CVE-2024-3094 Vulnerability Analysis
Vulnerability Description
xz is a compression repository used to compress and decompress files. Andres Freund, a Microsoft security researcher, discovered this vulnerability when investigating program performance deterioration. The xz vulnerability contains malicious backdoors in XZ Utils 5.6.0 and 5.6.1. Attackers may exploit this vulnerability to bypass SSH authentication on affected systems to obtain unauthorized access and execute any code.
Response by openEuler
- On March 28, 2024, openEuler preliminarily detected security risks in xz 5.6.0/5.6.1. Immediately initiated a full software version check on openEuler 2203-LTS and 2003-LTS release branches, and 2403-LTS in the test. Then, it was confirmed that the defective xz 5.6.0/5.6.1 version was not introduced to the openEuler repository.
- On March 29, 2024, openwall disclosed the attack code and means of xz CVE-2024-3094. The openEuler security team followed up in real time, organized related technical personnel to analyze whether the source code of openEuler xz contained malicious code, and confirmed that the CVE-2024-3094 vulnerability does not exist in openEuler xz.
Vulnerability Background
Jia Tan is the attacker of the xz backdoor vulnerability. To implement backdoor injection of the xz software, the xz code and social engineering design of Jia T75 is considered, which proves that there is an old saying: "Rather than being stolen, it's much more horrible that you are targeted by the thief." The key node information of the xz event in this document is quoted from https://research.swtch.com/xz-timeline.
Jia Tan Becomes Maintainer of the xz Community
On October 26, 2021, Jia Tan contributed his first code to the xz open source community. In 2021, Jia Tan submitted code for 546 times. Since then, he has been an active participant in the community, demonstrating unwavering dedication. From April to June 2022, Lasse Collin, the initial maintainer of xz, exited the network for a period due to long-term mental health problems and other reasons. From April to June 2022, Lasse Collin received pressure emails from Jigar Kumar, Dennis Ens, and other users, questioning whether Lasse Collin will not maintain xz anymore and why is the contributed code of Jia Tan not incorporated in time, and providing a psychological hint that Lasse Collin give Jia Tan maintainer submission permission. Part of the content is as follows:
Jugar Kumar: "With your current rate, I very doubt to see 5.4.0 release this year. The only progress since April has been small changes to test code. You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo. Why wait until 5.4.0 to change maintainer? Why delay what your repo needs? "
Dennis Ens: "I am sorry about your mental health issues, but its important to be aware of your own limits. I get that this is a hobby project for all contributors, but the community desires more. Why not pass on maintainership for XZ for C so you can give XZ for Java more attention? Or pass on XZ for Java to someone else to focus on XZ for C? Trying to maintain both means that neither are maintained well."
On June 29, 2022, Lasse Collin replied, "As I have hinted in earlier emails, Jia Tan may have a bigger role in the project in the future. He has been helping a lot off-list and is practically a co-maintainer already. 😃 I know that not much has happened in the git repository yet but things happen in small steps. In any case some change in maintainership is already in progress at least for XZ Utils."
Based on the contribution of Jia Tan to the xz community, the email pressure of community users Jigar Kumar and Dennis Ens, and the health of Lasse Collin, finally, Lasse Collin granted Jia Tan maintainer access to the xz community. Afterwards, Evan Boehs observed that neither Jigar Kumar nor Dennis Ens had appeared elsewhere on the Internet. After Jia Tan became the community maintainer, Jigar Kumar and Dennis Ens have not used email to communicate any other issues in the xz community, and it seems likely that they are forged identities created to urge Lasse to give Jia Tan more control. This strategy works.
Jia Tan Starts Attack
2024-02-23: Jia Tan merged hidden backdoor binary code well hidden inside some binary test input files. The README already said (from long before Jia Tan showed up) "This directory contains a bunch of files to test handling of .xz, .lzma, and .lz files in decoder implementations. Many of the files have been created by hand with a hex editor, thus there is no better "source code" than the files themselves." It is very common for libraries of this compression software to have such compressed binary test files. Jia Tan took advantage of this to add some documents that would not be carefully reviewed. 2024-02-24: Jia Tan tagged and built v5.6.0, and released the xz-5.6.0.tar.gz distribution containing additional malicious build-to-host.m4. The m4 file added a backdoor when building a deb/rpm package. This m4 file does not exist in the source code repository, but many other legal files are added during packaging, so it itself does not cause suspicion. But the script has been modified from the usual copy to add the backdoor. 2024-03-09: Jia Tan tagged and built v5.6.1 and released the xz 5.6.1 distribution that contains a new backdoor. 2024-03-25: Many users have suggested in the Debian community that xz-utils be updated to 5.6.1. Just as in the email stress campaign before Jia Tan became the maintainer of the xz community in 2022, more email addresses that did not exist on the Internet appeared to advocate updating xz 5.6.1. 2024-03-28: Jia Tan filed a bug in Ubuntu, requiring xz-utils to be updated to 5.6.1 in Debian.
Attack Detected
2024-03-28: Andres Freund, a Microsoft security researcher, discovered the vulnerability when investigating program performance deterioration and privately notified Debian and distros@openwall. Red Hat then assigned CVE-2024-3094. 2024-03-29: CVE-2024-3094 is disclosed publicly. The CSSV score is 10, full-score. It is the first serious supply chain attack targeting widely used open source software. It marks a watershed moment for open source supply chain security. In the future, the identity authentication of open source community contributors and the review of binary test files may become stricter. Open source communities and operating system publishers will also be promoted by this incident to further improve the operation rules on software security.
Vulnerability Code Triggering Analysis
The xz source code tar package of version 5.6.0/5.6.1 released by the upstream communities contains the build-to-host.m4 malicious build file. The build file invokes the script to decompress the malicious test data tests/files/bad-3-corrupt_lzma2.xz and tests/files/good-large_compressed.lzma to modify the build process to build the dynamic library liblzma.so with a backdoor. The low level of SSH depends on the liblzma library. Attackers may exploit this vulnerability to bypass SSH authentication on affected systems to obtain unauthorized access and execute any code. For more technical details about the code, see The xz attack shell script.
Impact Analysis
If the xz software involving the CVE-2024-3094 defect is installed on the host, a remote attacker can inject any code through SSH to execute the code remotely and completely control the entire host.
Workarounds
None
Solution
Uninstall or discard the defective xz 5.6.0/5.6.1 version, and use the stable xz 5.2.5 version released by the openEuler community or other stable versions.
References
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://tukaani.org/xz-backdoor/