2024年3月29日,有国外安全人员宣称在xz-utils软件包5.6.0到5.6.1版本中,存在被供应链攻击并植入后门风险(https://www.openwall.com/lists/oss-security/2024/03/29/4)。该后门可能会允许恶意行为者破坏sshd身份验证,从而允许对整个系统进行远程未经授权的访问。由于库的使用如此广泛,因此该漏洞的严重性对整个Linux生态系统构成了威胁。
目前各个相关操作系统发布了相关安全公告,目前确定可能受影响的操作系统有:Fedora Rawhide、Fedora 41、Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1. 、openSUSE Tumbleweed and openSUSE MicroOS、Kali Linux、Arch Linux、Alpine等等。
Fedora Rawhide
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Fedora 41
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.
https://lists.debian.org/debian-security-announce/2024/msg00057.html
openSUSE Tumbleweed and openSUSE MicroOS
https://news.opensuse.org/2024/03/29/xz-backdoor/ 3月7日至3月28日期间,Tumbelweed 和 MicroOS 中包含了xz的后门版本
Kali Linux
https://www.kali.org/blog/about-the-xz-backdoor/ 该后门影响Kali的时间为3月26日至3月29日,期间xz-utils 5.6.0-0.2可用
Arch Linux
https://archlinux.org/news/the-xz-package-has-been-backdoored/
Alpine edge
https://pkgs.alpinelinux.org/package/edge/main/x86/xz
我们再次建议相关操作系统用户注意检查系统安全,避免安全风险。可以使用"xz -V或"xz –version"来检查已安装xz-utils的版本。
也可以使用如下脚本进行自查:
#!/bin/bash
# script to detect CVE-2024-3094
# original script:
# https://www.openwall.com/lists/oss-security/2024/03/29/4
# modified (fixed and features added) by cyclone
# https://github.com/cyclone-github/scripts/blob/main/xz\_cve-2024-3094-detect.sh
# tested on debian
# https://nvd.nist.gov/vuln/detail/CVE-2024-3094
# https://github.com/advisories/GHSA-rxwq-x6h5-x525
# v1.0.0; 2024-03-29
set -eu
clear
echo "Checking system for CVE-2024-3094 Vulnerability..."
echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"
# find path to liblzma used by sshd
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
sshd_path=$(whereis -b sshd | awk '{print $2}')
path=$(ldd "$sshd_path" 2>/dev/null | grep liblzma | awk '{print $3}' | head -n 1)
if [ -z "$path" ]; then
echo
echo "Probably not vulnerable (liblzma not found)"
exit
fi
# check for function signature
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
echo
echo "Checking for function signature in liblzma..."
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'; then
echo "Function signature in liblzma: VULNERABLE"
else
echo "Function signature in liblzma: OK"
fi
# check xz version
xz_version=$(xz --version | head -n1 | awk '{print $4}')
pwn_version="5.6.0"
echo
echo "Checking xz version..."
if [[ "$(printf '%s\n' "$xz_version" "$pwn_version" | sort -V | head -n1)" == "$pwn_version" ]]; then
echo "xz version $xz_version: VULNERABLE"
else
echo "xz version $xz_version: OK"
fi