CVE-2024-3094 - XZ Utils Backdoor - additional info


sfx2000

Part of the Furniture
This had some traction over in AsusWRT-Addon's thread... I would post there, but the thread was closed.


A couple of good write ups and analysis for this CVE are below


and..


The boehs.org post has a lot of good back story, esp on how someone was able to gain trust thru a number of means, well before inserting the backdoor.

The second post is far more technical, but also shows the dependencies - e.g. it has to be a systemd-enabled build, with glibc, and x86-64, along with OpenSSH (sshd)

Where my interest was - OpenWRT: it looks like formal releases were not impacted, but SNAPSHOT builds off MASTER did include the impacted version of xz-utils; this was rolled back on Friday for MASTER...

Code:
commit d4b6b76443207103d3a7c0eae5c0085317fb584f
Author: Petr Štetiar <ynezz@true.cz>
Date:   Fri Mar 29 16:59:01 2024 +0000

    Revert "tools/xz: update to 5.6.1" (CVE-2024-3094)

    This reverts commit 714c91d1a63f29650abaa9cf69ffa47cf2c70297 as probably
    the upstream xz repository and the xz tarballs have been backdoored.

    References: https://www.openwall.com/lists/oss-security/2024/03/29/4.
    Signed-off-by: Petr Štetiar <ynezz@true.cz>

AsusWRT isn't impacted, and I believe that Entware is safe as well - here's OpenWRT's official response to the CVE
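A quick triage check for the conditions listed above (affected xz release, and whether sshd is linked against liblzma). This is an added example, not a script from the thread or from OpenWRT; it assumes the first line of `xz --version` has the usual form `xz (XZ Utils) 5.6.1`, and it treats 5.6.0 and 5.6.1 as the affected releases.

```shell
#!/bin/sh
# Added example for CVE-2024-3094 triage (not from the forum thread).
# Affected upstream releases: xz/liblzma 5.6.0 and 5.6.1.

# Return 0 (true) if the given xz/liblzma version string is a backdoored release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the line
# does not end in a version number (assumed output format).
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# Classify one `xz --version` first line as affected / ok / unknown.
classify_xz_output() {
    ver=$(parse_xz_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif xz_version_affected "$ver"; then
        echo "affected"
    else
        echo "ok"
    fi
}

# Live check of this host; every probe is guarded so it degrades quietly
# on systems without xz, sshd or ldd (e.g. BusyBox/Dropbear routers).
host_check() {
    if command -v xz >/dev/null 2>&1; then
        line=$(xz --version 2>/dev/null | head -n 1)
        echo "xz: $line -> $(classify_xz_output "$line")"
    else
        echo "xz: not installed"
    fi
    # The backdoor only reaches sshd when sshd is linked to liblzma
    # (on systemd distros that happens indirectly via libsystemd).
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
            echo "sshd: links liblzma (check the xz result above)"
        else
            echo "sshd: does not link liblzma"
        fi
    fi
}

host_check
```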

What I haven't been able to figure out is if there is a patch available. Since the project was disabled (in GitHub), how can a patch be rolled out?
 
Isn't that all you need to know?

Seems like it's answered to me.
 
It's a roll-back to the last known good release.
 

[Arch Linux, Debian, Kali Linux, Opensuse, Fedora]

Script for Testing:
 
Canonical has pushed the most beta release for 24.04 out a week to basically rebuild the entire release...

24.04 is an LTS release, and it's still scheduled for production release on April 25, 2024 - but if we have to go thru another beta run this late into the release cycle, it could push things out.

Ubuntu is also upstream for a lot of other releases as well...

Something like this is a release manager's nightmare and can be a headache for folks that do the CI/CD pipelines for things using Docker and VMs (since Ubuntu server images need QA time before release into production)
 
THANKS FOR THE DAILY DOSE OF GOOD NEWS
 
Wish I had better news...

As this whole thing unravels, there are a lot of packages that statically link to the xz-utils package across many distributions...

Good news - not everyone linked to the impacted versions, and what I'm seeing now in embedded land, is a migration away from xz-utils in general for alternatives...
 
As folks roll into this - this style of supply chain attacks is going to be a problem moving forward...


One of the issues with xz-utils is that the backdoor wasn't in the repo itself - it was in the tarball download, so if one unpacked the tarball, you could be backdoored - it was very clever how that was done.

Supply chain has always been a concern - whether it's Python PIP, PHP-Pear, Perl, etc - and then the binary things like entware where it's precompiled - much less APT/YUM etc...

I'm sure that there is a lot of navel-gazing going on right now - source code is one thing - the "thousand eyes" approach I presume....

But in the words of Saul Goodman (Better Call Saul - great series) - someone having bad intent - they don't need to get everyone to agree on a commit, just one...

and that is the problem... once the code is there, everyone assumes it's good to go...

Dropbear, Busybox, and dnsmasq - those are the golden keys... let's hope that the maintainers do the right thing.
 
I am counting on pfSense to keep me safe. They have a lot of resources right now. Hopefully their testing will find issues if they exist. It has a large user base. If there is a problem in the code, testing will present the issues.
 
Hopefully they've sorted the CE vs pfSense Plus BS...
 
Yes, there is not a perfect solution out there. But overall, it is the best bet right now. It may change in the future.
 