![](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/03\/31152754\/CVE-2024-3094-vulnerability-backdoor-featured.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Editorial Team| Date: Sun, 31 Mar 2024 19:40:31 +0000<\/strong><\/p>\n Unknown actors have implanted malicious code into versions 5.6.0 and 5.6.1 of the open source compression tools set XZ Utils. To make matters worse, trojanized utilities have managed to find their way into several popular builds of Linux released this March, so this incident could be regarded as a supply-chain attack. This vulnerability has been assigned CVE-2024-3094<\/a>.<\/p>\n Initially, various researchers claimed that this backdoor allowed attackers to bypass sshd<\/a> (the OpenSSH server process) authentication, and remotely gain unauthorized access to the operating system. However, judging by the latest information<\/a>, this vulnerability shouldn’t be classified as an “authentication bypass”, but as “remote code execution” (RCE<\/a>). The backdoor intercepts the RSA_public_decrypt<\/a> function, verifies the host’s signature using the fixed key Ed448 and, if verified successfully, executes malicious code passed by the host via the system()<\/em> function, leaving no traces in the sshd logs.<\/p>\n It’s known that XZ Utils versions 5.6.0 and 5.6.1 were included in the March builds of the following Linux distributions:<\/p>\n According to official information, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise, openSUSE Leap, and Debian Stable are not vulnerable. As for other distributions, it’s advised to check them for the presence of Trojanized versions of XZ Utils manually.<\/p>\n Apparently, it was a typical case<\/a> of control transfer. The person who initially maintained the XZ Libs project on GitHub passed control of the repository to an account that’s been contributing to a number of repositories related to data compression for several years. And at some point, someone behind that other account implanted a backdoor in the project code.<\/p>\n According to Igor Kuznetsov, head of our Global Research and Analysis Team (GReAT), exploitation of CVE-2024-3094 could potentially have become the largest scale attack on the Linux ecosystem in its entire history. This is because it was primarily aimed at SSH servers \u2013 the main remote-management tool of all Linux servers on the internet. If it had ended up in stable distributions, we’d probably have seen vast numbers of server hacks. However, fortunately, CVE-2024-3094 was noticed in the test and rolling distributions \u2013 where the latest software packages are used. That is, most Linux users remained safe. So far we’ve not detected any cases of CVE-2024-3094 actually being exploited.<\/p>\n The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends<\/a> anyone who installed or updated affected operating systems in March to downgrade XZ Utils to an earlier version (for example, version 5.4.6) immediately. And also to start searching for malicious activity.<\/p>\n If you’ve installed a distribution with a vulnerable version of XZ Utils, it also makes sense to change all credentials that could potentially be stolen from the system by the threat actors.<\/p>\n You can detect the presence of a vulnerability using the Yara rule for CVE-2024-3094<\/a>.<\/p>\n If you suspect that a threat actor may have gained access to your company’s infrastructure, we recommend using the Kaspersky Compromise Assessment<\/a> service to uncover any past or ongoing attacks.<\/p>\nWhat makes this malicious implant so dangerous?<\/h2>\n
Which Linux distributions contain malicious utilities, and which are safe?<\/h2>\n
\n
How did the malicious code get to be implanted into the XZ Utils?<\/h2>\n
The near-miss epidemic that never happened<\/h2>\n
How to stay safe?<\/h2>\n