{"id":22549,"date":"2024-03-31T15:40:31","date_gmt":"2024-03-31T19:40:31","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/cve-2024-3094-vulnerability-backdoor\/22549\/"},"modified":"2024-04-02T17:43:40","modified_gmt":"2024-04-02T13:43:40","slug":"cve-2024-3094-vulnerability-backdoor","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/cve-2024-3094-vulnerability-backdoor\/22549\/","title":{"rendered":"Malicious code discovered in Linux distributions"},"content":{"rendered":"<p>Unknown actors have implanted malicious code into versions 5.6.0 and 5.6.1 of the open-source compression tool set XZ Utils. To make matters worse, the trojanized utilities have managed to find their way into several popular builds of Linux released this March, so this incident could be regarded as a supply-chain attack. This vulnerability has been assigned <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-3094\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2024-3094<\/a>.<\/p>\n<h2>What makes this malicious implant so dangerous?<\/h2>\n<p>Initially, various researchers claimed that this backdoor allowed attackers to bypass <a href=\"https:\/\/www.ssh.com\/academy\/ssh\/sshd\" target=\"_blank\" rel=\"nofollow noopener\">sshd<\/a> (the OpenSSH server process) authentication and remotely gain unauthorized access to the operating system. However, judging by the <a href=\"https:\/\/bsky.app\/profile\/filippo.abyssdomain.expert\/post\/3kowjkx2njy2b\" target=\"_blank\" rel=\"nofollow noopener\">latest information<\/a>, this vulnerability shouldn\u2019t be classified as an \u201cauthentication bypass\u201d, but as \u201cremote code execution\u201d (<a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/remote-code-execution-rce\/\" target=\"_blank\" rel=\"noopener\">RCE<\/a>). 
The backdoor intercepts the <a href=\"https:\/\/www.openssl.org\/docs\/manmaster\/man3\/RSA_public_decrypt.html\" target=\"_blank\" rel=\"nofollow noopener\">RSA_public_decrypt<\/a> function, verifies the host\u2019s signature using a fixed Ed448 key and, if verification succeeds, executes malicious code passed by the host via the <em>system()<\/em> function, leaving no traces in the sshd logs.<\/p>\n<h2>Which Linux distributions contain malicious utilities, and which are safe?<\/h2>\n<p>It\u2019s known that XZ Utils versions 5.6.0 and 5.6.1 were included in the March builds of the following Linux distributions:<\/p>\n<ul>\n<li>Kali Linux, but, according to <a href=\"https:\/\/www.kali.org\/blog\/about-the-xz-backdoor\/\" target=\"_blank\" rel=\"nofollow noopener\">the official blog<\/a>, only those that were available between March 26 and March 29 (the blog also contains instructions for checking for vulnerable versions of the utilities);<\/li>\n<li>openSUSE Tumbleweed and openSUSE MicroOS, <a href=\"https:\/\/news.opensuse.org\/2024\/03\/29\/xz-backdoor\/\" target=\"_blank\" rel=\"nofollow noopener\">available from March 7 to March 28<\/a>;<\/li>\n<li>Fedora 41, Fedora Rawhide, and Fedora Linux 40 beta;<\/li>\n<li>Debian (<a href=\"https:\/\/lists.debian.org\/debian-security-announce\/2024\/msg00057.html\" target=\"_blank\" rel=\"nofollow noopener\">testing, unstable and experimental distributions<\/a> only);<\/li>\n<li>Arch Linux \u2013 container images available from February 29 to March 29. 
