# CVE-2024-3094 XZ Utils vulnerability research collaboration workspace This is an unofficial HackMD workspace for the research of the infamous CVE-2024-3094 vulnerability. <https://hackmd.io/@cve-2024-3094/home> :::info This platform is based on [HackMD](https://hackmd.io)'s Book Mode, please refer the [Book example](https://hackmd.io/book-example) and the tutorial below for help on editing. Click the <span style="padding: 1px 1.5px 3px 3.5px; background: white; border-radius: 5px; margin: 0px 4px;"><i class="fa fa-pencil fa-fw"></i></span> button at the navigation bar to start editing. ::: :::warning **Disclaimer:** * This work is NOT endorsed NOR maintained by the XZ Utils upstream project. * This work may reference materials that may compromise your computer's security, use it at your own risk. * This work shall NOT be used as a basis for doxxing any person/entity/nation. Currently it is uncertain who is actually behind this operation, **any research on specific individuals are merely to investigate on the matter instead of accusations of they are conducting this attack.** * This work is initiated by [林博仁(Buo-ren Lin)](https://brlin.tw/), contact <buo.ren.lin+cve@gmail.com> for matters related to this work that require my attention. ::: :::danger Contributing content to this work **implies that you agree to waive your copyright and release your content to the Public Domain** under the full extent of the law. ::: * [Homepage🏠](https://hackmd.io/@cve-2024-3094/home) <!-- Tips: * Place the text insertion indicator to the right square bracket's left side, and you can directly create a new page with the title. * Some Web content are not able to displayed at the right side of the iframe due to safety restrictions of the referred website, you may append `[target=_blank]` to the links to set these content to be forced loaded in a new browser tab/window. --> ## Generic information❓ * [XZ Utils backdoor - Wikipedia](https://en.wikipedia.org/wiki/XZ_Utils_backdoor) * [oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise](https://www.openwall.com/lists/oss-security/2024/03/29/4) The mailing list thread that disclosed the vulnerability to the public. * [research!rsc: Timeline of the xz open source attack](https://research.swtch.com/xz-timeline) An event timeline of the incident made by Russ Cox. * [XZ Utils backdoor](https://tukaani.org/xz-backdoor/) Notice from the XZ Utils upstream project * [FAQ on the xz-utils backdoor](https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27) [target=_blank] An F.A.Q. post endorsed by the upstream project(as indicated by their IRC channel's topic string). * [XZ Outbreak (CVE-2024-3094)](https://twitter.com/fr0gger_/status/1774342248437813525) [target=_blank] Infographic that explains this vulnerability in simple terms by Thomas Roccia. * [CVE-2024-3094 | CVE Record | CVE](https://www.cve.org/CVERecord?id=CVE-2024-3094) [target=_blank] CVE vulnerability database entry. * [NVD - CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094) [target=_blank] NVD vulnerability database entry. ## Security advisories❗ * [CVE-2024-3094 | Ubuntu](https://ubuntu.com/security/CVE-2024-3094) [target=_blank] From the Ubuntu GNU/Linux distribution. * [[SECURITY] [DSA 5649-1] xz-utils security update](https://lists.debian.org/debian-security-announce/2024/msg00057.html) [target=_blank] From the Debian GNU/Linux distribution. + [CVE-2024-3094 | Debian Security Bug Tracker](https://security-tracker.debian.org/tracker/CVE-2024-3094) [target=_blank] Corresponding Debian security tracker entry. * [CVE-2024-3094 - Red Hat Customer Portal](https://access.redhat.com/security/cve/CVE-2024-3094) [target=_blank] From the Red Hat Enterprise Linux(RHEL) GNU/Linux distribution. * [Urgent security alert for Fedora 41 and Fedora Rawhide users](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users) [target=_blank] From the Fedora GNU/Linux distribution. * [CVE-2024-3094 Common Vulnerabilities and Exposures | SUSE](https://www.suse.com/security/cve/CVE-2024-3094.html) [target=_blank] From the SUSE Linux Enterprise/OpenSUSE GNU/Linux distribution. * [928134 – (CVE-2024-3094) >=app-arch/xz-utils-5.6.0: backdoor in release tarballs](https://bugs.gentoo.org/show_bug.cgi?id=CVE-2024-3094) [target=_blank] From the Gentoo GNU/Linux distribution. * [All about the xz-utils backdoor | Kali Linux Blog](https://www.kali.org/blog/about-the-xz-backdoor/) From the Kali Linux GNU/Linux distribution. * [[ASA-202403-1] xz: arbitrary code execution - Arch Linux](https://security.archlinux.org/ASA-202403-1) [target=_blank] From the Arch Linux GNU/Linux distribution. + [Arch Linux - News: The xz package has been