Over the past week, a new vulnerability in the Linux operating system and the XZ compression utility has led to a new security alert and an immediate call to roll back some new updates. While this threat is a massive problem for federal IT systems relying on specific Linux distributions, it also highlights how poorly managed open-source projects can fundamentally undermine federal security. It also demonstrates how state-sponsored actors can use these projects as a staging ground for more extensive Advanced Persistent Threats. 

XZ Utils and CVE-2024-3094

The latest vulnerability in XZ Utils, identified as CVE-2024-3094, is a critical security issue involving a backdoor in the widely used XZ compression library, which is found in multiple Linux distributions. This vulnerability explicitly affects versions 5.6.0 and 5.6.1 of XZ Utils. 

The malicious code modifies functions within the liblzma code, which could allow a malicious actor to intercept and modify data used with the library. This could potentially break SSH authentication to gain unauthorized system access. Notably, the backdoor seems tailored for DEB or RPM packages for the x86-64 architecture built with GCC and the GNU linker, indicating a sophisticated level of targeting and, potentially, the work of an Advanced Persistent Threat (APT).

The Cybersecurity and Infrastructure Security Agency has issued advisories urging users to downgrade to an uncompromised version of XZ Utils (such as XZ Utils 5.4.6) and check for suspicious activity on systems with affected versions installed.

Affected Linux distributions include 

• Fedora Rawhide
• Debian testing, unstable and experimental versions, and 
• Arch Linux’s specific release artifacts 

However, some distributions, such as Amazon Linux, Alpine Linux (except specific versions), Red Hat Enterprise Linux, and others, have stated they are not affected by this vulnerability. 

How Was XZ Utils Compromised?

CVE-2024-3094 infiltrated the code through sophisticated means that leveraged weaknesses in the project’s code review and branch protection mechanisms. A detailed analysis revealed that malicious code was embedded in the upstream packages of XZ, starting with version 5.6.0. 

The code was concealed within extra .m4 files that contained build instructions using automake, which did not exist in the repository’s main branch. This was then used to modify certain functions within the liblzma package during compilation. Consequently, the liblzma library, upon being utilized by other software such as sshd, executed the altered functions, potentially leading to unauthorized system access

The vulnerability’s introduction into the code underscores critical security oversights in the project’s governance. Specifically, no branch protections were in place, allowing developers to push changes to default branches without mandatory code reviews. 

This lack of oversight allowed unreviewed modifications, including malicious ones, to be pushed into production libraries and Linux distributions. This highlights the dangers of using code in production environments regularly updated from open-source projects that don’t correctly maintain security and maintenance standards and how these projects can be a soft target for APTs. 

Addressing and Mitigating CVEs

When a company encounters a CVE notice like CVE-2024-3094, it should take several fundamental steps to respond and mitigate the potential impact effectively. Here’s a structured approach to dealing with such vulnerabilities:

• Assessment and Identification: Begin by thoroughly understanding the CVE details, including which systems, software, or components are affected, the nature of the vulnerability, and how it can be exploited. Identify all systems, applications, and services that use the affected software. This step might involve scanning your environment to find where the vulnerable software versions are deployed.
• Assess Risk: Evaluate the severity of the vulnerability, which is often provided within the CVE notification (e.g., CVSS score), and determine its potential impact on your systems. Based on the severity of the vulnerability and the criticality of affected systems to your business operations, prioritize remediation efforts.
• Mitigation and Remediation: Follow the guidance provided by the software vendor or the community that supports the affected software to apply patches or updates that address the vulnerability. If patches are not immediately available, consider reducing risk by applying temporary mitigations or workarounds suggested in the CVE advisory.
• Communication: Inform relevant stakeholders and teams within your organization about the vulnerability, potential impacts, and planned response. Depending on your business’s vulnerability, you may need to communicate with customers or partners about the risk and your remediation efforts.
  
• Continuous Monitoring: Monitor new vulnerabilities and threats by subscribing to security advisories and threat intelligence feeds.

What Is XZ Utils?

XZ Utils is a collection of tools for the XZ compression format, providing high compression ratios and fast decompression with a relatively low memory footprint. It’s a free software command-line toolset on Linux and other operating systems. The main components of XZ Utils include:

• xz: The primary tool for compressing and decompressing files. It can produce and decompress files with the .xz extension, which is compressed using the LZMA/LZMA2 compression algorithm. The xz command is often used to compress data, such as software packages and archives, to reduce disk space usage and speed up file transfers.
• xzcmp and xzdiff: Tools to compare compressed files. They decompress files on the fly for comparison, making it unnecessary to decompress them before comparing them.
• xzgrep, xzegrep, xzfgrep: These commands allow you to search inside .xz compressed files without explicitly decompressing them first. They are equivalent to grep, egrep, and fgrep but work with .xz files.
• xzmore, xzless: These are filters for viewing compressed text files in a terminal. They allow you to view the content of .xz files page by page, similar to the more and less commands for uncompressed text files.
• Xzdec: A lightweight decompressor for .xz files designed for systems with limited memory. It’s simpler and smaller than the full xz utility and suitable for embedded systems.
• liblzma: It’s not a command but a library that provides LZMA compression and decompression functions. The xz utility and other tools in the XZ Utils package use this library.

XZ Utils is widely used to distribute software packages in many Linux distributions, but it is often unknown or untracked by system administrators. 

Stay Ahead of the Latest CVEs and Updates with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve, including keeping track of the latest threats and their impact on compliance. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

• FedRAMP
• StateRAMP
• NIST 800-53
• FARS NIST 800-171 & 172
• CMMC
• SOC 1 & SOC 2
• HIPAA
• PCI DSS 4.0
• IRS 1075 & 4812
• COSO SOX
• ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
• NIAP Common Criteria
• And dozens more!

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.