Update: Wednesday, April 3, 2024
Because of the security implications involved, we decided to make the mitigation and remediation Worklet code freely available, regardless of whether you’re an Automox customer or not (yet).
If you are an Automox customer, easily deploy the Worklet automation script to mitigate the xz/liblzma vulnerability today.
Evaluation Script
#!/bin/bash
#================================================================
# HEADER
#================================================================
# SYNOPSIS
# This Worklet will check your Linux system for the xz package and determine if it is vulnerable to CVE-2024-3094.
# If the package is vulnerable, the Worklet will attempt to downgrade the package to a non-vulnerable version using
# the appropriate package manager.
#
# DESCRIPTION
# CVE-2024-3094 was identified on March 28, 2024: malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
# Only certain operating systems and operating system versions are affected by this vulnerability. Most versions of Red Hat, CentOS, and Ubuntu are not affected.
# Some testing and beta versions of Debian, Fedora, Alpine, openSUSE, and Arch Linux were found to be affected. Regardless, this Worklet will work on all Linux systems to ensure that the xz package is not vulnerable.
#
#
#
# USAGE
# ./evaluation.sh
#
#
#================================================================
# IMPLEMENTATION
# version 1.0
# author Jeremy Maldonado
#
#================================================================
# HISTORY
# 04/01/2024 : JMaldonado : Worklet Created
#
#================================================================
# END_OF_HEADER
#================================================================
# get_package_manager is an Automox Worklet runtime helper (assumed here to be
# provided by the Worklet environment) that sets the named variable to one of
# dnf, yum, apt or zypper.
get_package_manager my_package_manager
xz_path=$(command -v xz)
if [[ -z "$my_package_manager" ]]; then
    echo "Package Manager could not be identified. Worklet cannot complete. Please run a device scan and run this Worklet again." >&2
    exit 1
else
    echo "Package Manager identified as $my_package_manager."
fi
# `xz --version` prints "xz (XZ Utils) 5.6.1" on its first line; the version is
# the fourth space-separated field.
function get_xz_version () {
    xz_version=$("$xz_path" --version | head -n 1 | cut -d ' ' -f 4)
}
# The backdoored upstream releases are exactly 5.6.0 and 5.6.1. (Hyphens are not
# portable in bash function names, so the CVE id is written with underscores.)
function check_xz_for_CVE_2024_3094 () {
    if [[ "$xz_version" == "5.6.0" || "$xz_version" == "5.6.1" ]]; then
        echo "Your package for xz or xz-utils is vulnerable to CVE-2024-3094. Remediation will be scheduled." >&2
        exit 1    # non-zero exit marks the device as needing remediation
    else
        echo "Your package for xz or xz-utils is not vulnerable. No changes are required. Worklet exiting..."
        exit 0
    fi
}
if [[ -n "$xz_path" ]]; then
    get_xz_version
    check_xz_for_CVE_2024_3094
else
    echo "xz is not installed. No changes are required. Worklet exiting..."
    exit 0
fi
Remediation Script
#!/bin/bash
#================================================================
# HEADER
#================================================================
# SYNOPSIS
# This Worklet will check your Linux system for the xz package and determine if it is vulnerable to CVE-2024-3094.
# If the package is vulnerable, the Worklet will attempt to downgrade the package to a non-vulnerable version using
# the appropriate package manager.
#
# DESCRIPTION
# CVE-2024-3094 was identified on March 28, 2024: malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
# Only certain operating systems and operating system versions are affected by this vulnerability. Most versions of Red Hat, CentOS, and Ubuntu are not affected.
# Some testing and beta versions of Debian, Fedora, Alpine, openSUSE, and Arch Linux were found to be affected. Regardless, this Worklet will work on all Linux systems to ensure that the xz package is not vulnerable.
#
#
#
# USAGE
# ./remediation.sh
#
#
#================================================================
# IMPLEMENTATION
# version 1.0
# author Jeremy Maldonado
#
#================================================================
# HISTORY
# 04/01/2024 : JMaldonado : Worklet Created
#
#================================================================
# END_OF_HEADER
#================================================================
flag_for_remediation=0
# get_package_manager is an Automox Worklet runtime helper (assumed here to be
# provided by the Worklet environment) that sets the named variable to one of
# dnf, yum, apt or zypper.
get_package_manager my_package_manager
xz_path=$(command -v xz)
if [[ -z "$my_package_manager" ]]; then
    echo "Package Manager could not be identified. Worklet cannot complete. Please run a device scan and run this Worklet again." >&2
    exit 1
else
    echo "Package Manager identified as $my_package_manager."
fi
# Ask the package manager that was actually identified which package owns the
# xz binary, so the lookup cannot silently fall through to a tool that is not
# installed. rpm is queried for the bare package name: a full NVRA would make
# dnf/yum "downgrade" to the version that is already installed.
function get_xz_package_name () {
    case "$my_package_manager" in
        dnf|yum|zypper) xz_package_name=$(rpm -qf --qf '%{NAME}' "$xz_path") ;;
        apt)            xz_package_name=$(dpkg -S "$xz_path" | cut -d ':' -f 1) ;;
        *)              xz_package_name="" ;;
    esac
}
# `xz --version` prints "xz (XZ Utils) 5.6.1" on its first line; the version is
# the fourth space-separated field.
function get_xz_version () {
    xz_version=$("$xz_path" --version | head -n 1 | cut -d ' ' -f 4)
}
# The backdoored upstream releases are exactly 5.6.0 and 5.6.1.
function is_vulnerable_version () {
    [[ "$1" == "5.6.0" || "$1" == "5.6.1" ]]
}
function check_xz_for_CVE_2024_3094 () {
    if is_vulnerable_version "$xz_version"; then
        echo "Your package for xz or xz-utils is vulnerable to CVE-2024-3094. Worklet will now attempt to downgrade this package."
        flag_for_remediation=1
    else
        echo "Your package for xz or xz-utils is not vulnerable. No changes are required. Worklet exiting..."
        exit 0
    fi
}
function downgrade_xz_utils () {
    if [[ $my_package_manager == "dnf" ]]; then
        dnf downgrade -y "$xz_package_name"
    elif [[ $my_package_manager == "yum" ]]; then
        yum downgrade -y "$xz_package_name"
    elif [[ $my_package_manager == "apt" ]]; then
        # Walk the "Version table:" of apt-cache policy and take the first entry
        # that is not a backdoored 5.6.0/5.6.1 build. Version rows look like
        # " *** 5.6.1-1 500" (installed) or "     5.4.5-0.3 500"; the source rows
        # beneath them end in a URL or path rather than a numeric priority.
        alternative_xz_version=$(apt-cache policy "$xz_package_name" | awk '
            /Version table:/ { in_table = 1; next }
            in_table && $NF ~ /^[0-9]+$/ {
                v = ($1 == "***") ? $2 : $1
                if (v !~ /^5\.6\.[01](-|$)/) { print v; exit }
            }')
        if [[ -z "$alternative_xz_version" ]]; then
            echo "No non-vulnerable version of $xz_package_name is available from the configured apt sources." >&2
            return 1
        fi
        # liblzma5 is the package that ships the backdoored library and must be
        # downgraded together with xz-utils; apt-get -y refuses to downgrade
        # unless --allow-downgrades is given.
        apt-get install -y --allow-downgrades "$xz_package_name=$alternative_xz_version" "liblzma5=$alternative_xz_version"
    elif [[ $my_package_manager == "zypper" ]]; then
        zypper --non-interactive install --force xz=5.6.1.revertto5.4
    else
        echo "Package manager not supported." >&2
        return 1
    fi
}
if [[ -n "$xz_path" ]]; then
    get_xz_version
    check_xz_for_CVE_2024_3094
else
    echo "xz is not installed. No changes are required. Worklet exiting..."
    exit 0
fi
if [[ $flag_for_remediation == 1 ]]; then
    get_xz_package_name
    if downgrade_xz_utils; then
        echo "The xz package was downgraded - Checking new install version."
        get_xz_version
        if is_vulnerable_version "$xz_version"; then
            echo "Your package for xz or xz-utils is still vulnerable to CVE-2024-3094. Please run this Worklet again, or manually downgrade the package." >&2
            exit 1
        else
            echo "The xz package downgrade was successful. Your package for xz or xz-utils is no longer vulnerable to CVE-2024-3094. Worklet exiting..."
            exit 0
        fi
    else
        echo "The xz package downgrade failed. Please check the Automox Activity Report for more information." >&2
        exit 1
    fi
fi
Update: Monday, April 1, 2024
An Automox Worklet™ automation script is now available to check your Linux endpoints for the exploited xz/liblzma package and mitigate if the system is determined vulnerable to CVE-2024-3094.
A critical vulnerability, CVE-2024-3094, with a CVSS score of 10.0, has been uncovered in the upstream xz/liblzma package, raising serious concerns about the security of SSH servers. Read on for remediation tips and the latest information.
CVE-2024-3094: What It Is
The vulnerability is a malicious backdoor inserted into the distributed tarballs of the xz package. The injected code runs during the configure step, modifies liblzma's Makefile, and introduces code capable of compromising SSH servers.
The GitHub account that introduced the code was deeply embedded in this project and in many other open-source projects. It is not yet known whether the account was compromised.
Who Is Affected
Systems using the compromised liblzma are at risk of exploitation; in particular, x86-64 Linux systems running glibc are susceptible. Although xz versions 5.6.0 and 5.6.1 had not yet been widely integrated into Linux distributions, it is not yet known when the compromise began.
The backdoor requires systemd, so at this time, it seems that only Linux operating systems (with systemd) are affected.
At this time, it is recommended that you rotate your SSH keys immediately if xz version 5.6.0 or 5.6.1 is installed on your system.
The following distributions have acknowledged they are affected:
installation medium 2024.03.01
virtual machine images 20240301.218094 and 20240315.221711
container images created between and including 2024-02-24 and 2024-03-28
The following distributions have released statements saying they are not affected.
Ubuntu has not released a statement at the time of writing.
How to Fix It: Mitigating CVE-2024-3094
At this time, it is strongly recommended to downgrade to an unaffected liblzma version, that is, one predating 5.6.0 (5.6.0 and 5.6.1 are the affected releases).
Moving to an uncompromised build of the xz package is the key step in safeguarding systems against this backdoor.
A bash detection script by Andres Freund, who is also credited with discovering this vulnerability, is publicly available on seclists.org.
If you are having difficulty determining which version of liblzma you are running, a YARA rule can be found here.
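The "Who Is Affected" section above asks which liblzma a system is actually running, and the mitigation advice turns on whether that copy is 5.6.0 or 5.6.1. The following POSIX shell script is an added example, not Automox's Worklet code and not Andres Freund's script: it asks the dynamic loader (ldconfig -p) which liblzma it resolves, reads the version out of the resolved file name, and notes whether sshd links liblzma (directly or through libsystemd). It assumes ldconfig, readlink -f and ldd are present at scan time; the SAMPLE_LDCONFIG text is constructed for offline checking, not captured from a real host. The version test goes slightly beyond the page by treating Debian's 5.6.1+really5.4.5 and openSUSE's 5.6.1.revertto5.4 rebuilds as safe, since both are built from 5.4 sources and keep the 5.6.1 prefix only for upgrade ordering.

```shell
#!/bin/sh
# Added example (not part of the Automox Worklet): locate the liblzma the
# dynamic loader resolves, derive its version, and report whether sshd can
# reach it. The helpers are pure string processing so they can be exercised
# offline against the constructed sample below.

# Constructed sample of `ldconfig -p` output (not captured from a real host).
SAMPLE_LDCONFIG='    liblzma.so.5 (libc6,x86-64) => /lib/x86_64-linux-gnu/liblzma.so.5
    libm.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libm.so.6'

# True (0) only for the backdoored upstream releases 5.6.0 and 5.6.1, with an
# optional distro revision such as "5.6.1-1". Reverted builds that keep the
# 5.6.1 prefix but append "+really5.4.5" (Debian) or ".revertto5.4" (openSUSE)
# are built from 5.4 sources and are deliberately not flagged.
xz_version_is_vulnerable() {
    case "$1" in
        5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "5.6.1" for a resolved path like /usr/lib/liblzma.so.5.6.1; print
# nothing for an unresolved symlink name such as liblzma.so.5.
version_from_liblzma_path() {
    _base=${1##*/}
    case "$_base" in
        liblzma.so.*.*) printf '%s\n' "${_base#liblzma.so.}" ;;
    esac
}

# From `ldconfig -p` text, print the "=> /path" target of every liblzma entry.
liblzma_paths_from_ldconfig() {
    printf '%s\n' "$1" | awk '$1 ~ /^liblzma\.so/ && $(NF-1) == "=>" { print $NF }'
}

# Live scan: one line per loader-visible liblzma, a note if sshd links it,
# exit status 1 if any copy is a flagged version.
scan_system() {
    _bad=0
    for _lib in $(liblzma_paths_from_ldconfig "$(ldconfig -p 2>/dev/null)"); do
        _real=$(readlink -f "$_lib" 2>/dev/null || printf '%s' "$_lib")
        _ver=$(version_from_liblzma_path "$_real")
        if xz_version_is_vulnerable "$_ver"; then
            _bad=1
            echo "VULNERABLE: $_real (liblzma $_ver)"
        else
            echo "ok: $_real (liblzma ${_ver:-unknown})"
        fi
    done
    _sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$_sshd" ] && ldd "$_sshd" 2>/dev/null | grep -q liblzma; then
        echo "note: $_sshd links liblzma, so a flagged copy would be loaded into the SSH daemon"
    fi
    return "$_bad"
}

if [ "${1:-}" = "--scan" ]; then
    scan_system
fi
```

Run it as `sh liblzma_check.sh --scan`; a non-zero exit means a flagged copy was found. Because it matches on version strings only, it is a triage step, not a replacement for Freund's byte-signature check or the YARA rule mentioned above, and it says nothing about a copy of liblzma that is statically linked or installed outside the loader's search path.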
Stay Vigilant, Stay Secure
The presence of a backdoor within the upstream xz/liblzma package represents a grave threat to the security integrity of SSH servers.
Timely action is imperative for impacted systems to avert potential risks. By promptly moving to an uncorrupted version of the xz package, organizations can fortify their defenses and mitigate the dangers posed by this vulnerability.