
CVE-2024-3094 Utils and Vulnerabilities in Federal Linux Systems

Over the past week, a backdoor discovered in XZ Utils, the compression library bundled with most Linux distributions, has led to a new security alert and an immediate call to roll back recent updates. While this threat is a serious problem for federal IT systems running the affected Linux distributions, it also highlights how poorly governed open-source projects can fundamentally undermine federal security, and how state-sponsored actors can use such projects as a staging ground for more extensive Advanced Persistent Threats.


XZ Utils and CVE-2024-3094

The latest vulnerability in XZ Utils, identified as CVE-2024-3094, is a critical security issue: a backdoor planted in liblzma, the widely used XZ compression library that ships in most Linux distributions. It affects exactly two releases, XZ Utils 5.6.0 and 5.6.1.

The malicious code modifies functions within liblzma so that, when the library is loaded into the OpenSSH server (sshd), it can intercept the RSA public-key check performed during authentication. An attacker holding the matching private key can then have sshd run commands before any authentication succeeds, bypassing SSH authentication entirely. sshd does not link liblzma itself; on the affected distributions it is pulled in through a downstream patch that links sshd against libsystemd, which in turn depends on liblzma. Notably, the backdoor's build-time injection only activates when building DEB or RPM packages for the x86-64 architecture with GCC and the GNU linker, a level of targeting that indicates a well-resourced actor and, potentially, the work of an Advanced Persistent Threat (APT).

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging users to downgrade to an uncompromised version of XZ Utils (such as 5.4.6) and to hunt for malicious or suspicious activity on any system where an affected version was installed.
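The two questions CISA's guidance raises for each host are whether a backdoored release is installed and whether sshd actually maps liblzma into its process. The script below is an added example (not from the original post, CISA, or the xz project) that answers both; it assumes xz and ldd are on PATH and that sshd lives at /usr/sbin/sshd unless SSHD_BIN says otherwise (that default is an assumption, not a rule).

```shell
#!/bin/sh
# Added example: first-pass triage for CVE-2024-3094 on a Linux host.
# Assumptions: `xz` and `ldd` on PATH; sshd path defaults to /usr/sbin/sshd
# (hypothetical default, override with SSHD_BIN).

# Return 0 (true) if an XZ Utils version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version out of `xz --version` output, whose first line looks like
# "xz (XZ Utils) 5.6.1". Prints the version, or nothing if the line does not match.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the binary at $1 loads liblzma, directly or transitively.
# The backdoor only matters if liblzma is mapped into the sshd process, which on
# the affected distributions happens through sshd's libsystemd dependency.
loads_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Run both checks and print one verdict line each.
triage_host() {
    sshd_bin=${SSHD_BIN:-/usr/sbin/sshd}
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "xz: not found, or version output could not be parsed"
    elif xz_version_affected "$ver"; then
        echo "xz: $ver is a backdoored release (CVE-2024-3094); downgrade, e.g. to 5.4.6"
    else
        echo "xz: $ver is not one of the affected releases"
    fi
    if [ -x "$sshd_bin" ] && loads_liblzma "$sshd_bin"; then
        echo "sshd: $sshd_bin loads liblzma; treat the host as exposed if xz was affected"
    else
        echo "sshd: $sshd_bin does not load liblzma (or is not present)"
    fi
}

triage_host
```

A host that reports an affected version but whose sshd does not load liblzma was not remotely reachable through this backdoor, but it still ran attacker-controlled code in every process that used liblzma and should be rebuilt rather than merely downgraded.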

Affected Linux distributions include 

However, some distributions, such as Amazon Linux, Alpine Linux (apart from specific versions), Red Hat Enterprise Linux, and others, have stated that they are not affected by this vulnerability.


How Was XZ Utils Compromised?

CVE-2024-3094 was not an ordinary coding mistake. The backdoor was deliberately inserted by a contributor who had gained maintainer-level trust in the project, and it got through because the project's review process placed little independent scrutiny on what went into its releases. A detailed analysis revealed that the malicious code was embedded in the upstream release tarballs of XZ Utils, starting with version 5.6.0.

The injection point was a modified .m4 macro file (autoconf/automake build instructions) that shipped only in the release tarballs and did not exist in the repository's main branch. When configure ran, the macro extracted an obfuscated payload from binary files stored under tests/files/ as supposed test data and linked it into liblzma during compilation. Consequently, when other software such as sshd loaded the resulting liblzma, the altered functions executed, giving the attacker a route to unauthorized system access.
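Because the trigger lived only in the tarball, the check that exposes this class of tampering is a comparison of the release archive against the tagged source tree. The script below is an added example (not from the original post or the xz project): it lists every path in a tarball that has no counterpart in the git tag. Generated autotools output (configure, Makefile.in, aclocal.m4, files under m4/) legitimately appears in that list, so the output is a review list to diff against a fresh autoreconf run, not a verdict; in the XZ case the modified build-to-host.m4 was exactly such a tarball-only file. The live wrapper assumes tar and git on PATH; the two list helpers work on plain file lists.

```shell
#!/bin/sh
# Added example: find files that exist in a release tarball but not in the git tag.
# Byte-order collation keeps sort and comm consistent with each other.
export LC_ALL=C

# Normalise `tar -tf` output: drop the leading "pkg-x.y.z/" component, drop
# directory entries and blank lines, and produce a sorted, unique list.
normalize_tar_listing() {
    sed 's#^[^/]*/##' | grep -v '/$' | grep -v '^$' | sort -u
}

# Given two sorted, unique listings (tarball first, git tree second),
# print the paths that appear only in the first.
only_in_first() {
    comm -23 "$1" "$2"
}

# Live wrapper: tarball_only_files xz-5.6.1.tar.gz /path/to/xz.git v5.6.1
tarball_only_files() {
    tarball=$1
    repo=$2
    tag=$3
    tmp=$(mktemp -d) || return 1
    tar -tf "$tarball" | normalize_tar_listing > "$tmp/tar.lst"
    git -C "$repo" ls-tree -r --name-only "$tag" | sort -u > "$tmp/git.lst"
    only_in_first "$tmp/tar.lst" "$tmp/git.lst"
    rm -rf "$tmp"
}
```

Anything in the output that is not reproducible by running autoreconf on the tagged tree, or that differs from the upstream copy it claims to be (gnulib's build-to-host.m4, for instance), is what a reviewer should open first.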

The vulnerability's introduction into the code underscores critical security oversights in the project's governance. Specifically, no branch protections were in place, so a developer could push changes to the default branch without a mandatory second review. Worse, the malicious build script was present only in the signed release tarballs, not in the git history, so even a careful review of the repository would not have revealed it; consumers of the releases would have had to compare the tarball against the tagged source tree.

This lack of oversight allowed unreviewed modifications, including malicious ones, to flow into production libraries and Linux distributions. It highlights the danger of taking regularly updated code from open-source projects that do not maintain adequate security and maintenance standards straight into production environments, and how such projects can be a soft target for APTs.


Addressing and Mitigating CVEs

When a company encounters a CVE notice like CVE-2024-3094, it should take several fundamental steps to respond and mitigate the potential impact effectively. Here’s a structured approach to dealing with such vulnerabilities:


What Is XZ Utils?

XZ Utils is a collection of tools for the XZ compression format, providing high compression ratios and fast decompression with a relatively low memory footprint. It is free software, shipped as a command-line toolset on Linux and other operating systems. The main components of XZ Utils include:

XZ Utils is widely used to compress software packages in many Linux distributions, and its library, liblzma, is linked by many other programs. Because it arrives as a dependency rather than something administrators install deliberately, it is often unknown or untracked by the people responsible for the systems that run it.


Stay Ahead of the Latest CVEs and Updates with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve, including keeping track of the latest threats and their impact on compliance. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization's cybersecurity needs and learn how we can help protect its systems and ensure compliance.

