【知道创宇404实验室】警惕Linux生态xz-utils软件包被攻击并植入后门（CVE-2024-3094）

404实验室 知道创宇404实验室 2024-03-30 13:43

2024年3月29日，有国外安全人员宣称在xz-utils软件包5.6.0到5.6.1版本中，存在被供应链攻击并植入后门风险（https://www.openwall.com/lists/oss-security/2024/03/29/4）。
该后门可能会允许恶意行为者破坏sshd身份验证，从而允许对整个系统进行远程未经授权的访问。由于库的使用如此广泛，因此该漏洞的严重性对整个Linux生态系统构成了威胁。

目前各个相关操作系统发布了相关安全公告，目前确定可能受影响的操作系统有：Fedora Rawhide、Fedora 41、Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1. 、openSUSE Tumbleweed and openSUSE MicroOS、Kali Linux、Arch Linux、Alpine等等。

Fedora Rawhide

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Fedora 41

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.

https://lists.debian.org/debian-security-announce/2024/msg00057.html

openSUSE Tumbleweed and openSUSE MicroOS

https://news.opensuse.org/2024/03/29/xz-backdoor/ 3月7日至3月28日期间，Tumbelweed 和 MicroOS 中包含了xz的后门版本

Kali Linux

https://www.kali.org/blog/about-the-xz-backdoor/ 该后门影响Kali的时间为3月26日至3月29日，期间xz-utils 5.6.0-0.2可用

Arch Linux

https://archlinux.org/news/the-xz-package-has-been-backdoored/

Alpine edge

https://pkgs.alpinelinux.org/package/edge/main/x86/xz

我们再次建议相关操作系统用户注意检查系统安全，避免安全风险。
可以使用”xz -V或”xz –version”来检查已安装xz-utils的版本。

也可以使用如下脚本进行自查：

!/bin/bash# script to detect CVE-2024-3094# original script:# https://www.openwall.com/lists/oss-security/2024/03/29/4# modified (fixed and features added) by cyclone# https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh# tested on debian# https://nvd.nist.gov/vuln/detail/CVE-2024-3094# https://github.com/advisories/GHSA-rxwq-x6h5-x525# v1.0.0; 2024-03-29set -euclearecho “Checking system for CVE-2024-3094 Vulnerability…”echo “https://nvd.nist.gov/vuln/detail/CVE-2024-3094″# find path to liblzma used by sshd# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4sshd_path=$(whereis -b sshd | awk ‘{print $2}’)path=$(ldd “$sshd_path” 2>/dev/null | grep liblzma | awk ‘{print $3}’ | head -n 1)if [ -z “$path” ]; then echo echo “Probably not vulnerable (liblzma not found)” exitfi# check for function signature# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4echoecho “Checking for function signature in liblzma…”if hexdump -ve ‘1/1 “%.2x”‘ “$path” | grep -q ‘f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410’; then echo “Function signature in liblzma: VULNERABLE”else echo “Function signature in liblzma: OK”fi# check xz versionxz_version=$(xz –version | head -n1 | awk ‘{print $4}’)pwn_version=”5.6.0″echoecho “Checking xz version…”if [[ “$(printf ‘%s\n’ “$xz_version” “$pwn_version” | sort -V | head -n1)” == “$pwn_version” ]]; then echo “xz version $xz_version: VULNERABLE”else echo “xz version $xz_version: OK”fi