CVE-2024-3094: A Deep Dive into the XZ Utils Backdoor Vulnerability

Executive Summary

CVE-2024-3094 is a critical supply chain vulnerability discovered in the XZ Utils compression library, specifically affecting versions 5.6.0 and 5.6.1. This vulnerability involves a malicious backdoor embedded in the upstream tarballs of the xz package. The backdoor was obfuscated within the build process of liblzma, a core component of XZ Utils, and could be triggered during the creation of RPM or DEB packages for x86-64 architectures. Once activated, the backdoor allows attackers to intercept and modify data processed by the library, potentially compromising the confidentiality, integrity, and availability of systems relying on XZ Utils.

The vulnerability has been assigned a CVSS v3.1 score of 10.0 (Critical) due to its ease of exploitation, lack of required privileges, and severe impact on system security. Immediate action is required to mitigate the risks posed by this vulnerability.


Technical Details

Affected Systems and Components

The vulnerability specifically affects the following versions of XZ Utils:

  • XZ Utils 5.6.0
  • XZ Utils 5.6.1

The malicious code was embedded in the upstream tarballs of these versions. The backdoor impacts the liblzma library, which is widely used for data compression and decompression in Linux distributions. The issue arises during the build process when creating RPM or DEB packages for the x86-64 architecture using GCC and the GNU linker.

Vulnerable Configurations

The backdoor is activated under the following conditions:

  1. The build system is instructed to create an RPM or DEB package.
  2. The target architecture is x86-64.
  3. The build process uses GCC and the GNU linker.

Key Characteristics of the Backdoor

  • Obfuscation: The malicious code was hidden within disguised test files in the source tarball. These files contained prebuilt object files that were extracted and linked into the liblzma library during the build process.
  • Impact: The backdoor intercepts and modifies data interactions with liblzma, potentially allowing attackers to:
    • Break SSH authentication.
    • Gain unauthorized remote access to systems.
    • Manipulate or exfiltrate sensitive data.

Root Cause Analysis

The root cause of CVE-2024-3094 lies in the insertion of malicious code into the upstream tarballs of XZ Utils. The backdoor was introduced through a series of obfuscation techniques, making it difficult to detect during standard code reviews.

Code Analysis

The malicious code was embedded in test files within the source tarball. These files contained binary blobs that were extracted and linked into the liblzma library during the build process. Below is a simplified illustration of that mechanism; the payload bytes and the helper name are placeholders, not the real code:

Example of Malicious Code in Test Files

// Extracted binary blob disguised as a test file (illustrative sketch only;
// the real payload was a prebuilt object file, not a C array)
unsigned char malicious_payload[] = {
    0xDE, 0xAD, 0xBE, 0xEF, // Example payload bytes, not the real ones
    // Additional obfuscated code omitted for brevity
};

// Function to inject the payload into liblzma
// (modify_function_pointers is a placeholder name for the hooking step,
// not a real liblzma or xz symbol)
void inject_payload(void) {
    // Code to modify liblzma functions
    modify_function_pointers(malicious_payload);
}

The build process included a script that extracted this payload and linked it into the library. This script was triggered only under specific conditions, such as when building RPM or DEB packages for x86-64 architectures.


Patch Analysis

The patch to address CVE-2024-3094 removes the malicious code and associated test files from the source tarball. The relevant hunks, and what each of them changes, are shown below:

File: src/liblzma/check/crc32_fast.c

- lzma_resolver_attributes
+ #ifdef CRC_USE_IFUNC
+ __attribute__((__no_profile_instrument_function__))
+ #endif
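Review bot: the replacement `__attribute__((__no_profile_instrument_function__))` is now guarded by `#ifdef CRC_USE_IFUNC`, but the hunk carries no context lines and does not show the definition of the `lzma_resolver_attributes` macro being removed, so a stale definition may remain for another resolver to pick up. Suggest deleting the macro definition in the same change and adding a one-line comment at the `#ifdef` stating why the ifunc resolver needs this attribute, since the bare attribute gives the next reader no rationale.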
  • Removed: The lzma_resolver_attributes macro, which was used to obfuscate the backdoor.
  • Added: Conditional compilation to ensure safe usage of the __no_profile_instrument_function__ attribute.

File: src/liblzma/check/crc64_fast.c

- lzma_resolver_attributes
+ #ifdef CRC_USE_IFUNC
+ __attribute__((__no_profile_instrument_function__))
+ #endif
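Review bot: this is the same three-line replacement as in crc32_fast.c, so both files now carry the `#ifdef CRC_USE_IFUNC` / attribute / `#endif` block verbatim. If the duplication is intentional, a single definition in a shared header would keep the two resolvers in sync; otherwise a later edit to one file can silently leave the other resolver without the attribute.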
  • Similar changes were made to the CRC64 resolver to remove obfuscated attributes.

File: tests/files/README

- bad-3-corrupt_lzma2.xz has three Streams in it. The first and third
- streams are valid xz Streams. The middle Stream has a correct Stream
- Header, Block Header, Index and Stream Footer. Only the LZMA2 data
- is corrupt. This file should decompress if --single-stream is used.
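Review bot: this hunk removes only the README paragraph describing bad-3-corrupt_lzma2.xz; the deletion of the file itself, and of any build-script logic that read it, is not in the shown diff, so the patch as presented cannot be checked for actually removing the payload carrier. Suggest including the binary file removal and the corresponding build-script hunks in the same change so the README edit is not the only visible trace.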
  • Removed: References to test files containing malicious payloads.

Exploitation Techniques

Proof of Concept (PoC)

The backdoor can be exploited by triggering the malicious code embedded in the liblzma library. Below is a theoretical PoC demonstrating how an attacker could exploit the vulnerability:

Step 1: Trigger the Backdoor

An attacker crafts a specially designed input file that interacts with the backdoor in liblzma.

Step 2: Exploit the Backdoor

The backdoor modifies function pointers within the library to execute arbitrary code.

Example Exploit Code

#include <stdio.h>
#include <stdint.h>
#include <lzma.h>   /* liblzma's public header is lzma.h, not liblzma.h */

int main(void) {
    // Malicious input file
    FILE *input = fopen("malicious_input.xz", "rb");
    if (!input) {
        perror("Failed to open file");
        return 1;
    }

    // The decoder must be initialised before lzma_code() is called
    lzma_stream strm = LZMA_STREAM_INIT;
    if (lzma_stream_decoder(&strm, UINT64_MAX, 0) != LZMA_OK) {
        fprintf(stderr, "Decoder init failed\n");
        return 1;
    }

    // Trigger the backdoor: feed the file through the decoder
    uint8_t inbuf[BUFSIZ], outbuf[BUFSIZ];
    lzma_ret ret;
    do {
        if (strm.avail_in == 0 && !feof(input)) {
            strm.next_in = inbuf;
            strm.avail_in = fread(inbuf, 1, sizeof inbuf, input);
        }
        strm.next_out = outbuf;
        strm.avail_out = sizeof outbuf;
        ret = lzma_code(&strm, LZMA_RUN);
    } while (ret == LZMA_OK);
    lzma_end(&strm);
    fclose(input);
    printf("Backdoor triggered!\n");
    return ret == LZMA_STREAM_END ? 0 : 1;
}

Mitigation Strategies

To mitigate the risks associated with CVE-2024-3094, the following steps are recommended:

  1. Upgrade to a Secure Version:
     • Downgrade to XZ Utils 5.4.x or upgrade to a patched version once available.
  2. Verify Source Integrity:
     • Use cryptographic signatures to verify the authenticity of source tarballs.
  3. Audit Build Processes:
     • Review build scripts and processes to detect and remove malicious code.
  4. Apply Security Best Practices:
     • Use sandboxing and privilege separation to limit the impact of compromised libraries.
  5. Monitor for Indicators of Compromise (IoC):
     • Look for unusual system behavior, such as increased CPU usage or failed SSH authentication attempts.
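The first and last mitigation steps reduce to a host inventory question: is one of the two backdoored releases installed, and does the local sshd load liblzma at all. The script below is an added example, not part of the article or of the xz project; it parses `xz --version` output (the first line reads "xz (XZ Utils) <version>"), matches it against the 5.6.0/5.6.1 set the advisory names, and checks the sshd binary with `ldd`. The sample version strings in the comments are constructed.

```sh
#!/bin/sh
# Added host check (not from the article or the xz project): flags the xz
# versions the advisory names as backdoored (5.6.0, 5.6.1) and reports whether
# the local sshd loads liblzma, the library the backdoor lives in.

# Exit 0 when the version string is one of the two affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line
# reads "xz (XZ Utils) <version>" (constructed sample: "xz (XZ Utils) 5.6.1").
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Classify one host's `xz --version` output: prints "AFFECTED <v>" (exit 0),
# "OK <v>" (exit 1) or "UNKNOWN" (exit 2) when no version can be parsed.
classify_xz_output() {
    ver=$(parse_xz_version "$1")
    if [ -z "$ver" ]; then printf 'UNKNOWN\n'; return 2; fi
    if xz_version_affected "$ver"; then printf 'AFFECTED %s\n' "$ver"; return 0; fi
    printf 'OK %s\n' "$ver"; return 1
}

# Exit 0 when the installed sshd binary links liblzma, directly or through
# another library (on many distributions it arrives via libsystemd).
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || sshd_path=/usr/sbin/sshd
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Run the live checks on this host: sh xzcheck.sh --scan
scan_host() {
    if command -v xz >/dev/null 2>&1; then
        classify_xz_output "$(xz --version 2>/dev/null)" || true
    else
        echo "xz not installed"
    fi
    if sshd_links_liblzma; then echo "sshd links liblzma: review it"; else echo "sshd does not link liblzma"; fi
}

case "${1:-}" in --scan) scan_host ;; esac
```

An "OK" result only means the binary is not one of the two named releases; a rebuilt or vendor-patched 5.6.x that reports the same version string still needs the distribution advisory consulted.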

Timeline of Discovery and Disclosure

Date         Event
2024-03-29   Vulnerability publicly disclosed on oss-security.
2024-03-30   Patch released by the XZ Utils maintainers.
2024-04-01   Advisory published by Red Hat and other vendors.

By understanding the technical intricacies of CVE-2024-3094, organizations can take proactive steps to secure their systems and prevent similar supply chain attacks in the future.
