Cybereason reveals a sophisticated backdoor in XZ Utils versions 5.6.0 and 5.6.1 on Linux, tied to a supply chain attack that could allow pre-auth SSH remote code execution. The backdoor manipulates dynamic linking and the SSH authentication flow to execute commands as root, with remediation guidance and a large IOC list provided. #XZUtils #CVE-2024-3094 #sshd #liblzma #JiaT75 #AndresFreund #OSS-Fuzz
Keypoints
- The backdoor is in XZ Utils 5.6.0 and 5.6.1 for Linux, tracked as CVE-2024-3094 with a CVSS score of 10.
- It represents a supply chain attack that introduced a backdoor into the open source XZ Utils project over about two years, with a contributor named JiaT75 and disclosure by Andres Freund.
- The attack targets SSH/sshd by allowing pre-auth remote code execution through manipulation of cryptographic flows and library linking (liblzma).
- Attack techniques include modifying the Global Offset Table (GOT) and using GNU indirect functions (ifuncs) to hijack execution flow, enabling the attacker to substitute OpenSSL RSA_public_decrypt with a malicious version.
- The payload is carried in the CA signing key value of an SSH certificate presented during authentication; once decrypted, its command is executed as root via system(). Only certificates signed by the attacker trigger this path, which is how certificate-based authentication is abused.
- Mitigations include downgrading XZ Utils to 5.4.6 and monitoring with EDR, plus using Cybereason’s IOC list and hunting queries for detection.
- Cybereason provides a long IOC hash list (over 60 SHA256 hashes), module names (liblzma.so.5.6.0/5.6.1), and example files like liblzma_la-crc64-fast.o and tests/files/bad-3-corrupt_lzma2.xz for detection and hunting.
MITRE Techniques
- [T1195] Supply Chain Compromise – A contributor introduced the backdoor into the XZ Utils project gradually over roughly two years. “This vulnerability was introduced by a sophisticated supply chain attack which occurred over the course of approximately two years.”
- [T1574] Hijack Execution Flow – The backdoor abuses GNU indirect functions (ifuncs), which let a program select between function implementations at load time, to redirect execution; it also modifies the Global Offset Table (GOT) via audit hooks and replaces OpenSSL’s RSA_public_decrypt with a backdoored version. “The payload uses the GNU indirect functions (ifuncs) like a switchboard operator for a program.” “An audit hook is a tool that can change a program’s map GOT… to memory addresses.” “that replaces RSA_public_decrypt with the backdoored version.”
- [T1059] Command and Scripting Interpreter – The decrypted payload’s command is passed to system() and executed as root. “The command from the payload is then passed to system() and is executed as root.”
Indicators of Compromise
- [Hash] – Over 60 SHA256 hash signatures associated with this vulnerability. Example hashes: 9857b950b51a990daa51115049de85bda38c4138a74437e25b25528a010037ad, 5c204962348dccd72ab597656284f0e4a9f30bad9b3382f08a90867b5a55e8ec, and 2 more hashes
- [File] – Affected XZ Utils components and test artifacts: liblzma_la-crc64-fast.o, tests/files/bad-3-corrupt_lzma2.xz
- [Module] – Victim modules/versions: liblzma.so.5.6.0, liblzma.so.5.6.1
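The following host check is an added example, not code from the Cybereason post: it ties the mitigation keypoint (affected releases 5.6.0 and 5.6.1, downgrade target 5.4.6) to the module names and the two SHA256 hashes listed above. It assumes `xz --version` prints a first line of the form "xz (XZ Utils) 5.6.1", that `sha256sum` is available, and that liblzma lives under the usual library directories; the script name `xz_check.sh` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Cybereason post): quick host check for the
# backdoored XZ Utils releases named on this page (CVE-2024-3094).

AFFECTED_VERSIONS="5.6.0 5.6.1"

# The two IOC hashes quoted on the page; Cybereason's full list is much longer.
IOC_HASHES="9857b950b51a990daa51115049de85bda38c4138a74437e25b25528a010037ad
5c204962348dccd72ab597656284f0e4a9f30bad9b3382f08a90867b5a55e8ec"

# Extract the version number from an `xz --version` banner line (assumed format).
parse_xz_version() {
  printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 when the version is one of the backdoored releases.
is_affected_version() {
  for v in $AFFECTED_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Return 0 when a shared object's basename is a backdoored liblzma SONAME.
is_affected_liblzma() {
  case "${1##*/}" in
    liblzma.so.5.6.0|liblzma.so.5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when the file's SHA256 appears in the IOC list.
matches_ioc_hash() {
  h=$(sha256sum "$1" | cut -d' ' -f1)
  for ioc in $IOC_HASHES; do
    [ "$h" = "$ioc" ] && return 0
  done
  return 1
}

# Check the installed xz binary and any liblzma in common library directories.
check_host() {
  status=0
  if command -v xz >/dev/null 2>&1; then
    ver=$(parse_xz_version "$(xz --version 2>/dev/null | head -n 1)")
    if is_affected_version "$ver"; then
      echo "AFFECTED: xz $ver installed (CVE-2024-3094); downgrade to 5.4.6"
      status=1
    else
      echo "ok: xz version ${ver:-unknown}"
    fi
  fi
  for lib in /usr/lib/*/liblzma.so.* /usr/lib64/liblzma.so.* /lib/*/liblzma.so.*; do
    [ -e "$lib" ] || continue
    if is_affected_liblzma "$lib" || matches_ioc_hash "$lib"; then
      echo "AFFECTED: $lib"
      status=1
    fi
  done
  return $status
}

# Run the host check only when executed directly as xz_check.sh (placeholder name).
if [ "${0##*/}" = "xz_check.sh" ]; then
  check_host
fi
```

Run it as `sh xz_check.sh`; a non-zero exit means either the xz version or a liblzma object matched. The version and SONAME checks are the fast path; the hash comparison catches a renamed or repackaged library only when its hash is on the IOC list, so extend `IOC_HASHES` with the full list from the post.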
Read more: https://www.cybereason.com/blog/threat-alert-the-xz-backdoor