[Knownsec 404 Lab] Alert: the xz-utils package in the Linux ecosystem was attacked and backdoored (CVE-2024-3094)

admin 2024-03-30 23:56:23

On March 29, 2024, security researchers abroad reported that xz-utils versions 5.6.0 through 5.6.1 had been subjected to a supply chain attack and had a backdoor implanted (https://www.openwall.com/lists/oss-security/2024/03/29/4). The backdoor may allow a malicious actor to subvert sshd authentication, granting unauthorized remote access to the entire system. Because the library is so widely used, the severity of this vulnerability poses a threat to the whole Linux ecosystem.

The affected operating systems have published security advisories. The systems currently confirmed as potentially affected are: Fedora Rawhide, Fedora 41, Debian testing, unstable and experimental distributions (versions 5.5.1alpha-0.1 to 5.6.1-1), openSUSE Tumbleweed and openSUSE MicroOS, Kali Linux, Arch Linux, Alpine, and others.

Fedora Rawhide

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Fedora 41

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.

https://lists.debian.org/debian-security-announce/2024/msg00057.html

openSUSE Tumbleweed and openSUSE MicroOS

https://news.opensuse.org/2024/03/29/xz-backdoor/ Between March 7 and March 28, Tumbleweed and MicroOS shipped the backdoored version of xz.

Kali Linux

https://www.kali.org/blog/about-the-xz-backdoor/ The backdoor affected Kali between March 26 and March 29, during which xz-utils 5.6.0-0.2 was available.

Arch Linux

https://archlinux.org/news/the-xz-package-has-been-backdoored/

Alpine edge

https://pkgs.alpinelinux.org/package/edge/main/x86/xz

We again advise users of the affected operating systems to check their system security and avoid exposure. The installed xz-utils version can be checked with "xz -V" or "xz --version".

The following script can also be used for a self-check:

#!/bin/bash

# script to detect CVE-2024-3094

# original script:
# https://www.openwall.com/lists/oss-security/2024/03/29/4

# modified (fixed and features added) by cyclone
# https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh

# tested on debian

# https://nvd.nist.gov/vuln/detail/CVE-2024-3094
# https://github.com/advisories/GHSA-rxwq-x6h5-x525

# v1.0.0; 2024-03-29

set -eu

clear

echo "Checking system for CVE-2024-3094 Vulnerability..."
echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"

# find path to liblzma used by sshd
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
sshd_path=$(whereis -b sshd | awk '{print $2}')
path=$(ldd "$sshd_path" 2>/dev/null | grep liblzma | awk '{print $3}' | head -n 1)

if [ -z "$path" ]; then
echo
echo "Probably not vulnerable (liblzma not found)"
exit
fi

# check for function signature
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
echo
echo "Checking for function signature in liblzma..."
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'; then
echo "Function signature in liblzma: VULNERABLE"
else
echo "Function signature in liblzma: OK"
fi

# check xz version
xz_version=$(xz --version | head -n1 | awk '{print $4}')
pwn_version="5.6.0"
echo
echo "Checking xz version..."
if [[ "$(printf '%s\n' "$xz_version" "$pwn_version" | sort -V | head -n1)" == "$pwn_version" ]]; then
echo "xz version $xz_version: VULNERABLE"
else
echo "xz version $xz_version: OK"
fi
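The script above flags any xz at or above 5.6.0. As an added example (not part of the advisory or of the quoted detection script), the POSIX sh functions below check the installed version against exactly the affected range 5.6.0 through 5.6.1 named in the advisory, ignore distribution suffixes such as "5.6.0-0.2", and return a distinct status when the version string cannot be parsed. The function names and the sample `xz --version` output are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example: offline version-range check for the CVE-2024-3094 affected releases.
# Function names and the sample output below are assumptions, not from the advisory.

# Constructed sample of `xz --version` output from an affected build.
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Extract the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the text as $1 so it can be
# checked on captured output without running xz.
xz_version_from_output() {
    printf '%s\n' "$1" | head -n 1 | awk '{print $4}'
}

# Return 0 if the version falls in the affected range 5.6.0 .. 5.6.1 (inclusive),
# 1 if it is outside the range, 2 if it cannot be parsed.
# Anything after the first character that is not a digit or a dot is ignored,
# so "5.6.0-0.2" compares as 5.6.0.
xz_version_affected() {
    base=${1%%[!0-9.]*}
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    for n in "$major" "$minor" "$patch"; do
        case "$n" in
            ''|*[!0-9]*) return 2 ;;
        esac
    done
    [ "$major" -eq 5 ] && [ "$minor" -eq 6 ] && [ "$patch" -le 1 ]
}

# Run the check against the installed xz, if any, and print a verdict.
# Exit status: 0 not affected, 1 affected, 2 version unknown.
report_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed: not affected by CVE-2024-3094"
        return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    xz_version_affected "$ver" && rc=0 || rc=$?
    case "$rc" in
        0) echo "xz $ver: in the affected range 5.6.0-5.6.1 (CVE-2024-3094)"; return 1 ;;
        1) echo "xz $ver: not in the affected range"; return 0 ;;
        *) echo "xz version could not be parsed: '$ver'"; return 2 ;;
    esac
}

report_installed_xz
```

The range check is deliberately separate from the reporting function so that it can be exercised on captured version strings; on a live host, `report_installed_xz` reads `xz --version` itself. This only confirms the package version; the function-signature check in the script above remains the more direct test of whether the backdoored liblzma is actually loaded by sshd.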

Originally published on the WeChat official account (Knownsec): [Knownsec 404 Lab] Alert: the xz-utils package in the Linux ecosystem was attacked and backdoored (CVE-2024-3094)
