Product
Kenisha Liu
Mar 4, 2024
Fletch identified this vulnerability on 3/29/2024, shortly after the initial discovery and private disclosure on 3/28/2024. The vulnerability was also shared on Fletch's Twitter on 3/30/24 and on TikTok on 4/2/24, with an update on 4/3/24. Using NLP matching technology, Fletch matched customer data to quickly identify environments vulnerable to CVE-2024-3094. This put Fletch customers about 5 days ahead of the major news cycle, allowing ample time for system remediation before attackers could make their move.
Fletch constantly monitors the threat landscape. The data in this guide is current as of publication. Check the XZ Vulnerability Threat Board for any updates or join the waitlist.
There has never been a supply chain attack quite like the XZ vulnerability. Estimates suggest that up to 60-70% of internet-facing systems could have been vulnerable to exploitation. The XZ vulnerability has worrying implications and raises broader concerns about the security of open source software.
XZ vulnerability summary
On March 28th, a Microsoft Postgres developer noticed a significant delay in authentication responses from OpenSSH. This led to the exposure of the XZ vulnerability, CVE-2024-3094. The vulnerability stemmed from a sophisticated supply chain attack: the team maintaining the library had been infiltrated by malicious actors over an extended period.
The compromised versions of the XZ library were quickly identified, preventing widespread dissemination across major Linux distributions. However, some distributions with rapid software integration cycles had already been affected by the time the flaw was first detected. Fortunately, OVHcloud customers largely remained unscathed, as the vulnerable library versions were not included in the Linux images provided for automated installation. However, users who manually installed susceptible distributions, used edge repositories, installed specific software packaging the vulnerable library version, or used alternative package managers may be at risk.
Key points:
Severity: Critical, Loud
Maturity: Mainstream
IOCs: CVE-2024-3094
Targets: Users of XZ library versions 5.6.0 and 5.6.1, most Linux users
Learn more about Fletch’s metrics in the Fletch Help Center.
XZ vulnerability breakdown
At the heart of the XZ vulnerability lies a seemingly innocuous open source library focused on data compression. Developed by a maintainer known as Gia Ten, the library gained widespread adoption across various open source projects, including the popular OpenSSL. Its ubiquity made it an attractive target for exploitation.
Spanning over a period from late 2021 to early 2024, the timeline of events leading to the XZ vulnerability is both fascinating and alarming. It began with the original maintainer, Gia Ten, struggling to garner support and contributions for the project. Sensing an opportunity, a nefarious actor, believed to be a nation-state threat group, offered assistance under the guise of a helpful contributor.
Over the course of months, this actor strategically maneuvered to gain control of the project, leveraging pressure tactics and legitimate code contributions to earn trust. Eventually, they succeeded in introducing malicious code into the library, which found its way into critical components like OpenSSL.
XZ vulnerability timeline:
2021: Jia Tan starts contributing to the xz-devel mailing list.
2022: Jia Tan's involvement with the xz compression library grows significantly. By mid-year, he had become a notable figure in the project. Pressure from other community members, potentially influenced by Tan himself, propelled his ascent within the project. By year's end, Tan had been added to the Tukaani organization on GitHub, a crucial step towards gaining maintainership.
2023: Tan strategically modifies the codebase, making subtle yet crucial changes to function selection processes and configurations, laying the groundwork for the impending backdoor insertion.
February 2024: The attack is launched with the integration of the hidden backdoor into the liblzma component of XZ. This backdoor posed a significant threat, allowing unauthenticated remote code execution. Major Linux distributors like Debian, Ubuntu, and Fedora are impacted. The compromised version spread rapidly through these distributions, with early reports of crashes related to bugs. However, systems whose sshd was not linked against libsystemd, such as Arch Linux, Gentoo, and NixOS, remained unscathed.
March 2024: The attack is detected on March 28, prompting a swift response from the open-source community. Distributions like Debian rolled back the compromised versions, mitigating the immediate threat.
XZ vulnerability tactics
One of the greatest concerns is the remote code execution capability of the XZ vulnerability. The exploited library potentially gives attackers unauthorized access to affected systems. This can lead to data theft, system manipulation, and insertion of malicious code on the Linux and Unix-based systems that companies depend on.
Another significant tactic is the backdoor's ability to manipulate the SSH authentication process. SSH, or Secure Shell, is a vital service used for secure communication with and management of systems. Compromising it could result in a breakdown of the integrity and security of the entire system. An attacker could potentially gain extensive control over a system, remotely execute commands, and even move laterally across connected systems and networks.
This backdoor is particularly dangerous because of its subtle nature. It only activates under specific conditions, making it difficult to detect and likely to go unnoticed.
XZ Mitigation and Advice
To reduce potential risks, check your XZ library version and follow the distribution's security guidelines if you’re affected. These guidelines might involve limiting exposure of server administration interfaces, using a bastion for server administration, creating regular backups, and testing service rebuilds from those backups.
To determine whether a system is running a compromised version of the XZ library, Linux administrators can run a straightforward shell script. If it detects version 5.6.0 or 5.6.1, follow the protocol from the Cybersecurity & Infrastructure Security Agency (CISA): they recommend that developers and users downgrade the XZ library to a safe version, specifically version 5.4.6, and keep watch for suspicious activity on their systems.
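The kind of check described above, as an added example that is not Fletch's or CISA's own script; it also reports the sshd/libsystemd linkage mentioned in the timeline, and assumes a POSIX shell with `xz`, `sed`, and `ldd` available:

```shell
#!/bin/sh
# Added example, not Fletch's or CISA's own script: report whether this host runs
# one of the two backdoored XZ Utils releases (5.6.0, 5.6.1) and whether sshd
# loads liblzma, the path through which the backdoor reached OpenSSH.

# True (exit 0) only for the two compromised release numbers.
is_compromised_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the line is unexpected.
parse_xz_version_line() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9.]*\).*$/\1/p'
}

# Constructed sample line, as a compromised build would report itself.
SAMPLE_COMPROMISED_LINE='xz (XZ Utils) 5.6.1'

# Inspect the running host. Returns 1 when a compromised version is present.
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed; nothing to check"
        return 0
    fi
    ver=$(parse_xz_version_line "$(xz --version 2>/dev/null | head -n 1)")
    if [ -z "$ver" ]; then
        echo "could not parse xz version output; inspect manually"
        return 0
    fi
    if is_compromised_xz_version "$ver"; then
        echo "WARNING: xz $ver is a backdoored release; downgrade to 5.4.6 per CISA guidance"
        # The backdoor matters most where sshd pulls in liblzma (via libsystemd).
        sshd_bin=$(command -v sshd 2>/dev/null || true)
        if [ -n "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | grep -q liblzma; then
            echo "sshd links liblzma: treat this host as exposed and rebuild the service"
        fi
        return 1
    fi
    echo "xz $ver is not one of the compromised versions"
    return 0
}
```

Source the file and call `check_host`; it returns non-zero only when a compromised release is found, so it can gate a configuration-management run.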
The impact of the XZ vulnerability:
The discovery of the XZ vulnerability not only exposed the vulnerability itself but also raised broader questions about the security of open source software. While supply chain attacks are nothing new, one has never been carried out to this degree. These systems have been around for so long that they have been hardened repeatedly and were long thought to be extremely secure. However, as threat actors grow more and more sophisticated, they find ways around these defenses.
This points to a greater issue surrounding legacy security tools and traditional cybersecurity practices. They are reactive and slow, and, above all else, they have not evolved to adapt to modern practices.
Fletch customers were 5 days ahead of the XZ vulnerability.