Black Arrow Cyber Alert 03 April 2024 – Backdoor in Linux Poses Significant Supply Chain Risk

Executive summary

Over the last few days, a supply chain compromise impacting a wide variety of Linux distributions was identified. Malicious code in the form of a backdoor in XZ Utils was identified by Andres Freund, an employee at Microsoft. XZ Utils is data compression software that is present in a significant number of Linux distributions. The malicious code may allow unauthorised access to affected systems. Research has indicated that the backdoor was inserted two years ago, and its potential impact has been compared to that of the SolarWinds backdoor in 2020. Of particular note, the vulnerability was identified through the curiosity of a Microsoft engineer, once again highlighting that attacks are a matter of when, not if.

What’s the risk to me or my business?

There is a significant risk that a large number of Linux distributions, and some Mac users, are impacted by the vulnerability, which can allow an attacker to perform remote arbitrary code execution. With the exploit now public, there is a chance that threat actors may try to exploit this before it is patched. The Linux operating system is often present across corporate networks and can also be found on devices such as routers, switches, printers and others.

What can I do?

According to the US Cybersecurity and Infrastructure Security Agency (CISA) and IBM-owned Red Hat, the impacted versions are the two most recent versions, 5.6.0 and 5.6.1, of the XZ Utils libraries. CISA has recommended that until a fix is produced, users downgrade XZ Utils to an uncompromised version, such as 5.4.6. As such, organisations are recommended to check whether they are running vulnerable versions and apply mitigations with immediate effect. A list of the vulnerable distributions and versions is available from Microsoft, linked at the bottom of this alert; however, it should be highlighted that this situation is still ongoing and more may be identified.
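A quick way to carry out the version check described above, as an added example that is not part of the original alert or of any vendor tooling: the script reads `xz --version` on the local host and flags the two affected releases named by CISA and Red Hat (5.6.0 and 5.6.1). It only inspects the version string, so a distribution build that has been patched but kept a 5.6.x version string will still be flagged and should be confirmed against the vendor's own notes.

```shell
#!/bin/sh
# Check whether the installed xz / liblzma is one of the versions named in
# CVE-2024-3094 (5.6.0 and 5.6.1). String-based and offline: no binary is
# inspected, so confirm any hit against your distribution's advisory.

# Return 0 (true) when the version string is one of the known-bad releases.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version from 'xz --version' output, whose first line looks like
# "xz (XZ Utils) 5.4.6". Takes the output text as an argument so the parsing
# can be exercised without xz installed.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Classify the installed xz: prints VULNERABLE, OK or UNKNOWN and returns
# 1 for VULNERABLE, 0 otherwise. Uses the real binary if present.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "UNKNOWN: xz not found in PATH"
        return 0
    fi
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse 'xz --version' output"
        return 0
    fi
    if xz_version_is_affected "$ver"; then
        echo "VULNERABLE: xz $ver matches CVE-2024-3094 (CISA advises downgrading to 5.4.6)"
        return 1
    fi
    echo "OK: xz $ver is not an affected release"
    return 0
}

# Exit status of the script reflects the result, so it can be run from
# fleet tooling and the non-zero hosts collected for follow-up.
check_installed_xz
```

Package-manager queries (for example `dpkg -l xz-utils liblzma5` or `rpm -q xz xz-libs`) give the distribution's own version, which is the authoritative value when the vendor has patched in place.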

Technical Summary

CVE-2024-3094 – Malicious code was identified in XZ Utils, starting with version 5.6.0. The code allows any software linked to a modified liblzma library, a crucial dependency for OpenSSH, to intercept and modify data interactions with the library. The CVSS score is 10.

Further information can be found below.

https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/microsoft-faq-and-guidance-for-xz-utils-backdoor/ba-p/4101961

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

https://www.zscaler.com/blogs/security-research/cve-advisory-cve-2024-3094-security-compromise-xz-utils

Further information

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity
