CVE-2024-3094 - XZ Utils Backdoor - addtional info

[sfx2000]

This had some traction over in AsusWRT-Addon's thread... I would post there, but the thread was closed.

Entware - Backdoor in linux XZ utils on Linux distros.

https://www.phoronix.com/news/XZ-CVE-2024-3094 Whomp whomp 😑 *Doesn't appear to be incorporated into Asuswrt-Merlin. 5.4.6-1 xz is a entware however “Some malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access.” Earlier versions should be safe however xz...

www.snbforums.com

A couple of good write ups and analysis for this CVE are below

Everything I know about the XZ backdoor

Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries

boehs.org

and..

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

The boehs.org post has a lot of good back story, esp on how someone was able to gain trust thru a number of means, well before inserting the backdoor.

The second post is far more technical, but also shows the dependencies - e.g. has to be a systemd enabled build, with glibc, and x86-64, along with OpenSSH (sshd)

Where my interest was - OpenWRT, looks like formal releases were not impacted, but SNAPSHOT buillds off MASTER did include the impacted version of xz-utils, this was rolled back on Friday for MASTER...

commit d4b6b76443207103d3a7c0eae5c0085317fb584f
Author: Petr Štetiar <ynezz@true.cz>
Date:   Fri Mar 29 16:59:01 2024 +0000

    Revert "tools/xz: update to 5.6.1" (CVE-2024-3094)

    This reverts commit 714c91d1a63f29650abaa9cf69ffa47cf2c70297 as probably
    the upstream xz repository and the xz tarballs have been backdoored.

    References: https://www.openwall.com/lists/oss-security/2024/03/29/4.
    Signed-off-by: Petr Štetiar <ynezz@true.cz>

AsusWRT isn't impacted, and I believe that Entware is safe as well - here's OpenWRT's official response to the CVE

Project statement about xz 5.6.1 (CVE-2024-3094)

Hi, tl;dr OpenWrt seems to be not affected by the CVE-2024-3094 As you may be aware, malicious code was identified in the xz upstream tarballs starting from version 5.6.0. The development snapshots of OpenWrt were utilizing this compromised library version. Fortunately, the snapshots builds...

forum.openwrt.org

 

[Justinh]

What I haven't been able to figure out is if there is a patch available. Since the project was disabled (in GitHub), how can a patch be rolled out?

 

[L&LD]

Isn't that all you need to know?

Seems like it's answered to me.

 

[sfx2000]

What I haven't been able to figure out is if there is a patch available. Since the project was disabled (in GitHub), how can a patch be rolled out?

It's a roll-back to the last known good release.

 

[PR3MIUM]

Microsoft FAQ and guidance for XZ Utils backdoor

Latest information about XZ Utils vulnerability and guidance on how to assess your potential exposure.

techcommunity.microsoft.com

GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)

notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) - amlweems/xzbot

github.com

[Arch Linux, Debian, Kali Linux, Opensuse, Fedora]

Script for Testing:

scripts/xz_cve-2024-3094-detect.sh at main · cyclone-github/scripts

Scripts by cyclone to automate tasks. Contribute to cyclone-github/scripts development by creating an account on GitHub.

github.com

 

[sfx2000]

Canonical has pushed the most beta release for 24.04 out a week to basically rebuild the entire release...

24.04 is an LTS release, and it's still scheduled for production release on April 25, 2024 - but if we have to go thru another beta run this late into the release cycle, it could push things out.

Ubuntu is also upstream for a lot of other releases as well...

Something like this is a release manager's nightmare and can be a headache for folks that do the CI/CD pipelines for things using Docker and VM's (since ubuntu server images need QA time before release into production)

 

[jerry6]

Canonical has pushed the most beta release for 24.04 out a week to basically rebuild the entire release...

24.04 is an LTS release, and it's still scheduled for production release on April 25, 2024 - but if we have to go thru another beta run this late into the release cycle, it could push things out.

Ubuntu is also upstream for a lot of other releases as well...

Something like this is a release manager's nightmare and can be a headache for folks that do the CI/CD pipelines for things using Docker and VM's (since ubuntu server images need QA time before release into production)

THANKS FOR THE DAILY DOSE OF GOOD NEWS

 

[sfx2000]

THANKS FOR THE DAILY DOSE OF GOOD NEWS

Wish I had better news...

As this whole thing unravels, there's a lot of packages that static link over to the xz-utils package across many distributions...

Good news - not everyone linked to the impacted versions, and what I'm seeing now in embedded land, is a migration away from xz-utils in general for alternatives...

 

[sfx2000]

Interesting followup...

Challenge for the maintainers is to regain trust...

The Tukaani Project

tukaani.org

 

[sfx2000]

As folks roll into this - this style of supply chain attacks is going to be a problem moving forward...

xz-style Attacks Continue to Target Open-Source Maintainers | LinuxSecurity.com

What Targeted Threats Have Been Identified Targeting Open-Source Maintainers? The emails were sent f

linuxsecurity.com

One of the issues with xz-utils is that the backdoor wasn't in the repo itself - it was in the tarball download, so if one unpacked the tarball, you could be backdoored - it was very clever how that was done.

Supply chain has always been a concern - whether it's Python PIP, PHP-Pear, Perl, etc - and then the binary things like entware where it's precompiled - much less APT/YUM etc...

I'm sure that there is a lot of navelgazing going on right now - source code is one thing - the "thousand eyes" approach I presume....

But in the words of Saul Goodman (better call saul - great series) - someone having bad intent - they don't need to get everyone to agree on a commit, just one...

and that is the problem... once the code is there, everyone assumes it's good to go...

Dropbear, Busybox, and dnsmasq - those are the golden keys... let's hope that the maintainers do the right thing.

 

[coxhaus]

I am counting on Pfsense to keep me safe. They have a lot of resources right now. Hopefully their testing will find issues if they exist. It has a large user base. If there is a problem in the code testing will present the issues.

 

[sfx2000]

I am counting on Pfsense to keep me safe. They have a lot of resources right now. Hopefully their testing will find issues if they exist. It has a large user base. If there is a problem in the code testing will present the issues.

Hopefully they've sorted the CE vs PfSense Plus BS...

 

[coxhaus]

Yes, there is not a perfect solution out there. But overall, it is the best bet right now. It may change in the future.