# CVE-2024-3094 XZ Utils vulnerability research collaboration workspace
This is an unofficial HackMD workspace for research on the infamous CVE-2024-3094 vulnerability.
<https://hackmd.io/@cve-2024-3094/home>
:::info
This platform is based on [HackMD](https://hackmd.io)'s Book Mode; please refer to the [Book example](https://hackmd.io/book-example) and the tutorial below for help on editing.
Click the edit (pencil) button in the navigation bar to start editing.
:::
:::warning
**Disclaimer:**
* This work is NOT endorsed NOR maintained by the XZ Utils upstream project.
* This work may reference materials that may compromise your computer's security, use it at your own risk.
* This work shall NOT be used as a basis for doxxing any person/entity/nation. Currently it is uncertain who is actually behind this operation; **any research on specific individuals is merely an investigation of the matter, not an accusation that they are conducting this attack.**
* This work is initiated by [林博仁(Buo-ren Lin)](https://brlin.tw/), contact <buo.ren.lin+cve@gmail.com> for matters related to this work that require my attention.
:::
:::danger
Contributing content to this work **implies that you agree to waive your copyright and release your content to the Public Domain** under the full extent of the law.
:::
* [Homepage🏠](https://hackmd.io/@cve-2024-3094/home)
<!--
Tips:
* Place the text cursor immediately to the left of the closing square bracket, and you can directly create a new page with that title.
* Some Web content cannot be displayed in the iframe on the right side due to security restrictions of the referenced website; you may append `[target=_blank]` to such links to force them to open in a new browser tab/window.
-->
## Generic information❓
* [XZ Utils backdoor - Wikipedia](https://en.wikipedia.org/wiki/XZ_Utils_backdoor)
* [oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise](https://www.openwall.com/lists/oss-security/2024/03/29/4)
The mailing list thread that disclosed the vulnerability to the public.
* [research!rsc: Timeline of the xz open source attack](https://research.swtch.com/xz-timeline)
An event timeline of the incident made by Russ Cox.
* [XZ Utils backdoor](https://tukaani.org/xz-backdoor/)
Notice from the XZ Utils upstream project.
* [FAQ on the xz-utils backdoor](https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27) [target=_blank]
An F.A.Q. post endorsed by the upstream project (as indicated by their IRC channel's topic string).
* [XZ Outbreak (CVE-2024-3094)](https://twitter.com/fr0gger_/status/1774342248437813525) [target=_blank]
Infographic that explains this vulnerability in simple terms by Thomas Roccia.
* [CVE-2024-3094 | CVE Record | CVE](https://www.cve.org/CVERecord?id=CVE-2024-3094) [target=_blank]
CVE vulnerability database entry.
* [NVD - CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094) [target=_blank]
NVD vulnerability database entry.
## Security advisories❗
* [CVE-2024-3094 | Ubuntu](https://ubuntu.com/security/CVE-2024-3094) [target=_blank]
From the Ubuntu GNU/Linux distribution.
* [[SECURITY] [DSA 5649-1] xz-utils security update](https://lists.debian.org/debian-security-announce/2024/msg00057.html) [target=_blank]
From the Debian GNU/Linux distribution.
+ [CVE-2024-3094 | Debian Security Bug Tracker](https://security-tracker.debian.org/tracker/CVE-2024-3094) [target=_blank]
Corresponding Debian security tracker entry.
* [CVE-2024-3094 - Red Hat Customer Portal](https://access.redhat.com/security/cve/CVE-2024-3094) [target=_blank]
From the Red Hat Enterprise Linux (RHEL) GNU/Linux distribution.
* [Urgent security alert for Fedora 41 and Fedora Rawhide users](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users) [target=_blank]
From the Fedora GNU/Linux distribution.
* [CVE-2024-3094 Common Vulnerabilities and Exposures | SUSE](https://www.suse.com/security/cve/CVE-2024-3094.html) [target=_blank]
From the SUSE Linux Enterprise/openSUSE GNU/Linux distributions.
* [928134 – (CVE-2024-3094) >=app-arch/xz-utils-5.6.0: backdoor in release tarballs](https://bugs.gentoo.org/show_bug.cgi?id=CVE-2024-3094) [target=_blank]
From the Gentoo GNU/Linux distribution.
* [All about the xz-utils backdoor | Kali Linux Blog](https://www.kali.org/blog/about-the-xz-backdoor/)
From the Kali Linux GNU/Linux distribution.
* [[ASA-202403-1] xz: arbitrary code execution - Arch Linux](https://security.archlinux.org/ASA-202403-1) [target=_blank]
From the Arch Linux GNU/Linux distribution.
+ [Arch Linux - News: The xz package has been backdoored](https://archlinux.org/news/the-xz-package-has-been-backdoored/) [target=_blank]
Additional information.
