Severity | CVE Code      | Affected Component | Sources
---------|---------------|--------------------|--------
High     | CVE-2024-3094 | xz versions 5.6.0-1 and 5.6.1; all Linux distributions that patched OpenSSH to support systemd notification (this includes Debian, Ubuntu, etc.) | Archwiki news, CISA, Red Hat

In Short

This backdoor, discovered in versions 5.6.0 and 5.6.1 of XZ Utils, allowed malicious code to be executed with root privileges when performing operations involving SSH, granting unauthorized access to the system. The attack was orchestrated over years, involving a threat actor named Jia Tan who gained credibility within the XZ project, eventually introducing the backdoor.

Understand the genius behind the backdoor

For those who missed it: in the liblzma library of the xz package (the one that compresses files into something with the .xz extension), a backdoor was discovered that allows an attacker to easily connect to your SSH server.

Moreover, the backdoor is only in the .tar archives attached to releases 5.6.0-1, and it was found not by a security researcher but by an ordinary programmer who became curious about "why CPU consumption increases x10 when connecting via SSH".

Now to the analysis of the supply-chain compromise of the server

  1. During configure, the build-to-host.m4 script is executed; it modifies the Makefile for the build if an sshd process from /usr/bin is running on the host.

  2. It does this through "test" files: the archives bad-3-corrupt_lzma2.xz and good-large-compressed.lzma (not used as tests anywhere else).

  3. The tests lead to the execution of code compressed into bad-3-corrupt_lzma2.xz, which unpacks the good-large-compressed.lzma archive.

  4. The code inside good-large-compressed.lzma is executed, causing liblzma_la-crc64-fast.o (the backdoor itself) to be injected into the Makefile for liblzma.

  5. After the build and successful installation, the backdoor intercepts execution by substituting the ifunc resolvers for crc32_resolve() and crc64_resolve(), changing the code to call _get_cpuid().

ifunc is a glibc mechanism that allows a function to be implemented in different ways, with the implementation chosen at run time while the program is being loaded.

  6. Afterwards, the backdoor monitors the dynamic linking of libraries into the process through an audit hook it installs immediately, waiting for the RSA_public_decrypt@got.plt entry to be resolved.
  7. Once it sees RSA_public_decrypt@got.plt being resolved, the backdoor replaces that address with the address of code it controls. Done! Now, when a client connects via SSH, the process executes attacker-controlled code in the context before key authentication.
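Since the backdoor only becomes reachable when a backdoored liblzma is loaded into sshd, a defender wants to check both conditions on each host. The following POSIX sh helper is an added example, not code from the write-up or from the xz project; it assumes that `xz --version` prints a "liblzma X.Y.Z" line and that `ldd` is available, and the sample output it embeds is constructed.

```shell
#!/bin/sh
# Added example (not from the write-up or xz): check a host for CVE-2024-3094.
# Constructed sample of `xz --version` output from a backdoored build.
SAMPLE_BACKDOORED_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Exit 0 when the version is a backdoored release; a distro suffix such as
# "5.6.1-1" is dropped so only major.minor.patch is compared.
is_backdoored_xz_version() {
    v=$(printf '%s' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the liblzma version from `xz --version` output: the library, not the
# xz binary, is what sshd loads, so its version is the one that matters.
liblzma_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 when the local sshd binary links liblzma (typically via libsystemd).
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

# Verdict from both facts. $1: `xz --version` output; $2: "yes" if sshd links liblzma.
assess() {
    ver=$(liblzma_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse liblzma version"
    elif ! is_backdoored_xz_version "$ver"; then
        echo "NOT_AFFECTED: liblzma $ver"
    elif [ "$2" = yes ]; then
        echo "VULNERABLE: liblzma $ver and sshd links liblzma"
    else
        echo "BACKDOORED_LIB: liblzma $ver present but sshd does not link it"
    fi
}

# Live check of this host; prints UNKNOWN when xz is not installed.
check_live_host() {
    out=$(xz --version 2>/dev/null) || out=""
    if sshd_links_liblzma; then linked=yes; else linked=no; fi
    assess "$out" "$linked"
}

check_live_host
```

A BACKDOORED_LIB verdict still calls for downgrading liblzma, since the library is compromised regardless of whether sshd currently links it.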