CVE-2024-3094 – Backdoored XZ Utils

TL:DR ALL linux systems use xz utils. If you are below 5.4.1 the JaiTan (Chinese) has not infected your system (yet).

SSH is a powerful tool that can be used as authentication with a password or an encryption key and once a session is established it is no different than sitting in front of the console. Not only that but you can create SSL tunnels to applications via redirects and easily sign on to other Linux host on the internal network. So if your SSH port is open on port 22 and you have XZ Utilities 5.6 or 5.6.1 installed you have a big issue and must take action right now

To check type this at the root command line

xz --version
xz (XZ Utils) 5.4.1
liblzma 5.4.1

Here is a blog post and excerpt from Rapid 7 that explains the vulnerability – https://www.rapid7.com/blog/post/2024/04/01/etr-backdoored-xz-utils-cve-2024-3094/

Last updated at Tue, 02 Apr 2024 18:56:29 GMT

On Friday, March 29, after investigating anomalous behavior in his Debian sid environment, developer Andres Freund contacted an open-source security mailing list to share that he had discovered an upstream backdoor in widely used command line tool XZ Utils (liblzma). The backdoor, added by an open-source committer who had been working on the tool for several years, affects XZ Utils versions 5.6.0 and 5.6.1. It has been assigned CVE-2024-3094.

According to Red Hat’s advisory –

“The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package

This was bought to our attention, this morning, by Dave Plummer after a Microsoft developer, Andres Freund, found the issue when he saw SSH was taking longer than usual to sign in.

All our internal systems and customer systems are clean and we do regular checks including root kit checks via RK Hunter.

Stay safe!