By LBT Technology Group, LLC. on Tuesday, 09 April 2024
Category: Security

XZ Utils supply chain vulnerability

Threat update

A supply chain vulnerability was found in XZ Utils that creates a backdoor into OpenSSH and can lead to remote code execution (RCE). Read this Cybersecurity Threat Advisory to learn about this supply chain vulnerability and how to reduce your risks. 

Technical Detail and Additional Info

What is the threat?

XZ Utils is a command-line compression tool that provides the liblzma compression and decompression library. The vulnerability (CVE-2024-3094) was initially described as an SSH authentication bypass backdoor; it was later found to also be a remote code execution (RCE) vulnerability affecting OpenSSH. The backdoor is only exploitable by the threat actor, because triggering it requires a private key held by that actor.

The threat actor contributed to the XZ Utils project for two years to gain maintainer responsibilities. With the additional permissions, the bad actor was able to include the malicious code in the source tarball releases. The malicious code was hidden and only injected during the build process of dependent projects: during the build, files were extracted and decoded, then compiled into liblzma. The library was then loaded into sshd at startup through Systemd, because distributions patch OpenSSH to support systemd notifications.
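As an added example, not part of this advisory, the following POSIX shell script checks the loading path described above: whether the sshd binary pulls liblzma into its process (via libsystemd), and which xz version is installed so it can be compared against your distribution's advisory. The function names and the sample `ldd` output are constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory): detect the sshd -> libsystemd -> liblzma
# loading path and report the installed xz version for comparison.

# Return 0 if the given `ldd` output lists liblzma among the resolved libraries.
# ldd resolves transitive dependencies, so an indirect load via libsystemd shows up.
links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Extract the version number from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.4.6" -> "5.4.6" (prints nothing if the line does not match).
xz_version() {
  printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Live check for a real host. Note: ldd invokes the dynamic loader on the binary,
# so only run it against the system's own sshd, never an untrusted file.
check_host() {
  sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  if [ -x "$sshd_bin" ]; then
    if links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
      echo "WARN: $sshd_bin loads liblzma (likely via libsystemd); verify the xz package"
    else
      echo "OK: $sshd_bin does not load liblzma"
    fi
  else
    echo "INFO: sshd binary not found"
  fi
  echo "installed xz version: $(xz_version "$(xz --version 2>/dev/null)")"
}

# Constructed sample ldd output (hypothetical host) showing the indirect load.
SAMPLE_LDD_VULNERABLE_PATH='linux-vdso.so.1 (0x00007ffd)
  libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f01)
  liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f02)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f03)'

# Run the live check only when explicitly requested: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
  check_host
fi
```

Run with `--live` on a host to inspect the real sshd; a WARN result means sshd depends on liblzma and the installed xz package should be checked against the affected releases named in your distribution's advisory.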

Why is it noteworthy?

The execution of this supply chain attack is one of the best to date. It illustrates how sophisticated attacks propagate through downstream dependencies. A single experienced individual gained the trust of a community, obtained commit permissions and maintainer rights, and used them to include malicious code in distributions. The threat actor knew how to hide malicious code so that it easily bypassed discovery. This vulnerability could have been more impactful and devastating than the SolarWinds supply chain attack.

What is the exposure or risk?

What are the recommendations?

LBT Technology Group, LLC. recommends the following preventative steps to minimize the risks and strengthen the security posture:

References

For more in-depth information about the recommendations, please visit the following links:


If you have any questions, please contact LBT's Sales Engineer.