Severity | CVE Code | Affected Component | Sources
---|---|---|---
High | CVE-2024-3094 | xz versions 5.6.0-1 and 5.6.1 on all Linux distributions that patched OpenSSH to support systemd notification (this includes Debian, Ubuntu, etc.) | Archwiki news, CISA, Red Hat
In Short

This backdoor, discovered in versions 5.6.0 and 5.6.1 of XZ Utils, allowed malicious code to be executed with root privileges when performing operations involving SSH, granting unauthorized access to the system. The attack was orchestrated over years, involving a threat actor named Jia Tan who gained credibility within the XZ project, eventually introducing the backdoor.
Understand the genius behind the backdoor

For anyone who missed it: in the liblzma library, part of the xz package, which lets you compress files into something with the .xz extension, a backdoor was discovered that allows an attacker to easily connect to your SSH server.

Moreover, the backdoor is only in the .tar archives attached to releases 5.6.0-1, and it was found not by a security researcher but by an ordinary programmer who became interested in "why CPU consumption increases x10 when connecting via SSH".
Now to the analysis of the supply chain in the server compromise

- In the configuration file the `build-to-host.m4` script is executed, modifying the Makefile for the build if an sshd process is running on the host in /usr/bin. It does this through "testing" with the archives `bad-3-corrupt_lzma2.xz` and `good-large-compressed.lzma` (not used for tests anywhere else).
- The tests lead to the execution of code compressed into `bad-3-corrupt_lzma2.xz`, which unpacks the `good-large-compressed.lzma` archive.
- The code inside `good-large-compressed.lzma` is executed, causing `liblzma_la-crc64-fast.o` (the backdoor itself) to be injected into the Makefile for `liblzma`.
- After the build and successful installation, the backdoor intercepts execution by substituting the ifunc resolvers for `crc32_resolve()` and `crc64_resolve()`, changing the code to call `_get_cpuid()`. ifunc is a glibc mechanism that allows a function to be implemented in several different ways, with the implementation chosen while the program is running.
- Afterwards, the backdoor monitors the dynamic linking of libraries into the process through an audit hook installed immediately, waiting for `RSA_public_decrypt@got.plt` to be linked.
- Having seen `RSA_public_decrypt@got.plt` linked, the backdoor replaces the library address with the address of the controlled code. Ready! Now, when connecting via SSH, in the context before key authentication, the process will execute code controlled by the attacker.