CVE-2024-3094 and XZ Upstream Supply Chain Attack | CrowdStrike

Red Hat disclosed CVE-2024-3094 in XZ Utils, a supply chain compromise that injects a backdoor into the liblzma build process, selectively affecting x64 builds in bleeding-edge Linux distributions. CrowdStrike explains how it detects and mitigates this threat using IOAs and Falcon tools and provides guidance for defenders to discover and respond to the issue. #CVE-2024-3094 #XZUtils

Keypoints

  • Red Hat announced CVE-2024-3094, a high-severity supply chain vulnerability in XZ Utils (affecting versions 5.6.0 and 5.6.1) where malicious code was introduced by a trusted developer to weaken SSH authentication.
  • The attack uses obfuscation during the liblzma build process to extract a prebuilt object file from a disguised test file, then injects it to modify liblzma behavior and intercept data interactions.
  • The backdoor is selectively woven into target builds on x64 architectures and is part of a sophisticated supply chain attack.
  • Affected distributions include Debian (unstable/sid), Kali, OpenSUSE rolling releases, Arch Linux, and Fedora Rawhide/Beta; compromised XZ binaries have appeared in OS packages.

MITRE Techniques

  • [T1195] Supply Chain Compromise – “Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.”
  • [T1027] Obfuscated/Compressed Files and Information – “Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code.”
  • [T1059] Command and Scripting Interpreter – “During the build process, the bad-3-corrupt_lzma2.xz test file was read and de-obfuscated using ‘tr,’ a tool meant to manipulate strings in standard input and standard output.”

Indicators of Compromise

  • [Hash] File Hash – 319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae, 605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4 and 4 more hashes
  • [File Name] – bad-3-corrupt_lzma2.xz, good-large_compressed.lzma
  • [Version] – 5.6.0, 5.6.1
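The indicators above can be turned into a small host-triage script. The following is an added example, not CrowdStrike's tooling or code from the post: it parses the local `xz --version` output and compares it against the two affected releases, and it hashes candidate files against the two SHA-256 values reproduced on this page (the four further hashes the page mentions are not listed, so they are not included). The liblzma search paths in the `__main__` block are assumed common Linux locations, and a version match is a triage signal rather than proof, since distributions may ship patched builds under the same version string.

```python
"""Triage helper: flag hosts and files matching the CVE-2024-3094 indicators listed above."""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Indicators copied from the page. The page says four further hashes exist but
# does not list them, so only the two it reproduces are included here.
KNOWN_BAD_SHA256 = {
    "319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae",
    "605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4",
}
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}
SUSPECT_TEST_FILES = {"bad-3-corrupt_lzma2.xz", "good-large_compressed.lzma"}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first x.y.z in text as a tuple of ints, or None.

    Handles `xz --version` output ("xz (XZ Utils) 5.6.1 / liblzma 5.6.1")
    and distro package strings such as "5.6.1-1".
    """
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected_version(version):
    """True for the two upstream releases the page names as backdoored."""
    return version in AFFECTED_VERSIONS


def installed_xz_version():
    """Version tuple reported by the local xz binary, or None if xz is absent."""
    try:
        proc = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_version(proc.stdout)


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(paths, bad_hashes=KNOWN_BAD_SHA256):
    """Return (path, reason) findings for files whose name or hash matches an IoC."""
    findings = []
    for p in map(Path, paths):
        if not p.is_file():
            continue
        if p.name in SUSPECT_TEST_FILES:
            findings.append((str(p), "name matches a disguised test file from the xz tarball"))
        if sha256_of(p) in bad_hashes:
            findings.append((str(p), "sha256 matches a known-bad IoC"))
    return findings


def demo_scan():
    """Run the scanner on a constructed directory (no real artifacts involved):
    one file carrying a suspect name, one benign file, and one file whose hash
    is added to the IoC set only to exercise the hash-matching path."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bad-3-corrupt_lzma2.xz").write_bytes(b"constructed sample, not the real file")
        (root / "README").write_bytes(b"harmless")
        planted = root / "planted.bin"
        planted.write_bytes(b"constructed bytes whose hash is registered below")
        bad = KNOWN_BAD_SHA256 | {sha256_of(planted)}
        return sorted(reason for _, reason in scan_files(root.iterdir(), bad))


if __name__ == "__main__":
    v = installed_xz_version()
    verdict = "AFFECTED" if v and is_affected_version(v) else "not in affected set"
    print("xz version:", v, "->", verdict)
    # Assumed common liblzma locations; glob on a missing directory yields nothing.
    candidates = list(Path("/usr/lib/x86_64-linux-gnu").glob("liblzma.so*"))
    candidates += list(Path("/usr/lib64").glob("liblzma.so*"))
    for path, reason in scan_files(candidates):
        print(path, reason)
```

On a host the script reports the xz version verdict and any liblzma file whose hash matches the listed IoCs; extend `KNOWN_BAD_SHA256` with the remaining hashes from the full advisory before relying on the hash check.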

Read more: https://www.crowdstrike.com/blog/cve-2024-3094-xz-upstream-supply-chain-attack/