* [[DEV] Security Advisory for xz-utils Package : r/termux](https://www.reddit.com/r/termux/comments/1br1jdq/dev_security_advisory_for_xzutils_package/)
From the Termux mobile application/software distribution, credits to askorbinovaya_kislota@Matrix for giving the pointers.
* [Malicious code was discovered in the upstream tarballs of... · CVE-2024-3094 · GitHub Advisory Database](https://github.com/advisories/GHSA-rxwq-x6h5-x525) [target=_blank]
From GitHub.
* [Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 | CISA](https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094) [target=_blank]
From the United States government.
* [CVE-2024-3094 - Security Bulletins - Amazon Web Services (AWS)](https://aws.amazon.com/security/security-bulletins/AWS-2024-002/) [target=_blank]
From Amazon Web Services (AWS).
## Prevention for future projects💉
* [Consider hardening check_c_source_compiles (#25846) · Issues · CMake / CMake · GitLab](https://gitlab.kitware.com/cmake/cmake/-/issues/25846) [target=_blank]
Discussions on how to mitigate the risk of tampering attempts for the `check_c_source_compiles` CMake directive.
* [Xz format inadequate for long-term archiving](https://www.nongnu.org/lzip/xz_inadequate.html)
Mitigate the risk by avoiding the XZ archival/compression format in the first place, as (according to the lzip author) there are many problems within the format.
## Vulnerability mitigation efforts💊
* [#1068024 - revert to version that does not contain changes by bad actor - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024)
From the Debian GNU/Linux operating system distribution.
* [xz-unscathed - Fork of xz from before the involvement of the attacker who backdoored it](https://git.joeyh.name/index.cgi/xz-unscathed/)
A third-party XZ Utils fork by Joey Hess that drops all contributions from the suspected malicious actor(s).
## Reverse engineering efforts 🔍⛏
* [Everything I know about the XZ backdoor](https://boehs.org/node/everything-i-know-about-the-xz-backdoor)
Authored by Evan Boehs.
* [q3k :blobcatcoffee:: "I have managed to to extract a list of encoded strings within the liblzma/xz backdoor payload…" - Warsaw Hackerspace Social Club](https://social.hackerspace.pl/@q3k/112184695043115759) [target=_blank]
+ [liblzma backdoor strings extracted from 5.6.1 (from a built-in trie)](https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01#file-hashes-txt-L115) [target=_blank]
+ [zeno: "@q3k I got too curious about what that weird string was so I did a test, seems to just "defuse" the backdoor as running sshd with it makes it exit much faster than without." - Piaille](https://piaille.fr/@zeno/112185928685603910) [target=_blank]
* [Home · Midar/xz-backdoor-documentation Wiki](https://github.com/Midar/xz-backdoor-documentation/wiki) [target=_blank]
Collaborative research wiki created by Jonathan Schleifer.
* [[WIP] XZ Backdoor Analysis and symbol mapping](https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504)
Provides proper names for the faked function symbols of the injected binary.
* [Filippo Valsorda: "I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission. The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system(). It's RCE, not auth bypass, and gated/unreplayable." — Bluesky](https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b) [target=_blank]
Explains how the vulnerability is actually exploited over SSH.
* [xz/liblzma: Bash-stage Obfuscation Explained - gynvael.coldwind//vx.log](https://gynvael.coldwind.pl/?lang=en&id=782)
* [Cyberstorm.mu blog: xz without seatbelts ?](https://cyberstormdotmu.blogspot.com/2024/03/xz-without-seatbelts.html)
Explains the Landlock sandboxing sabotage effort by Jia Tan.
* [modify_ssh_rsa_pubkey.py](https://gist.github.com/keeganryan/a6c22e1045e67c17e88a606dfdf95ae4)
* [ruby nealon on X: "The setup behind the CVE-2024-3094 supply-chain attack is fascinating. I originally wanted to finish and share a tool to audit other OSS projects for anomalous contributor behavior, but I feel what I found trying to MVP it is way more interesting. 🧵 1/25 https://t.co/Mc7GTfAnca https://t.co/73fpPjrVYa" / X](https://twitter.com/_ruby/status/1774073953440747664) [target=_blank]
* [GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)](https://github.com/amlweems/xzbot) [target=_blank]
Notes on how the vulnerability is exploited, and a honeypot implementation that records actual exploitation attempts.
## Potential evil actor identity research efforts🔍🧟
* [clickhouse has pretty good github_events dataset on playground that folks can use to do some research - some info on the dataset... | Hacker News](https://news.ycombinator.com/item?id=39870048) [target=_blank]
* [1nternaut on X: "I found a x/twitter user associated with "jiat0218@gmail.com" by leveraging x/twitter's password reset function: https://t.co/rQnl92oOSV #XZUtils https://t.co/H6HhIYjkaL" / X](https://twitter.com/1nternaut/status/1774160687473815613) [target=_blank]
Reveals an X (Twitter) account bound to the committer's e-mail address.
