Last updated at Fri, 05 Apr 2024 20:45:11 GMT

On Friday, March 29, after investigating anomalous behavior in his Debian sid environment, developer Andres Freund contacted an open-source security mailing list to share that he had discovered an upstream backdoor in the widely used command-line tool XZ Utils (liblzma). The backdoor, added by an open-source committer who had been working on the tool for several years, affects XZ Utils versions 5.6.0 and 5.6.1. It has been assigned CVE-2024-3094.

According to Red Hat's advisory:

“The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present.

The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”

Community analysis of the backdoor is ongoing. Fortunately, thanks to Freund’s discovery, the backdoored version of the utility does not affect the stable branches of most major Linux distributions and is unlikely to have made it into any production systems. The most at-risk category of users is likely developers, many of whom tend to run bleeding-edge versions of Linux.

Mitigation guidance

XZ Utils users should downgrade to an older version of the utility immediately (i.e., any version before 5.6.0) and update their installations and packages according to distribution maintainer directions.

Major Linux distributions and package maintainers have published guidance on updating. Below is a list of affected and unaffected distributions — please refer to individual distribution and package advisories for the latest information and remediation guidance.

Affected distributions (as of March 31)

Debian

unstable / sid only — “versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1.”

Kali Linux

Systems updated between March 26 and March 29, 2024

OpenSUSE

Tumbleweed and MicroOS rolling releases between March 7 and March 28, 2024

Arch Linux

  • Installation medium 2024.03.01
  • Virtual machine images 20240301.218094 and 20240315.221711
  • Container images created between and including 2024-02-24 and 2024-03-28

Red Hat

Fedora Rawhide and Fedora 40 Linux beta

The following distributions have indicated they are not affected:

Please note that information on affected versions or requirements for exploitability may change as we learn more about the threat.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-3094 with authenticated and agent-based package version checks, available starting in the April 1, 2024 content release.

InsightCloudSec customers can assess their cloud resources using the Host and Container Vulnerability Assessment capabilities. When enabled, customers can go to ‘Vulnerabilities > Software’ and add the following filter:

  • “Software Name” contains “xz”
  • Software Version starts with 5.6

Customers can also search for ‘xz’ with the ‘Show Software without Vulnerabilities’ box checked to see all deployed versions of the software.

Rapid7 Labs has shared this Velociraptor artifact to help search for installed vulnerable packages.
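As an added example (not from the Rapid7 post, its Velociraptor artifact, or any distribution's tooling), the following POSIX shell check flags the XZ Utils versions this advisory lists, using the distribution package database where one exists and the xz binary otherwise. The package names xz-utils (Debian-based) and xz (RPM-based) and the sample `xz --version` output are assumptions.

```shell
#!/bin/sh
# Added example: detect XZ Utils / liblzma releases in the range named in the
# advisory (5.6.0 and 5.6.1, CVE-2024-3094) plus Debian's 5.5.1alpha-0.1 range.

# Return 0 (true) when a version string is one of the affected releases.
# Accepts bare "5.6.1", Debian "5.6.1-1" and RPM "5.6.0-1.fc40" (assumed format).
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.0-*|5.6.1|5.6.1-*|5.5.1alpha-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version from `xz --version` output, whose first line reads
# "xz (XZ Utils) <version>" (the second line reports liblzma).
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR==1 { print $NF; exit }'
}

# Query the host: dpkg-query on Debian/Kali/Ubuntu, rpm on Fedora/openSUSE,
# and the xz binary as a fallback. Exit 0 = affected, 1 = not, 2 = unknown.
check_host() {
    pkg=""
    if command -v dpkg-query >/dev/null 2>&1; then
        pkg=$(dpkg-query -W -f='${Version}' xz-utils 2>/dev/null)
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}' xz 2>/dev/null)
    fi
    if [ -z "$pkg" ] && command -v xz >/dev/null 2>&1; then
        pkg=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    fi
    if [ -z "$pkg" ]; then
        echo "xz: not installed or version unknown"
        return 2
    fi
    if xz_is_affected "$pkg"; then
        echo "xz $pkg: AFFECTED (CVE-2024-3094), downgrade to a release before 5.6.0"
        return 0
    fi
    echo "xz $pkg: not in the affected range"
    return 1
}

# Constructed sample output, as `xz --version` prints it on a 5.6.1 host.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Run the live host check only when explicitly requested: RUN_XZ_CHECK=1 sh xz_check.sh
if [ "${RUN_XZ_CHECK:-0}" = 1 ]; then check_host; fi
```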

Blog updates

April 2, 2024: Updated to note that InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-3094 with authenticated and agent-based vulnerability checks in today's (April 1) content release. Customers using the latest version of InsightCloudSec can also assess their cloud resources for exposure.