The 10.0 Rated CVE in xz-utils Jeopardizing SSH Security

By
Profero IRT
April 3, 2024
https://profero.io/blog/the-10-0-rated-cve-in-xz-utils-jeopardizing-ssh-security

On March 29th, 2024, our security team was alerted to a newly identified CVE, CVE-2024-3094, carrying the maximum CVSS severity rating of 10.0. The vulnerability sits in xz-utils, a compression library and toolset shipped by practically every Linux distribution. Given how widely Linux systems are used within organizations, the potential scale and impact could rival, if not surpass, that of Log4J.

Amplifying the seriousness of the situation was the discovery that this was not an accidental bug: the code was deliberately inserted into the project as a backdoor by a developer who had become a maintainer of this open-source project.

What is CVE-2024-3094?

The vulnerability lies in liblzma, the library that xz-utils provides. On distributions whose OpenSSH server is patched to link libsystemd (which in turn loads liblzma), the backdoored library ends up inside the sshd process, where it hooks RSA public-key handling so that an attacker holding a specific private key can execute commands on the server remotely, before authentication completes. The backdoor was unearthed by Andres Freund, a Microsoft engineer and PostgreSQL developer, after he noticed that sshd logins were consuming far more CPU than they should. Without his discovery, there is a high probability that it would have remained undetected for many more years, or indefinitely. The affected releases of the library are 5.6.0 and 5.6.1.

Identifying Vulnerable Hosts

Upon receiving the CVE details, the Profero Incident Response Team (IRT) immediately began investigating methods to detect the affected versions, aiming to help organizations determine their level of exposure. After testing various Linux distributions and the different ways the xz-utils packages can be installed on Linux systems, the Profero IRT team settled on a check that confirms whether an affected release is present. The command provided below allows anyone to verify whether their Linux system is running one of the affected versions.

Execute the following command on all Linux systems within your organization:


dpkg --list | grep -E 'xz-utils|liblzma'

If the returned version is 5.6.0 or 5.6.1 (on Debian-based systems the package version also carries a packaging revision, for example 5.6.1-1), your system is affected, and you should follow the recommendations provided by your Linux distributor. Two caveats: on Debian and Ubuntu the library that sshd actually loads is packaged separately as liblzma5, so that package must be checked as well as the xz-utils command-line package; and dpkg only exists on Debian-based distributions, so rpm-based systems (Fedora, RHEL, openSUSE) should query the xz-libs package instead. This check was deployed to all Profero clients via our Rapid-IR investigator, with all results fed directly into Profero's proprietary Rapid-IR Portal, enabling clients to easily identify impacted machines.
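The following is an added example and not Profero's Rapid-IR script or any code from the original post. It covers both the version check above and the sshd link path described under "What is CVE-2024-3094?": it reads the installed liblzma version from whichever package manager is present (liblzma5 on Debian/Ubuntu, xz-libs on Fedora/RHEL, both real package names), falls back to `xz --version` for source builds, flags the affected releases, and reports whether the local sshd binary links liblzma. The version strings and hostnames in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Profero's Rapid-IR script): flag hosts carrying the
# CVE-2024-3094 xz-utils releases and report whether the local sshd loads
# liblzma. Package names are the real ones (liblzma5 on Debian/Ubuntu,
# xz-libs on Fedora/RHEL); version strings in comments are constructed.

# Reduce a package version to its upstream part: drop a Debian/rpm epoch
# ("2:5.6.1-1" -> "5.6.1-1") and the packaging revision ("5.6.1-1" -> "5.6.1").
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# Exit 0 when the upstream version is one of the backdoored releases.
# 5.6.0 and 5.6.1 are the releases named in CVE-2024-3094; the 5.5.x alpha
# packages are included because Debian marks 5.5.1alpha-0.1 through 5.6.1-1
# as affected.
is_affected_version() {
    case "$(upstream_version "$1")" in
        5.6.0|5.6.1|5.5.*alpha*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the installed liblzma version using whichever package manager is
# present, falling back to the xz binary itself (covers source installs).
installed_liblzma_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' liblzma5 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1 && rpm -q xz-libs >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' xz-libs && return 0
    fi
    xz --version 2>/dev/null | awk '/^liblzma/ { print $2; exit }'
}

# Exit 0 when the sshd binary links liblzma (directly or via libsystemd),
# which is the path the backdoor uses to reach the SSH server process.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

# Report for this host; exit 1 when an affected release is installed so the
# status can be collected by fleet tooling.
main() {
    host=$(uname -n)
    ver=$(installed_liblzma_version)
    if [ -z "$ver" ]; then
        echo "$host: liblzma not found; nothing to do"
        return 0
    fi
    if is_affected_version "$ver"; then
        if sshd_links_liblzma; then
            echo "$host: AFFECTED liblzma $ver and sshd loads liblzma; isolate and downgrade now"
        else
            echo "$host: AFFECTED liblzma $ver (sshd does not load liblzma here); still downgrade"
        fi
        return 1
    fi
    echo "$host: liblzma $ver is not an affected release"
    return 0
}

# Run the host check only when invoked with --check, so the functions above
# can also be sourced by other tooling.
if [ "${1:-}" = "--check" ]; then
    main
    exit $?
fi
```

Run it as `sh xz-check.sh --check` on each host; the exit status (1 for affected, 0 otherwise) lets a fleet collector sort results without parsing the message. The ldd step only tells you whether the backdoor's load path exists on this host; a matching package version is reason enough to downgrade regardless of what ldd reports.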


Affected Linux Distributions

Even if your Linux distribution is not listed below, Profero still recommends running the check above to identify vulnerable hosts and consulting your distributor's website for guidance specific to your release.

Distribution | Notes
Fedora Rawhide | Red Hat recommends stopping usage of any Fedora Rawhide instances
Fedora Linux 41 | Fedora Linux 41 users should revert XZ back to version 5.4
Kali Linux | Only affected if your organization updated between March 26 and March 28, 2024
openSUSE Tumbleweed and MicroOS | Affected if your organization updated between March 7 and March 28, 2024
Debian testing, unstable, experimental | Affected package versions 5.5.1alpha-0.1 through 5.6.1-1

Is the Open-Source Software Model Flawed?

This marks the second time in recent years, after Log4J, that we have seen a critical CVE with widespread impact originating from Open-Source Software (OSS). It raises the question of how many undiscovered flaws, accidental or planted, sit in other widely used OSS projects. Profero's co-founder, Guy Barnhart-Magen, wrote an insightful blog on this topic, discussing what companies can do to help and the challenges inherent in the OSS model itself. Read more here.

Conclusion/Final Thoughts

The potential impact of this vulnerability could have been one of the most significant ever, given that it was intentionally embedded and concealed in code used by most Linux distributions. Profero recommends that everyone check their Linux distributor's website for additional recommendations or a known-good build, and then downgrade (typically to the 5.4 series) or upgrade to that build accordingly, restarting sshd afterwards so the replaced library is actually loaded.