backdoored](https://archlinux.org/news/the-xz-package-has-been-backdoored/) [target=_blank] Additional information. * [[DEV] Security Advisory for xz-utils Package : r/termux](https://www.reddit.com/r/termux/comments/1br1jdq/dev_security_advisory_for_xzutils_package/) From the Termux mobile application/software distribution, credits to askorbinovaya_kislota@Matrix for giving the pointers. * [Malicious code was discovered in the upstream tarballs of... · CVE-2024-3094 · GitHub Advisory Database](https://github.com/advisories/GHSA-rxwq-x6h5-x525) [target=_blank] From GitHub. * [Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 | CISA](https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094) [target=_blank] From the United States goverment. * [CVE-2024-3094 - Security Bulletins - Amazon Web Services (AWS)](https://aws.amazon.com/security/security-bulletins/AWS-2024-002/) [target=_blank] From Amazon Web Services (AWS). ## Prevention for future projects💉 * [Consider hardening check_c_source_compiles (#25846) · Issues · CMake / CMake · GitLab](https://gitlab.kitware.com/cmake/cmake/-/issues/25846) [target=_blank] Discussions on how to mitigate the risk of tampering attempts for the `check_c_source_compiles` CMake directive. * [Xz format inadequate for long-term archiving](https://www.nongnu.org/lzip/xz_inadequate.html) Mitigate the risk by avoiding to use the XZ archival/compression format in the first place, as there are (according to lzip author) many problems with-in the format. ## Vulnerability mitigation efforts💊 * [#1068024 - revert to version that does not contain changes by bad actor - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024) From the Debian GNU/Linux operating system distribution. * [xz-unscathed - Fork of xz from before the involvement of the attacker who backdoored it](https://git.joeyh.name/index.cgi/xz-unscathed/) A third-party XZ Utils fork that drops all the involvement of the potential evil actor(s) by Joey Hess. ## Reverse engineering efforts 🔍⛏ * [Everything I know about the XZ backdoor](https://boehs.org/node/everything-i-know-about-the-xz-backdoor) Authored by Evan Boehs * [q3k :blobcatcoffee:: "I have managed to to extract a list of encoded strings within the liblzma/xz backdoor payload…" - Warsaw Hackerspace Social Club](https://social.hackerspace.pl/@q3k/112184695043115759) [target=_blank] + [liblzma backdoor strings extracted from 5.6.1 (from a built-in trie)](https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01#file-hashes-txt-L115) [target=_blank] + [zeno: "@q3k I got too curious about what that weird string was so I did a test, seems to just "defuse" the backdoor as running sshd with it makes it exit much faster than without." - Piaille](https://piaille.fr/@zeno/112185928685603910) [target=_blank] * [Home · Midar/xz-backdoor-documentation Wiki](https://github.com/Midar/xz-backdoor-documentation/wiki) [target=_blank] Collaboration research wiki created by Jonathan Schleifer * [[WIP] XZ Backdoor Analysis and symbol mapping](https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504) Provide proper names for the faked function symbols of the injected binary. * [Filippo Valsorda: "I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission. The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system(). It's RCE, not auth bypass, and gated/unreplayable." — Bluesky](https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b) [target=_blank] Explains how the vulnerability is actually exploited over SSH. * [xz/liblzma: Bash-stage Obfuscation Explained - gynvael.coldwind//vx.log](https://gynvael.coldwind.pl/?lang=en&id=782) * [Cyberstorm.mu blog: xz without seatbelts ?](https://cyberstormdotmu.blogspot.com/2024/03/xz-without-seatbelts.html) Explains the Landlock sandboxing sabotage effort by Jia Tan. * [modify_ssh_rsa_pubkey.py](https://gist.github.com/keeganryan/a6c22e1045e67c17e88a606dfdf95ae4) * [X 上的 ruby nealon：「The setup behind the CVE-2024-3094 supply-chain attack is fascinating. I originally wanted to finish and share a tool to audit other OSS projects for anomalous contributor behavior, but I feel what I found trying to MVP it is way more interesting. 