However, the website <a href=\"https:\/\/archlinux.org\/news\/the-xz-package-has-been-backdoored\/\" target=\"_blank\" rel=\"nofollow noopener\">archlinux.org<\/a> states that, due to its implementation peculiarities, this attack vector won\u2019t work in Arch Linux, but they still strongly recommend updating the system.<\/li>\n<\/ul>\n<p>According to official information, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise, openSUSE Leap, and Debian Stable are not vulnerable. As for other distributions, it\u2019s advised to check them for the presence of Trojanized versions of XZ Utils manually.<\/p>\n<h2>How did the malicious code get to be implanted into the XZ Utils?<\/h2>\n<p>Apparently, it was a <a href=\"https:\/\/orca.security\/resources\/blog\/critical-xz-utils-supply-chain-compromise-affects-multiple-linux-distributions-cve-2024-3094\/\" target=\"_blank\" rel=\"nofollow noopener\">typical case<\/a> of control transfer. The person who initially maintained the XZ Libs project on GitHub passed control of the repository to an account that\u2019s been contributing to a number of repositories related to data compression for several years. And at some point, someone behind that other account implanted a backdoor in the project code.<\/p>\n<h2>The near-miss epidemic that never happened<\/h2>\n<p>According to Igor Kuznetsov, head of our Global Research and Analysis Team (GReAT), exploitation of CVE-2024-3094 could potentially have become the largest scale attack on the Linux ecosystem in its entire history. This is because it was primarily aimed at SSH servers \u2013 the main remote-management tool of all Linux servers on the internet. If it had ended up in stable distributions, we\u2019d probably have seen vast numbers of server hacks. However, fortunately, CVE-2024-3094 was noticed in the test and rolling distributions \u2013 where the latest software packages are used. That is, most Linux users remained safe. 
So far we\u2019ve not detected any cases of CVE-2024-3094 actually being exploited.<\/p>\n<h2>How to stay safe?<\/h2>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/03\/29\/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094\" target=\"_blank\" rel=\"nofollow noopener\">recommends<\/a> that anyone who installed or updated affected operating systems in March downgrade XZ Utils to an earlier version (for example, version 5.4.6) immediately, and start searching for malicious activity.<\/p>\n<p>If you\u2019ve installed a distribution with a vulnerable version of XZ Utils, it also makes sense to change all credentials that could potentially have been stolen from the system by the threat actors.<\/p>\n<p>You can detect the presence of the vulnerability using the <a href=\"https:\/\/github.com\/Neo23x0\/signature-base\/blob\/master\/yara\/bkdr_xz_util_cve_2024_3094.yar\" target=\"_blank\" rel=\"nofollow noopener\">Yara rule for CVE-2024-3094<\/a>.<\/p>\n<p>If you suspect that a threat actor may have gained access to your company\u2019s infrastructure, we recommend using the <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/compromise-assessment?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Compromise Assessment<\/a> service to uncover any past or ongoing attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A backdoor implanted into XZ Utils has found its way into popular Linux 
distributions.<\/p>\n","protected":false},"author":2698,"featured_media":22550,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[1520,533,1723,268],"class_list":{"0":"post-22549","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-backdoors","11":"tag-linux","12":"tag-supply-chain-attack","13":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cve-2024-3094-vulnerability-backdoor\/22549\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cve-2024-3094-vulnerability-backdoor\/27244\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cve-2024-3094-vulnerability-backdoor\/29918\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cve-2024-3094-vulnerability-backdoor\/27416\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cve-2024-3094-vulnerability-backdoor\/27136\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cve-2024-3094-vulnerability-backdoor\/29815\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/cve-2024-3094-vulnerability-backdoor\/28632\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cve-2024-3094-vulnerability-backdoor\/37222\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cve-2024-3094-vulnerability-backdoor\/50873\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/cve-2024-3094-vulnerability-backdoor\/21666\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/cve-2024-3094-vulnerability-backdoor\/22371\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/cve-2024-3094-vulnerability-backdoor\/31049\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cve-2024-3094-vulnerability-backdoor\/27597\/"
},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cve-2024-3094-vulnerability-backdoor\/33423\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cve-2024-3094-vulnerability-backdoor\/33050\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/linux\/","name":"Linux"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22549","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2698"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=22549"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22549\/revisions"}],"predecessor-version":[{"id":22566,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22549\/revisions\/22566"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/22550"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=22549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=22549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=22549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}