XZ Utils is compromised: the hidden backdoor was discovered completely by accident

Father

How did the attackers manage to outsmart the developer community?

A hidden backdoor was recently discovered in the popular data compression utility XZ Utils, which is widely used on Linux systems. The issue, tracked as CVE-2024-3094, allows OpenSSH authentication to be bypassed, which threatens the security of many systems.

Initially, it was assumed that the maliciously implanted backdoor simply allowed the SSH authentication process to be bypassed, but deeper analysis revealed that it makes it possible to execute arbitrary code without leaving traces in the sshd logs. An attacker can execute code before the sshd process drops its privileges, using a signature made with a fixed key.

To activate the backdoor, the standard SSH host key exchange mechanism is used; it responds only to a key prepared by the attackers. If the signature does not match or the integrity of the data is not confirmed, the backdoor stays dormant and hands control back to the normal SSH functions.

What makes this malware unique is that without the attacker's private key, it is impossible to trigger the backdoor from the outside. Moreover, a feature was discovered that neutralizes the backdoor if a certain environment variable is set before sshd is started. This opens a way to protect against the threat without having to remove the backdoor from the product code entirely.

A detailed analysis showed that complex shell scripts were used to mask the malware, substituting characters and extracting executable code for later integration into liblzma. The process included the use of the RC4 algorithm and a plugin engine, allowing the malicious code to be updated without changing the source archives.

The malicious code was discovered completely by accident during reverse engineering by Andres Freund, a PostgreSQL developer at Microsoft, who noticed a slight slowdown in the SSH authentication process on his old computer.

As it turned out, the malware was introduced into the xz utility quite recently, starting with version 5.6.0, through edits presented as "improvements to the operation of the utility". These edits came from a fake GitHub account that had been deliberately padded with "junk projects" to make it look legitimate. Experts are sure that the covert integration of the malicious code was prepared over more than a year, and that the attackers pursued far-reaching goals.

Red Hat, a leading developer of Linux-based systems, said that it has already taken the appropriate measures to fix the vulnerability in Fedora. Red Hat Enterprise Linux (RHEL) versions were not affected by the identified vulnerability.

Other distributions, including SUSE and Debian, have also taken the necessary steps to protect their users by releasing updates that fix the issue. It is noted that none of Debian's stable releases were affected, but compromised packages were found in the testing and unstable branches.

Security experts emphasize the importance of carefully monitoring software supply chains and responding promptly to security threats. The joint efforts of Red Hat, CISA and other organizations made it possible to minimize the potential risk from the identified vulnerability.

To protect against potential threats, we recommend downgrading XZ Utils to a proven, secure version such as XZ Utils 5.4.6 Stable. Users and developers are also advised to monitor their systems for any malicious activity and to report threats immediately.
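A quick way to act on that advice is to check which XZ Utils / liblzma build a host actually carries. The script below is an added example for this post, not code from the article, the XZ project or any distribution. It classifies a version string as one of the backdoored upstream releases (the post names 5.6.0 as the first; 5.6.1 is the other release that shipped the same backdoor), as clean (for example the recommended 5.4.6), or as unknown when no version can be found, and then applies the check to the local xz binary and, if present, to the liblzma that sshd is linked against. The path /usr/sbin/sshd is an assumption about where the daemon lives; adjust it for your system.

```shell
#!/bin/sh
# Added example (not from the post): classify an XZ Utils version string so a
# defender can tell whether an installed build is one of the backdoored releases.
# 5.6.0 (named in the post) and 5.6.1 are the two affected upstream releases.

xz_status() {
  # Pull the first dotted x.y.z version out of text such as
  # "xz (XZ Utils) 5.6.1", "liblzma.so.5.6.0" or a bare "5.4.6".
  ver=$(printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
  case "$ver" in
    "")          echo "unknown" ;;   # no version number found in the input
    5.6.0|5.6.1) echo "affected" ;;  # backdoored upstream releases
    *)           echo "clean" ;;     # anything else, e.g. 5.4.6 or later fixed releases
  esac
}

# Live check: what the xz binary reports (skipped silently if xz is absent).
if command -v xz >/dev/null 2>&1; then
  line=$(xz --version 2>/dev/null | head -n 1)
  printf 'xz binary:    %s -> %s\n' "$line" "$(xz_status "$line")"
fi

# Live check: which liblzma sshd would load, if it is linked against one.
# /usr/sbin/sshd is an assumed path; change it if your sshd lives elsewhere.
if command -v ldd >/dev/null 2>&1 && [ -x /usr/sbin/sshd ]; then
  lib=$(ldd /usr/sbin/sshd 2>/dev/null | grep liblzma || true)
  if [ -n "$lib" ]; then
    printf 'sshd liblzma: %s -> %s\n' "$lib" "$(xz_status "$lib")"
  fi
fi
```

Treat the result as a first pass, not a verdict: a distribution may rebuild a 5.6.x package with the malicious object stripped while keeping the upstream version number, so an "affected" hit should be confirmed against the distribution's advisory, and a "clean" result says nothing about a system that was already exploited.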
 
Top