Search
Search titles only
By:
Search titles only
By:
Log in
Register
Search
Search titles only
By:
Search titles only
By:
Menu
Install the app
Install
Forums
New posts
All threads
Latest threads
New posts
Trending threads
Trending
Search forums
What's new
New posts
New ads
New profile posts
Latest activity
Free Ads
Latest reviews
Search ads
Members
Current visitors
New profile posts
Search profile posts
Contact us
Latest ads
Colombo
Red Hat Certified System Administrator (RHCSA) - RHEL 10
Sanjeewani95
Updated:
Today at 7:43 PM
NURSING , CAREGIVER , HOTEL & BEAUTY COURSES
IVA Para Medical Campus
Updated:
Yesterday at 9:24 AM
Handmade Character Soft Toys Peppa Pig Family
anil1961
Updated:
Wednesday at 9:58 PM
Ad icon
Video Content Creator
pramukag
Updated:
Sunday at 6:10 AM
Ad icon
QA Engineer Intern
pramukag
Updated:
Sunday at 6:07 AM
Electronics
Vehicles
Property
Search
Reply to thread
Forums
General
News
CVE-2024-3094
Get the App
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Message
<blockquote data-quote="gnilukshi" data-source="post: 29703917" data-attributes="member: 132616"><p><h2>Background</h2><p>The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2024-3094, a backdoor in XZ Utils, a widely used compression library found in multiple Linux distributions.</p><p></p><h2>FAQ</h2><p><strong>What is XZ Utils and what is the library used for?</strong></p><p></p><p>XZ is a type of lossless data compression on Unix-like operating systems, which is often compared to other common data compression formats such as gzip and bzip2. XZ Utils is a command line tool that contains functionality for both compression and decompression of XZ files and <a href="https://xz.tukaani.org/xz-utils/liblzma-api/" target="_blank"><u>liblzma</u></a>, a zlib-like API used for data compression and also supports the legacy .lzma format.</p><p></p><p><strong>How was this backdoor discovered?</strong></p><p></p><p>On March 29, Andres Freund, a PostgreSQL developer at Microsoft, posted on the <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4" target="_blank"><u>Open Source Security Mailing List</u></a> that he had discovered a supply-chain compromise involving obfuscated malicious code in the XZ package while investigating SSH performance issues. According to both Freund and RedHat, the malicious code is not present in the Git distribution for XZ and only in the full download package.</p><p></p><p><strong>Which versions of the library are affected?</strong></p><p></p><p>According to Freund, XZ Utils versions 5.6.0 and 5.6.1 are impacted.</p><p></p><p><strong>Has this backdoor code been exploited?</strong></p><p></p><p>No information regarding exploitation has been observed for this backdoor code as of March 29. Because this situation is still developing, we anticipate more information will come to light in the coming days and weeks. We will update this portion of the FAQ once such information is available.</p><p></p><p><strong>What is the impact of this backdoor?</strong></p><p></p><p>According to Red Hat, the malicious code modifies functions within the liblzma code, which is part of the XZ Utils package. This modified code can then be used by any software linked to the XZ library and allow for the interception and modification of data used with the library. In the example observed by Freund, under certain conditions, this backdoor could allow a malicious actor to “break sshd authentication,” allowing the attacker to gain access to an affected system.</p><p></p><p><strong>Is there a CVE assigned for this issue?</strong></p><p></p><p>Yes, Red Hat assigned <a href="https://www.tenable.com/cve/CVE-2024-3094" target="_blank"><u>CVE-2024-3094</u></a> for this issue and it has been given a CVSSv3 score of 10.0.</p><p></p><p><strong>How was this backdoor inserted into the code?</strong></p><p></p><p>At the time this blog was published, it’s unclear how this backdoor code was placed into the affected builds of XZ utils. According to Freund, it's likely the individual who made the code commits is directly involved with the XZ project or had their system or developer account compromised.</p><p></p><p><strong>What Linux distributions are affected?