XZ - Embedded Malicious Code
ID: CVE-2024-3094
Severity: critical
Author: pdteam
Tags: cve,cve2024,local,code,xz,backdoor,tukaani
Description
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
YAML Source
```yaml
id: CVE-2024-3094

info:
  name: XZ - Embedded Malicious Code
  author: pdteam
  severity: critical
  description: |
    Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
  reference:
    - https://www.openwall.com/lists/oss-security/2024/03/29/4
    - https://access.redhat.com/security/cve/CVE-2024-3094
    - https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
    - https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
    - https://bugzilla.redhat.com/show_bug.cgi?id=2272210
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-3094
    cwe-id: CWE-506
    epss-score: 0.00079
    epss-percentile: 0.32887
    cpe: cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: tukaani
    product: xz
  tags: cve,cve2024,local,code,xz,backdoor,tukaani

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      # find path to liblzma used by sshd
      path="$(ldd $(which sshd) | grep liblzma | grep -o '/[^ ]*')"

      # does it even exist? (single '=' so the test also works under POSIX sh, not only bash)
      if [ "$path" = "" ]
      then
        echo probably not vulnerable
        exit
      fi

      # check for function signature
      if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
      then
        echo probably vulnerable
      else
        echo probably not vulnerable
      fi

    matchers:
      - type: word
        words:
          - "probably vulnerable"

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a004730450221009abe47857ffdb332e0e64304eac070593121f5ed53dddca447b831feceb14de10220054bdf467470183f86c9da127ed80e2e19154c35e6fd7f0e9da3cbb4d5e4b866:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This template is used to detect the vulnerability described above. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
```sh
$ nuclei -u "URL" -t "code/cves/2024/CVE-2024-3094.yaml"
```
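The same check the template's shell source performs, re-implemented in Python as an added example (not the Nuclei project's code): it parses `ldd` output for the liblzma path and searches the raw library bytes for the template's function signature, so it does not depend on `hexdump` output formatting. The `SAMPLE_LDD` line is a constructed sample used to exercise the parser offline.

```python
"""Added example (not the Nuclei project's code): the template's liblzma check
re-implemented in Python. It parses `ldd` output for the liblzma path and
searches the raw library bytes for the template's function signature."""
import re
import shutil
import subprocess
from pathlib import Path
from typing import Optional

# The 34-byte signature the template greps for, taken from its hexdump pattern.
SIGNATURE = bytes.fromhex(
    "f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"
)

# Constructed sample of one `ldd sshd` line, used to exercise the parser offline.
SAMPLE_LDD = "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0c1a2b3000)\n"


def liblzma_path_from_ldd(ldd_output: str) -> Optional[str]:
    """Return the resolved liblzma path from `ldd` text, or None when sshd does
    not link liblzma at all (the template's early 'probably not vulnerable')."""
    for line in ldd_output.splitlines():
        if "liblzma" in line:
            match = re.search(r"(/\S+)", line)  # same as grep -o '/[^ ]*'
            if match:
                return match.group(1)
    return None


def classify(blob: bytes) -> str:
    """Apply the template's verdict to raw library bytes. Searching bytes
    directly avoids hexdump formatting differences between platforms."""
    return "probably vulnerable" if SIGNATURE in blob else "probably not vulnerable"


def check_sshd() -> str:
    """Full check: locate sshd, resolve its liblzma, classify that file."""
    sshd = shutil.which("sshd")
    if sshd is None:
        return "sshd not found; nothing to check"
    ldd = subprocess.run(["ldd", sshd], capture_output=True, text=True, check=False)
    path = liblzma_path_from_ldd(ldd.stdout)
    if path is None:
        return "probably not vulnerable (sshd does not link liblzma)"
    return f"{path}: {classify(Path(path).read_bytes())}"


if __name__ == "__main__":
    print(check_sshd())
```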