Reference: Advisory #2024-46
Version: 1.0
Affected software: XZ Utils Data Compression Library versions 5.6.0 and 5.6.1
Type: Backdoor via malicious code, SSH authentication bypass
CVE/CVSS: CVE-2024-3094: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
CVE-2024-3094 is a backdoor in XZ Utils versions 5.6.0 and 5.6.1 that can lead to an sshd authentication bypass. This can give an attacker full access to affected systems and therefore has a high impact on confidentiality, integrity and availability.
Furthermore, a proof-of-concept has been published and the vulnerability is being actively exploited by malicious actors.
Malicious code has been discovered in the upstream tarballs of XZ Utils, specifically versions 5.6.0 and 5.6.1. The following Linux distributions are affected:
The Centre for Cybersecurity Belgium strongly recommends upgrading XZ Utils to a version later than 5.6.1 or, if no such version is available, downgrading to a stable unaffected version earlier than 5.6.0.
Red Hat advises users to stop using any Fedora Rawhide instances: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users.
SUSE has published a downgrade guide for openSUSE distribution users: https://build.opensuse.org/request/show/1163302
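As an added example (not code from the CCB advisory or any vendor), the following POSIX shell script triages an installed XZ Utils version against the affected 5.6.0 and 5.6.1 releases and the upgrade/downgrade guidance above; the sample `xz --version` output is constructed and the function names are my own.

```shell
# Added example, not code from the CCB advisory. Triage an XZ Utils version
# against the backdoored releases named in CVE-2024-3094 (5.6.0 and 5.6.1)
# and the advisory's "upgrade to >5.6.1 or downgrade to <5.6.0" guidance.
# Function names are my own.
# Extract the version from `xz --version` output, whose first line reads
# "xz (XZ Utils) 5.6.1". Reads stdin, prints the version number.
xz_version_from_output() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare two dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Classify a version: "affected" for 5.6.0 and 5.6.1, "unaffected-older"
# below 5.6.0, "unaffected-newer" above 5.6.1, "unknown" if empty. Treat a
# match as a triage signal and confirm against your vendor's advisory.
xz_status() {
    [ -n "$1" ] || { echo "unknown"; return 0; }
    if [ "$(vercmp "$1" 5.6.0)" -lt 0 ]; then
        echo "unaffected-older"
    elif [ "$(vercmp "$1" 5.6.1)" -gt 0 ]; then
        echo "unaffected-newer"
    else
        echo "affected"
    fi
}

# Constructed sample of `xz --version` output from a backdoored build.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
sample_status() {
    xz_status "$(printf '%s\n' "$SAMPLE_OUTPUT" | xz_version_from_output)"
}
echo "sample build: $(sample_status)"   # prints: sample build: affected
# Live check of this host, skipped when xz is not installed.
if command -v xz >/dev/null 2>&1; then
    live=$(xz --version 2>/dev/null | xz_version_from_output)
    echo "host xz ${live:-?}: $(xz_status "$live")"
fi
```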
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.
https://access.redhat.com/security/cve/CVE-2024-3094?extIdCarryOver=true&sc_cid=701f2000001OH6fAAG
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users