Microsoft, today, published its guidance and advisory on the XZ Utils backdoor vulnerability, identified by CVE-2024-3094. This security vulnerability is a major flaw with a CVSS (Common Vulnerability Scoring System) score of 10.0 and affects several Linux distros, namely Fedora, Kali Linux, OpenSUSE, and Alpine, and could have had a massive global impact.
Luckily, the vulnerability was accidentally discovered in time by a Microsoft Linux developer, Andres Freund, who was curious as to why there was a 500 ms delay in SSH (Secure Shell) port connections, only to uncover a malicious backdoor that had been embedded in the XZ file compressor.
So far, at the time of writing, VirtusTotal only lists four security vendors out of 63, including Microsoft, that are correctly detecting the exploit as harmful.
Hence, the eagle-eyed nature of the Microsoft engineer has to be praised in this instance as it is likely that many would not have bothered looking into it. The incident also highlights how open-source software can be exploited by harmful actors.
In case you are wondering, versions 5.6.0 and 5.6.1 of XZ Utils are compromised and the official recommendation by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is to use older safe versions.
As per the recommended guidance, to verify if a system has the vulnerable software, users can run the following command in SSH with administrator privileges:
xz --version
Third-party scanning and detection tools are also available. Security research firms Qualys and Binarly have published detection and scanner tools to detect if your system is affected.
Qualys has published VULNSIGS version 2.6.15-6 and marked the vulnerability under QID (Qualys Vulnerability Detection ID) "379548."
Meanwhile, Binarly has also released a free XZ backdoor scanner which upon detection of a compromised version of XZ Utils, the tool will throw up a "XZ malicious implant" detection message.
You can find more technical details related to the vulnerability on Binarly's and Qualys' websites.
22 Comments - Add comment