Skip to content

This repository contains a Bash script and a one-liner command to verify if a system is running a vulnerable version of the "xz" utility, as specified by CVE-2024-3094.

License

Notifications You must be signed in to change notification settings

Hacker-Hermanos/CVE-2024-3094_xz_check

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 

Repository files navigation

CVE-2024-3094 xz Check Script

This repository contains a Bash script and a one-liner command to verify if a system is running a vulnerable version of the "xz" utility, as specified by CVE-2024-3094.

See the description and impact statement below from information available via RedHat https://access.redhat.com/security/cve/CVE-2024-3094:

"Malicious code was identified in the upstream tarballs of "xz" starting from version 5.6.0. This code involves a complex method where the build process of liblzma extracts a prebuilt object file from a disguised test file within the source code. This file is then utilized to alter specific functions within the liblzma code, leading to a compromised liblzma library. Any software linked against this modified library may intercept and alter data interactions with the library, potentially exposing systems to security risks.

The investigation to date reveals that the impacted packages are confined to Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No Red Hat Enterprise Linux (RHEL) versions are affected by this issue.

The vulnerability stems from malicious injection found in xz versions 5.6.0 and 5.6.1, specifically within the tarball download package. The Git distribution does not include the M4 macro responsible for triggering the build of the malicious code. However, the Git repository does contain second-stage artifacts intended for injection during build time if the malicious M4 macro is present. Absent integration into the build, these 2nd-stage files are harmless. Demonstrations of the vulnerability revealed interference with the OpenSSH daemon, which, while not directly linked to the liblzma library, interacts with systemd in a manner that makes it susceptible to the malware, given systemd's linkage to liblzma."

"The xz-utils package, starting from versions 5.6.0 to 5.6.1, was found to contain a backdoor (CVE-2024-3094). This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized access to the entire system remotely.

With a library this widely used, the severity of this vulnerability poses a threat to the entire Linux ecosystem. Luckily, this issue was caught quickly so the impact was significantly less than it could have been. It has already been patched in Debian, and therefore, Kali Linux.

The impact of this vulnerability affected Kali between March 26th to March 29th, during which time xz-utils 5.6.0-0.2 was available. If you updated your Kali installation on or after March 26th, but before March 29th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability."

Verification Script

The following Bash script and one-liner command can be used to check if your system is affected by CVE-2024-3094:

command -v xz &>/dev/null && xz_version=$(xz --version | head -n 1 | awk '{print $4}') && { [[ $xz_version == "5.6.0" || $xz_version == "5.6.1" ]] && echo -e "\n[*] This system seems to be VULNERABLE to CVE-2024-3094 since it has a vulnerable version of xz\n\nLearn more about this CVE on this link:\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3094" || echo -e " \n[*] This system DOES NOT SEEM to be vulnerable to CVE-2024-3094."; } || echo "[-] xz package is not installed."

How to check manually for an affected Kali Linux version?

"apt-cache policy liblzma5"

kali@kali:~$ apt-cache policy liblzma5  
liblzma5:  
 Installed: 5.4.5-0.3  
 Candidate: 5.6.1+really5.4.5-1  
 Version table:  
    5.6.1+really5.4.5-1 500  
       500 http://kali.download/kali kali-rolling/main amd64 Packages  
*** 5.4.5-0.3 100  
       100 /var/lib/dpkg/status

If we see the version "5.6.0-0.2" next to Installed: then we must upgrade to the latest version, "5.6.1+really5.4.5-1". We can do this with the following commands:

Command for addressing the issue with the vulnerable package in Kali Linux:

"sudo apt update && sudo apt install -y --only-upgrade liblzma5"

About

This repository contains a Bash script and a one-liner command to verify if a system is running a vulnerable version of the "xz" utility, as specified by CVE-2024-3094.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages