The Dangerous XZ Vulnerability: What You Need to Know

A recent discovery has unveiled a significant threat within the Linux community: CVE-2024-3094, a covert malware implant embedded within the widely-used liblzma compression library. This threat poses a serious risk to systems relying on LZMA compression, particularly those employing the xz file format and related compression tools. 

What is the XZ Vulnerability?

The XZ vulnerability, CVE-2024-3094, is a malicious code injection found in XZ Utils versions 5.6.0 and 5.6.1. The attackers tampered with the build process of the liblzma library so that, during the build, obfuscated code was extracted from files disguised as test data in the source tree and compiled into the library. Concealed inside the LZMA implementation, the injected code was positioned to compromise any system relying on XZ compression.

The Supply Chain Compromise

The attackers' strategy targeted the Debian supply chain, aiming to compromise a popular library used in Debian-style builds of OpenSSH. Debian's version of OpenSSH carries a modification to support systemd notifications, which makes sshd depend on libraries such as libsystemd, which in turn depends on liblzma. By compromising liblzma, the attackers gained leverage over every program that loads it, with OpenSSH servers as the primary target.

Understanding Public Keys and Cryptographic Signatures

The malware implant, embedded within liblzma, specifically targets RSA-based authentication attempts. RSA, a widely-used asymmetric cryptographic algorithm, involves a public-private key pair. Attackers craft fake RSA public keys containing scrambled system commands, strategically embedded within authentication requests. These rogue keys, seemingly legitimate, carry disguised data and are intercepted by the malware for execution.

Remote Code Execution

The attackers' interest lies in hooking the RSA_public_decrypt() function so that system commands hidden inside fake cryptographic signatures reach the implant. When an RSA-based authentication attempt arrives, the malware extracts the RSA public key and retrieves the cryptographic certificate. The value of N (the RSA modulus) in the rogue public key carries the scrambled system commands, which the implant then passes to the system() function. This technique grants the attackers unauthenticated root-level remote code execution, letting them take over affected systems with devastating consequences.

Mitigating the Vulnerability

To mitigate the XZ vulnerability, immediate action is imperative. Downgrading to a previous version of XZ Utils (5.4.6 or below) is critical; at the moment, that release line is the one that addresses the vulnerability.

Affected Systems

Key Vulnerability System Conditions

Is my organization affected?

Do not check the xz version by running the xz binary itself (for example, `xz --version` or `xz -V`).

Thankfully, I created a script, which you can find here, to help you check on the version you are running and downgrade xz if needed.
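As an added illustration of the checks described above (the version check without running xz, and the sshd-to-liblzma dependency chain from the supply chain section), here is a small POSIX shell script. It is an example written for this page, not the author's script and not part of XZ Utils; it assumes the Debian package name liblzma5 and the Fedora/RHEL package name xz-libs, reads the installed version from the package manager rather than from the xz binary, and reports whether the installed version is one of the affected releases. It only reports and never modifies the system.

```shell
#!/bin/sh
# Added example (not the author's script): report whether the installed
# liblzma is one of the backdoored releases (5.6.0 / 5.6.1) without ever
# executing the xz binary, and whether sshd links against liblzma.

# Strip distro packaging decoration from a package version string so that
# only the upstream version remains, e.g.
#   "1:5.6.0-2"            -> "5.6.0"   (epoch and Debian revision removed)
#   "5.6.1-1ubuntu1"       -> "5.6.1"
#   "5.6.1+really5.4.5-1"  -> "5.4.5"   (Debian's "+really" convention: the
#                                        package actually ships 5.4.5)
normalize_version() {
    v=$1
    case "$v" in
        *+really*) v=${v#*+really} ;;
    esac
    v=${v%%-*}      # drop the "-<revision>" suffix
    v=${v#*:}       # drop the "<epoch>:" prefix
    printf '%s\n' "$v"
}

# Return 0 (true) when the normalized upstream version is an affected release.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Ask the package manager for the installed liblzma version. Package names
# are assumptions for Debian-family (liblzma5) and RPM-family (xz-libs).
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' liblzma5 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' xz-libs 2>/dev/null
    fi
}

# Return 0 when the sshd binary is dynamically linked against liblzma,
# which is the dependency chain (sshd -> libsystemd -> liblzma) the implant relies on.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

report() {
    raw=$(installed_xz_version)
    if [ -z "$raw" ]; then
        echo "liblzma: could not determine installed version from the package manager"
    else
        ver=$(normalize_version "$raw")
        if xz_version_is_affected "$ver"; then
            echo "liblzma: installed version $raw ($ver) is AFFECTED by CVE-2024-3094"
        else
            echo "liblzma: installed version $raw ($ver) is not an affected release"
        fi
    fi
    if sshd_links_liblzma; then
        echo "sshd: links against liblzma (exposed if liblzma is compromised)"
    else
        echo "sshd: does not link against liblzma, or sshd not found"
    fi
}

report
```

The version is taken from dpkg or rpm metadata rather than from `xz --version`, in keeping with the advice above, and the "+really" handling matters because a Debian package labelled 5.6.1+really5.4.5 contains the safe 5.4.5 code despite the leading 5.6.1.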