+ [カドウ (@jiat75107) / X](https://twitter.com/jiat75107) [target=_blank]
The X (Twitter) account bound to the committer's e-mail address.
* [XZ Backdoor: Times, damned times, and scams](https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and) [target=_blank]
Research on the (assumed to be) evil actor's work time by Rhea Karty and Simon Henniger.
* [Social engineering aspect of the XZ incident | Securelist](https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/)
Details the social engineering attacks that occurred in this incident.
## Changes made by potential evil actor🩹🧟
* [git.tukaani.org - xz.git/commitdiff - Build: Fix Linux Landlock feature test in Autotools and CMake builds. by Jia Tan](https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7)
This commit sneaks in a minor change (the "+." line in the CMakeLists.txt file) that intentionally breaks the Linux Landlock sandboxing support.
## Discussion channels💬
* [The Tukaani project’s IRC channel](https://tukaani.org/contact.html#_irc)
The XZ Utils upstream project's IRC channel.
* [XZ Backdoor Reversing](https://www.openwall.com/lists/oss-security/2024/03/30/26)
Bridged Matrix/IRC/Discord chat rooms focused on reverse engineering coordination, set up by Jonathan Schleifer.
<!--
## Media Resource Kit🎨📷📹
Here is a collection of some re-usable media materials; **please respect the rights of the material holders and only use them under the fair use principle**.
* [Picture Resources]
* [Video Resources]
-->
## Media coverage📺📰
* [A backdoor in xz [LWN.net]](https://lwn.net/Articles/967180/) [target=_blank]
* [Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros | The Hacker News](https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html)
* [Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094) - Help Net Security](https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/)
* [Backdoor discovered in the XZ Utils library, multiple Linux versions affected! Attackers can take remote control of systems, Information Security 資安人科技網](https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=11015&mod=1)
Taiwanese IT media report, only providing generic information of the incident.
* [Someone (suspected to be a CCP technical agent) poisoned foundational software with a backdoor; Linux has already been hit, and a few macOS users are affected - 新·品葱](https://www.pincong.rocks/article/70394) [target=_blank]
Chinese article explaining this incident, and suspecting it may be a China state-sponsored attack.
* [Users connecting to systems via SSHD beware! A hacker supply-chain attack targeted the XZ Utils library to plant a hidden backdoor; multiple Linux distributions are affected | iThome](https://www.ithome.com.tw/news/162040) [target=_blank]
Taiwanese IT media report, only providing generic information of the incident.
* [[Security warning] A backdoor was planted upstream in xz and liblzma versions 5.6.0~5.6.1, affecting all x64 Linux and macOS - V2EX](https://web.archive.org/web/20240330083006/https://www.v2ex.com/t/1028288) [target=_blank]
Chinese article explaining this incident, including logic reverse-engineered from the malicious injected payload.
* [xz hit by a nuclear-grade vulnerability rated 10/10; the open-source community's repositories have been blown away - 知乎](https://zhuanlan.zhihu.com/p/689992369) [target=_blank]
Another Chinese article explaining this incident, with generic information only.
## Usage help📖
* [HackMD Tutorial Book](https://hackmd.io/c/tutorials)
Explains basic usage of HackMD.
* [Book Mode example](https://hackmd.io/book-example)
Explains how to make changes to a HackMD book mode note.
* [Daring Fireball: Markdown Syntax Documentation](https://daringfireball.net/projects/markdown/syntax)
Explains the original Markdown markup syntax.
* [CommonMark Spec](https://spec.commonmark.org/current/)
Explains the CommonMark Markdown markup syntax (which is used by HackMD).
* [GitHub Flavored Markdown Spec](https://github.github.com/gfm/)
Explains common extensions to the Markdown syntax.
* [ikatyang/emoji-cheat-sheet: A markdown version emoji cheat sheet](https://github.com/ikatyang/emoji-cheat-sheet) [target=_blank]
For small cliparts to show in the section names.
* [Full Emoji List](https://unicode.org/emoji/charts/full-emoji-list.html)
For small cliparts to show in the section names.
## Learning📚
* [How to extract the malware payload :hourglass:](/dW5eFP1LR_C3TL9T026UnQ)
## Powered By🔌
* [HackMD](https://hackmd.io/)
The platform hosting this workspace.
* [HackMD Disaster Information Integration Platform Template](https://bit.ly/disaster-information-integration-platform-template-hackmd)
The template this workspace is based on.
And you!