</strong></p><p></p><p>As of the time this blog was published on March 29, the following distributions are known to be affected:</p><p></p><table style='width: 100%'><tr><th>OS</th><th>Package name</th><th>Package version(s)</th><th>Fix package version</th><th>Reference</th></tr><tr><td>Fedora 40, Rawhide</td><td>xz</td><td>5.6.0, 5.6.1</td><td>Revert to 5.4.x</td><td><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank">Details</a></td></tr><tr><td>Debian unstable (Sid)</td><td>xz-utils</td><td>5.6.1</td><td>Revert to 5.4.5</td><td><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank">Details</a></td></tr><tr><td>Alpine edge</td><td>xz</td><td>5.6.1-r2</td><td>Revert to 5.4.x</td><td><a href="https://pkgs.alpinelinux.org/package/edge/main/x86/xz" target="_blank">Details</a></td></tr><tr><td>Arch Linux</td><td>xz</td><td>5.6.0-1, 5.6.1-1</td><td>Upgrade to 5.6.1-2</td><td><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank">Details</a></td></tr><tr><td>openSUSE Tumbleweed<br /> openSUSE MicroOS</td><td>xz</td><td>5.6.0</td><td>Revert to 5.4.x</td><td><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank">Details</a></td></tr></table> <table style='width: 100%'><tr><td></td><td></td><td></td></tr></table><p>Additionally, the macOS Homebrew package manager reverted its version of xz from 5.6.x to 5.4.6. Bo Anderson, a member of the technical steering committee and a maintainer of Homebrew, <a href="https://github.com/orgs/Homebrew/discussions/5243" target="_blank"><u>confirmed</u></a> that they do not believe Homebrew’s builds “were compromised” but because these versions of xz are not considered trustworthy, they have chosen to force downgrades “as a precaution.”</p><p></p><p>As this is a developing situation, we anticipate we will have further clarity for additional Linux distributions soon and will continue to update this blog as necessary.</p><p></p><p><strong>Are patches or mitigations available?</strong></p><p></p><p>Both developers and users of XZ Utils are advised to downgrade to known, unaffected versions of XZ Utils, such as 5.4.6 Stable. However, in addition to downgrading, it is strongly advised that developers and users conduct incident response to determine if they have been impacted as a result of this backdoor and to share “positive findings” with agencies like the Cybersecurity and Infrastructure Security Agency (<a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094" target="_blank"><u>CISA</u></a>). You can check your installed version by running the command ‘<em><strong>xz -V</strong></em>’ or ‘<em><strong>xz –version</strong></em>’.</p><p></p><p><img src="https://www.tenable.com/sites/default/files/images/blog/fa987ce6-a171-4c2b-87e1-9fc81fc42e70.png" alt="Example command line output to check which versions of XZ Utils and liblzma are installed." class="fr-fic fr-dii fr-draggable " style="" /></p><p> </p><p></p><p><strong>Has Tenable released any product coverage for these vulnerabilities?</strong></p><p></p><p>As of March 29, Tenable Research is investigating product coverage. A list of Tenable plugins for this vulnerability can be found on the individual CVE page for <a href="https://www.tenable.com/cve/CVE-2024-3094/plugins" target="_blank"><u>CVE-2024-3094</u></a> as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our <a href="https://www.tenable.com/plugins/pipeline" target="_blank"><u>Plugins Pipeline</u></a>.</p></blockquote><p></p>
[QUOTE="gnilukshi, post: 29703917, member: 132616"] [HEADING=1]Background[/HEADING] The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2024-3094, a backdoor in XZ Utils, a widely used compression library found in multiple Linux distributions. [HEADING=1]FAQ[/HEADING] [B]What is XZ Utils and what is the library used for?[/B] XZ is a type of lossless data compression on Unix-like operating systems, which is often compared to other common data compression formats such as gzip and bzip2. XZ Utils is a command line tool that contains functionality for both compression and decompression of XZ files and [URL='https://xz.tukaani.org/xz-utils/liblzma-api/'][U]liblzma[/U][/URL], a zlib-like API used for data compression and also supports the legacy .lzma format. [B]How was this backdoor discovered?[/B] On March 29, Andres Freund, a PostgreSQL developer at Microsoft, posted on the [URL='https://www.openwall.com/lists/oss-security/2024/03/29/4'][U]Open Source Security Mailing List[/U][/URL] that he had discovered a supply-chain compromise involving obfuscated malicious code in the XZ package while investigating SSH performance issues. According to both Freund and RedHat, the malicious code is not present in the Git distribution for XZ and only in the full download package. [B]Which versions of the library are affected?[/B] According to Freund, XZ Utils versions 5.6.0 and 5.6.1 are impacted. [B]Has this backdoor code been exploited?