Critical Linux XZ Utils Vulnerability
Date of Notice: 04/2/2024
Action Level - Critical
Description
The mentioned vulnerability is a result of a supply-chain attack done to the XZ utils repository. The malicious code was committed to the project by one its maintainers, the code allows specific remote attackers to send arbitrary payloads through an SSH certificate which will be executed in a manner that circumvents authentication protocols, effectively seizing control over the victim machine.
Fixed Versions
XZ Utils users should downgrade to an older version of the utility immediately (i.e., any version before 5.6.0) and update their installations and packages according to distribution maintainer directions.
Attack Vector
Authentication bypass and RCE, caused by malicious code placed into the XZ utils source code. The malicious code hijacks the SSH daemon and starts making several outbound connections to C2 servers.
Attack Feasibility
If running a malicious version of XZ utils, then your machine is already compromised. See the below sources to get a better understanding of how the backdoor functions.
Mitigation/Remediation
Immediately downgrade XZ utils to a non-impacted version (any version before 5.6.0).
Resources
https://www.rapid7.com/blog/post/2024/04/01/etr-backdoored-xz-utils-cve-2024-3094/
https://thehackernews.com/2024/04/malicious-code-in-xz-utils-for-linux.html