🧵 1/25 https://t.co/Mc7GTfAnca https://t.co/73fpPjrVYa」 / X](https://twitter.com/_ruby/status/1774073953440747664) [target=_blank] * [GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)](https://github.com/amlweems/xzbot) [target=_blank] Notes regarding how the vulnerability being exploited and a honeypot implementation to record the exact exploitation. ## Potential evil actor identity research efforts🔍🧟 * [clickhouse has pretty good github_events dataset on playground that folks can use to do some research - some info on the dataset... | Hacker News](https://news.ycombinator.com/item?id=39870048) [target=_blank] * [X 上的 1nternaut：「I found a x/twitter user associated with "jiat0218@gmail.com" by leveraging x/twitter's password reset function: https://t.co/rQnl92oOSV #XZUtils https://t.co/H6HhIYjkaL」 / X](https://twitter.com/1nternaut/status/1774160687473815613) [target=_blank] Reveals a X(Twitter) account that is bound with the committer's e-mail address. + [カドウ (@jiat75107) / X](https://twitter.com/jiat75107) [target=_blank] The X(Twitter) account that is bound with the committer's e-mail address. * [XZ Backdoor: Times, damned times, and scams](https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and) [target=_blank] Research on the (assumed to be) evil actor's work time by Rhea Karty and Simon Henniger. * [Social engineering aspect of the XZ incident | Securelist](https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/) Details the social engineering attacks occurred in this incident. ## Changes made by potential evil actor🩹🧟 * [git.tukaani.org - xz.git/commitdiff - Build: Fix Linux Landlock feature test in Autotools and CMake builds. by Jia Tan](https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7) This change sneaks a minor change(The "+." line of the CMakeLists.txt file) that intentionally breaks the Linux Landlock sandboxing support. ## Discussion channels💬 * [The Tukaani project’s IRC channel](https://tukaani.org/contact.html#_irc) The XZ Utils upstream project's IRC channel. * [XZ Backdoor Reversing](https://www.openwall.com/lists/oss-security/2024/03/30/26) A bridged-together Matrix/IRC/Discord chat rooms focusing on reverse engineering coordination by Jonathan Schleifer. <!-- ## Media Resource Kit🎨📷📹 Here are the collection some re-usable media materials, **please respect the rights of the material holders and only use them under the fair use principle** * [Picture Resources] * [Video Resources] --> ## Media coverage📺📰 * [A backdoor in xz [LWN.net]](https://lwn.net/Articles/967180/) [target=_blank] * [Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros | The Hacker News](https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html) * [Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094) - Help Net Security](https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/) * [XZ Utils庫驚爆後門，多個Linux版本受害！駭客可遠端取得系統控制權,Information Security 資安人科技網](https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=11015&mod=1) Taiwanese IT media report, only providing generic information of the incident. * [有人（疑似中共技术特工）向基础软件投毒植入后门，已有Linux中招，少数MacOS用户受影响 - 新·品葱](https://www.pincong.rocks/article/70394) [target=_blank] Chinese article explaining this incident, and suspecting it may be a China state-sponsored attack. * [使用SSHD連接到系統的用戶當心！因為駭客供應鏈攻擊鎖定XZ Utils庫植入隱密後門，多個Linux發行版受影響 | iThome](https://www.ithome.com.tw/news/162040) [target=_blank] Taiwanese IT media report, only providing generic information of the incident. * [[安全警告] xz 和 liblzma 5.6.0~5.6.1 版本上游被植入后门，影响所有 x64 架构 Linux 和 macOS - V2EX](https://web.archive.org/web/20240330083006/https://www.v2ex.com/t/1028288) [target=_blank] Chinese article explaining this incident, including logic reverse-engineered from the malicious injected payload. * [xz爆出10分的核弹级漏洞，开源社区的仓库都被炸没了 - 知乎](https://zhuanlan.zhihu.com/p/689992369) [target=_blank] Another Chinese explaining this incident, generic information. ## Usage help📖 * [HackMD Tutorial Book](https://hackmd.io/c/tutorials) Explains basic usage of HackMD. * [Book Mode example](https://hackmd.io/book-example) Explains how to make changes to a HackMD book mode note. * [Daring Fireball: Markdown Syntax Documentation](https://daringfireball.net/projects/markdown/syntax) Explains the original Markdown markup syntax. * [CommonMark Spec](https://spec.commonmark.org/current/) Explains the CommonMark Markdown markup syntax(which is used by HackMD). * [GitHub Flavored Markdown Spec](https://github.github.com/gfm/) Explains common extensions to the Markdown syntax. * [ikatyang/emoji-cheat-sheet: A markdown version emoji cheat sheet](https://github.com/ikatyang/emoji-cheat-sheet) [target=_blank] For small cliparts to show in the section names. * [Full Emoji List](https://unicode.org/emoji/charts/full-emoji-list.html) For small cliparts to show in the section names. ## Learning📚 * [How to extract the malware payload :hourglass:](/dW5eFP1LR_C3TL9T026UnQ) ## Powered By🔌 * [HackMD](https://hackmd.io/) The platform hosting this workspace. * [HackMD Disaster Information Integration Platform Template](https://bit.ly/disaster-information-integration-platform-template-hackmd) The template this workspace is based on. And you!