Today, Microsoft released guidance and an announcement about the XZ Utils backdoor vulnerability (CVE-2024-3094). This security vulnerability is a critical flaw with a CVSS (Common Vulnerability Scoring System) score of 10.0, affecting multiple Linux distributions, namely Fedora, Kali Linux, OpenSUSE, and Alpine, potentially having a massive global impact.
Fortunately, Microsoft Linux developer Andres Freund stumbled upon this vulnerability early. He was curious about why SSH (Secure Shell) connections were taking about 500 milliseconds longer than expected, and investigating that delay led to the discovery of a malicious backdoor embedded in the XZ file compressor.
At the time of writing, VirusTotal lists only 4 of 63 security vendors, Microsoft among them, as having correctly identified the severity of this vulnerability.
The Microsoft engineer's sharp eye in this incident is therefore commendable, as many people would not have bothered to investigate such a small delay. The event also highlights how open-source software can be targeted by malicious actors.
Versions 5.6.0 and 5.6.1 of XZ Utils have been compromised with a backdoor, and the official recommendation from the Cybersecurity and Infrastructure Security Agency (CISA) is to downgrade to an older, uncompromised version.
According to the recommendation guide, to verify whether the system has the vulnerable software installed, users can run the following command in an SSH session with administrative privileges:
- xz --version
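As an added example (not from the article, CISA or Microsoft), the following POSIX shell helper parses the output of `xz --version` and flags the two backdoored releases named above; the sample output strings are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: flag an XZ Utils build whose version is one of the two
# backdoored releases (5.6.0, 5.6.1) tied to CVE-2024-3094.

# Extract the version number from `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) if the version string is a known-backdoored release.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check of the running system: returns 0 if the installed xz is a
# backdoored release, 1 if not, 2 if xz is not installed.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    out=$(xz --version 2>/dev/null)
    ver=$(xz_version_from_output "$out")
    if is_backdoored_xz_version "$ver"; then
        echo "AFFECTED: xz $ver is a backdoored release (CVE-2024-3094)"
        return 0
    fi
    echo "not a known-backdoored version: xz ${ver:-unknown}"
    return 1
}

# Constructed sample outputs (the article does not include real ones).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
```

Call `check_installed_xz` to test the local machine; a version match is only a first screen, since a distribution may ship a patched package that still reports 5.6.x, so the package advisory or a dedicated scanner should confirm the result.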
System administrators can also use third-party scanning and detection tools. Security research companies Qualys and Binarly have released detection and scanning tools to check if systems are affected.
Qualys released VULNSIGS 2.6.15-6, which tracks the vulnerability under Qualys Vulnerability Detection ID (QID) 379548.
Meanwhile, Binarly also released a free XZ backdoor scanning tool, which raises an “XZ malicious implant” detection alert if the installed XZ Utils build is compromised.
More technical details related to this vulnerability can be found on the Binarly and Qualys websites.