-3094, in versions 5.6.0 and 5.6.1 of XZ utilities. What's more concerning is that XZ utilities are also utilized by OpenSSH, magnifying the potential impact of this discovery.

How It Works

The method employed by the attacker, identified as Jia Tan (Github user - JiaT75), involves a cunning approach (here you can find his activity in the past 2 years on this project). Rather than directly modifying the source code, a malicious code was covertly committed to the XZ project's tests. During the software build process, this code is injected into the liblzma library responsible for compression operations. The injected code can be found here.

Andres describes his backdoor analysis

Understanding the Vulnerability

Initially mistaken for an authentication bypass, deeper investigation revealed CVE-2024-3094 to be a Remote Code Execution (RCE) vulnerability. This vulnerability triggers the download and execution of malicious payloads upon connection to the SSH server. Samples of known payloads circulating include:
- 4f0cf1d2a2d44b75079b3ea5ed28fe54
- d26cefd934b33b174a795760fc79e6b5
- d302c6cb2fa1c03c710fa5285651530f
- 53d82bb511b71a5d4794cf2d8a2072c1
- 212ffa0b24bb7d749532425a46764433

Impact

The ramifications of CVE-2024-3094 extend to operating systems that adopted the new version of XZ utilities. Affected systems include certain versions of Debian (excluding stable), RedHat (Fedora 41 +Rawhide), some OpenSUSE, and specific releases of Kali Linux, etc. Notably, Amazon Linux remains unscathed by this vulnerability.

Mitigation

To address CVE-2024-3094 and safeguard your systems:


1. Utilize scripts or YARA rules to scan for and detect the vulnerability.

2. Prevent the execution of known malicious payloads by verifying against their hashes.

3. Restrict access to affected instances from the public internet.

4. Consider upgrading the entire operating system or downgrading XZ utilities to versions predating 5.6.0.

Empower Your Vulnerability Response with DevOcean

Experience a new level of vulnerability management with DevOcean. Say goodbye to manual processes and hello to automated vulnerability response. Detect and address threats like CVE-2024-3094 effortlessly, driving faster remediation workflows and ensuring your systems stay secure. Take charge of your cybersecurity journey today with DevOcean.

References

For further information and support, refer to the following resources:

Related articles

New Partnership: DevOcean + Snyk

Aviad Kutchuk DevOcean
Aviad Kutchuk
March 18, 2024
DevOcean and Snyk: A Powerful Partnership for Streamlined Remediation
DevOcean now available on AWS Marketplace

DevOcean Now Available on AWS Marketplace

Gil Makmel
March 11, 2024
DevOcean is now listed on the AWS Marketplace, making it easy for AWS customers to quickly procure and deploy DevOcean.
DevOcean changed the cloud remediation game.

DevOcean: The Cool Vendor That Revolutionized Remediation

Doron Naim
Doron Naim
January 31, 2024
In 2023 DevOcean emerged as a revolutionary force, reshaping the very essence of remediation in the cloud-first era.
See All Articles

Fast forward remediation.

Cut remediation cycles from weeks to days.

Get a DemoTry for Free