CVE-2024-3094 Analysis: Multi-layer Supply Chain Attack Using XZ Utils Backdoor Impacts Major Linux Distributions

Cybersecurity experts remain vigilant amidst an ongoing supply chain attack that has cast a shadow over the most widely-used Linux distributions. With its scale and sophistication reminiscent of infamous incidents like Log4j and SolarWinds, this new threat emanates from a backdoored XZ Utils (formerly LZMA Utils)—an essential data compression utility found in virtually all major Linux distros. To drive attention to this groundbreaking threat, the sneaky backdoor has been assigned a vulnerability identifier of CVE-2024-3094 with a severity rating of 10.0.

XZ Utils Backdoor: Linux Supply Chain Attack

A critical software supply chain compromise involves two widely used XZ Utils data compression library versions, which have been covertly backdoored. The backdoor enables remote adversaries to bypass secure shell (sshd) authentication, granting them complete access to affected systems. This meticulously executed, multiyear attack suggests that an individual with maintainer-level access deliberately introduced the backdoor.

Andres Freund, a Microsoft software engineer who detected the suspicious misconfiguration in late March, asserts that malicious strings were injected into the tarball download pack within XZ Utils version 5.6.0 issued in February 2024. Shortly thereafter, in version 5.6.1, threat actors updated the malicious code to enhance it with extra obfuscation and fix some errors in the configuration. 

Freund states that the malicious code has been stealthily integrated through a sequence of source code commits into the Tukaani Project on GitHub by an individual identified as Jia Tan (JiaT75) early this year. The XZ Utils repository of the Tukaani Project on GitHub has already been disabled due to violations.

As of now, the affected XZ Util versions have exclusively appeared in unstable and beta editions of Fedora, Debian, Kali, openSUSE, and Arch Linux distributions. Debian and Ubuntu have confirmed that none of their stable releases contain the compromised packages, ensuring user security. Additionally, Amazon Linux, Alpine Linux, Gentoo Linux, and Linux Mint claimed to be unaffected by the backdoor incident.

XZ Utils serves as a critical component not only within numerous Linux distributions but also as a fundamental dependency for various libraries. The implications of this supply chain attack ripple widely across the software ecosystem. Yet, since backdoor haven’t make a way to any stable Linux distro, the possible consequences are considerably limited.

CVE-2024-3094 Mitigation: Reducing Risks Linked to XZ Utils Backdoor

Each advisory (mentioned above) provided by maintainers of major Linux distributions contains guidance for users to swiftly detect the presence of the compromised XZ Util versions in their codebases. Red Hat has taken proactive measures by releasing an update that rolls back XZ to previous versions, with plans to distribute it through its standard update channels. However, users worried about potential attacks have the option to expedite the update process. 

CISA has added its voice to the call for organizations utilizing impacted Linux distributions to revert their XZ Utils to a prior version. They emphasize the importance of diligently searching for any signs of suspicious activity linked to the backdoor and promptly sharing their findings with the cybersecurity community.

Summarizing the above, mitigation routine should include the following basics:

• Downgrading (or upgrading) XZ Util packages to a secure version based on the relevant advisory;
• Blocking external SSH access;
• Network segmentation.

Additionally, to assist cyber defenders in spotting possible malicious activity linked to XZ backdoor execution the SOC Prime Team along with Arnim Rupp, Nasreddine Bencherchali, and Thomas Patzke provided related Sigma rules available in the SOC Prime Platform.

Suspicious Execution of SH Interpreter via SSH Connection in Modern Linux Distros (via cmdline)

Potential Exploitation of CVE-2024-3094 – Suspicious SSH Child Process

Both rules help detect potentially suspicious child process of SSH process (sshd) with a specific execution user which might be possibly linked to CVE-2024-3094. The rules are compatible with 28 SIEM, EDR, XDR, and Data Lake technologies and enriched with extensive threat intelligence.

SOC Prime’s Platform for collective cyber defense offers the world’s largest collection of behavior-based detection algorithms to detect attackers’ TTPs, backed by innovative threat hunting and detection engineering solutions created to streamline SOC operations. Stay ahead of attackers and proactively detect notorious threats relying on SOC Prime. Explore more at https://socprime.com/.