[/B] No information regarding exploitation has been observed for this backdoor code as of March 29. Because this situation is still developing, we anticipate more information will come to light in the coming days and weeks. We will update this portion of the FAQ once such information is available. [B]What is the impact of this backdoor?[/B] According to Red Hat, the malicious code modifies functions within the liblzma code, which is part of the XZ Utils package. This modified code can then be used by any software linked to the XZ library and allow for the interception and modification of data used with the library. In the example observed by Freund, under certain conditions, this backdoor could allow a malicious actor to “break sshd authentication,” allowing the attacker to gain access to an affected system. [B]Is there a CVE assigned for this issue?[/B] Yes, Red Hat assigned [URL='https://www.tenable.com/cve/CVE-2024-3094'][U]CVE-2024-3094[/U][/URL] for this issue and it has been given a CVSSv3 score of 10.0. [B]How was this backdoor inserted into the code?[/B] At the time this blog was published, it’s unclear how this backdoor code was placed into the affected builds of XZ utils. According to Freund, it's likely the individual who made the code commits is directly involved with the XZ project or had their system or developer account compromised. [B]What Linux distributions are affected?[/B] As of the time this blog was published on March 29, the following distributions are known to be affected: [TABLE] [TR] [TH]OS[/TH] [TH]Package name[/TH] [TH]Package version(s)[/TH] [TH]Fix package version[/TH] [TH]Reference[/TH] [/TR] [TR] [TD]Fedora 40, Rawhide[/TD] [TD]xz[/TD] [TD]5.6.0, 5.6.1[/TD] [TD]Revert to 5.4.x[/TD] [TD][URL='https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users']Details[/URL][/TD] [/TR] [TR] [TD]Debian unstable (Sid)[/TD] [TD]xz-utils[/TD] [TD]5.6.1[/TD] [TD]Revert to 5.4.5[/TD] [TD][URL='https://security-tracker.debian.org/tracker/CVE-2024-3094']Details[/URL][/TD] [/TR] [TR] [TD]Alpine edge[/TD] [TD]xz[/TD] [TD]5.6.1-r2[/TD] [TD]Revert to 5.4.x[/TD] [TD][URL='https://pkgs.alpinelinux.org/package/edge/main/x86/xz']Details[/URL][/TD] [/TR] [TR] [TD]Arch Linux[/TD] [TD]xz[/TD] [TD]5.6.0-1, 5.6.1-1[/TD] [TD]Upgrade to 5.6.1-2[/TD] [TD][URL='https://archlinux.org/news/the-xz-package-has-been-backdoored/']Details[/URL][/TD] [/TR] [TR] [TD]openSUSE Tumbleweed openSUSE MicroOS[/TD] [TD]xz[/TD] [TD]5.6.0[/TD] [TD]Revert to 5.4.x[/TD] [TD][URL='https://news.opensuse.org/2024/03/29/xz-backdoor/']Details[/URL][/TD] [/TR] [/TABLE] [TABLE] [TR] [TD][/TD] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Additionally, the macOS Homebrew package manager reverted its version of xz from 5.6.x to 5.4.6. Bo Anderson, a member of the technical steering committee and a maintainer of Homebrew, [URL='https://github.com/orgs/Homebrew/discussions/5243'][U]confirmed[/U][/URL] that they do not believe Homebrew’s builds “were compromised” but because these versions of xz are not considered trustworthy, they have chosen to force downgrades “as a precaution.” As this is a developing situation, we anticipate we will have further clarity for additional Linux distributions soon and will continue to update this blog as necessary. [B]Are patches or mitigations available?[/B] Both developers and users of XZ Utils are advised to downgrade to known, unaffected versions of XZ Utils, such as 5.4.6 Stable. However, in addition to downgrading, it is strongly advised that developers and users conduct incident response to determine if they have been impacted as a result of this backdoor and to share “positive findings” with agencies like the Cybersecurity and Infrastructure Security Agency ([URL='https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094'][U]CISA[/U][/URL]). You can check your installed version by running the command ‘[I][B]xz -V[/B][/I]’ or ‘[I][B]xz –version[/B][/I]’. [IMG alt="Example command line output to check which versions of XZ Utils and liblzma are installed."]https://www.tenable.com/sites/default/files/images/blog/fa987ce6-a171-4c2b-87e1-9fc81fc42e70.png[/IMG] [B]Has Tenable released any product coverage for these vulnerabilities?[/B] As of March 29, Tenable Research is investigating product coverage. A list of Tenable plugins for this vulnerability can be found on the individual CVE page for [URL='https://www.tenable.com/cve/CVE-2024-3094/plugins'][U]CVE-2024-3094[/U][/URL] as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our [URL='https://www.tenable.com/plugins/pipeline'][U]Plugins Pipeline[/U][/URL]. [/QUOTE]
Insert quotes…
Verification
Payakata winadi keeyak tibeda?
Post reply
Top
Bottom