BLUF

On March 29th, 2024, a malicious backdoor was identified in recent releases (5.6.0 and 5.6.1) of the ubiquitous xz-utils Linux compression package and its liblzma library. Tracked as CVE-2024-3094, this vulnerability is likely state-sponsored and received a CVSS score of 10 (out of 10). Exploitation requires a vulnerable host to be running an OpenSSH server that loads liblzma (on the affected distributions this happens through the systemd notification patch, which links sshd against libsystemd) and that the attacker can reach, in practice one exposed to the Internet. The backdoored releases can no longer propagate widely: GitHub has suspended the project's repository, and affected distributions and package managers have reverted to the last known safe version (5.4.6) in many cases.

Analysis

Because it was identified so rapidly, this backdoor only reached a small subset of the Linux population: the rolling-release and testing channels that had already picked up 5.6.x. Had its discovery been delayed a couple of months, the compromised versions were on track to ship in the stable releases of major distributions due this year, and the backdoor could have ended up on a large fraction of the Linux devices deployed this year.

This vulnerability was discovered when a hawk-eyed software engineer, Andres Freund, noticed abnormalities with the SSH daemon on his host: logins were taking noticeably longer than usual, sshd was burning CPU before authentication had even completed, and the liblzma code involved was throwing errors under valgrind.

How likely was it for Andres, or anyone, to notice abnormalities in the resource consumption of a process on their local system? My gut tells me this is unlikely. Experienced and power users of systems watch resources closely (yours truly is often guilty of spending more time in top or Activity Monitor than is necessary during daily computer use), but I expect only those actively working on troubleshooting or programming around the impacted service would notice something amiss, and I have no idea how many people might be doing such work.

We dodged a bullet here. How many other FOSS packages might carry backdoors planted by this, or other, threat actors?

In this case, many eyes did in fact make for shallow bugs, but the groundwork had been laid slowly over roughly two years, with the attacker building trust as a maintainer before landing the payload in the 5.6.0 release, and nobody noticed until four days ago.

If you operate a vulnerability management program, check your scanner vendor's feeds to confirm they have detection in place for this CVE, and review your real-time scan results. It is worth kicking off an ad-hoc scan just for this CVE and verifying that any affected hosts are not Internet accessible. Two facts decide whether a host is actually exploitable: the installed xz/liblzma version (5.6.0 or 5.6.1 is bad) and whether sshd loads liblzma at all; a host with the backdoored library but an sshd that never maps it is still a rebuild-and-rotate job, but not an open door.
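The following triage script is an added example, not part of the original post nor code from the xz or OpenSSH projects. It encodes the two checks above (version string and whether sshd's dynamic dependencies include liblzma) as functions that can be sourced and run against a host, or fed constructed `xz --version` and `ldd` output for testing. The sample `ldd` excerpts below are constructed, not captured from a real host, and the version list assumes only 5.6.0 and 5.6.1 are affected, as the public advisories state.

```shell
#!/bin/sh
# Added example for CVE-2024-3094 triage (not from the original post).
# Assumptions: backdoored releases are xz-utils 5.6.0 and 5.6.1; the payload
# only reaches sshd when liblzma is mapped into the daemon (distros that patch
# sshd to link libsystemd, which in turn pulls in liblzma).

# Return 0 (true) if a version string is one of the backdoored releases.
is_backdoored_xz_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the version from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Distros that reverted the package
# (e.g. "5.6.1+really5.4.5") still report the real upstream version here.
xz_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/.* //p'
}

# Return 0 if ldd output passed as $1 shows liblzma being loaded.
sshd_links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both facts into a verdict a scan report can key on:
#   vulnerable   backdoored version and sshd loads liblzma
#   backdoored   backdoored version present, but sshd does not load it
#   clean        any other version
triage_verdict() {
  version="$1"
  ldd_output="$2"
  if is_backdoored_xz_version "$version"; then
    if sshd_links_liblzma "$ldd_output"; then
      echo vulnerable
    else
      echo backdoored
    fi
  else
    echo clean
  fi
}

# Constructed sample `ldd /usr/sbin/sshd` excerpts (addresses zeroed).
SAMPLE_LDD_LINKED='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)'
SAMPLE_LDD_UNLINKED='	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)'

# Live check against the current host. Exit status is non-zero only for the
# "vulnerable" verdict so the script can gate a remediation playbook.
check_host() {
  ver="$(xz_version_from_output "$(xz --version 2>/dev/null || true)")"
  sshd_path="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
  ldd_out="$(ldd "$sshd_path" 2>/dev/null || true)"
  verdict="$(triage_verdict "$ver" "$ldd_out")"
  echo "xz version: ${ver:-unknown}; sshd: $sshd_path; verdict: $verdict"
  [ "$verdict" != vulnerable ]
}

# Only touch the real host when explicitly asked, so the helpers above can
# be sourced without side effects:  XZ_CHECK_LIVE=1 sh xz_triage.sh
if [ "${XZ_CHECK_LIVE:-0}" = 1 ]; then
  check_host
fi
```

Run it with `XZ_CHECK_LIVE=1` on each host your ad-hoc scan flags; a `backdoored` verdict still means the package must be downgraded or rebuilt and any keys on the host treated as suspect, but `vulnerable` is the set that needs to come off the Internet first.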

Reference