# 🧩 **CVE-2024-3094 — The XZ Utils Supply-Chain Backdoor**
![CVE-2024-3094 XZ Utils supply-chain backdoor](https://github.com/user-attachments/assets/99fa4407-133c-4b83-a33a-8cca5950dd24)
---
## 🔒 Overview
| **Attribute** | **Details** |
| ------------------------ | --------------------------------------------------------------- |
| **CVE ID** | CVE-2024-3094 |
| **Severity (CVSS v3.1)** | 🔴 10.0 (Critical) |
| **Component** | XZ Utils / liblzma (Data compression library) |
| **Affected Versions** | 5.6.0 and 5.6.1 |
| **Discovery Date** | March 29 2024 |
| **Discovered By** | Andres Freund (Microsoft / PostgreSQL developer) |
| **Vulnerability Type** | Supply-chain / Embedded Malicious Code (CWE-506) |
| **Attack Vector** | Modified build process injects a remote code execution backdoor |
| **Primary Risk** | Unauthorized remote access → Full system compromise |
---
## 🧠 How It Happened
### 🧩 **Insertion**

* The **malicious code** wasn’t visible in the public Git repo.
* It was **hidden in the release tarballs** for XZ Utils 5.6.0 & 5.6.1.
* A disguised “test file” contained a **pre-built object** that injected malicious logic into **liblzma** during the build.
### ⚙️ **Execution**

* The injected code **hooks into liblzma functions** (via IFUNCs).
* When linked dynamically (e.g. by `sshd` via `libsystemd`), it can **intercept authentication routines**.
* This enables a remote attacker with a special key to **bypass SSH authentication** or execute arbitrary code.
### 🕶️ **Stealth**
* The backdoor activates **only under specific conditions**:
  * Architecture: x86-64 Linux
  * glibc + GNU linker builds
  * Builds using the malicious tarballs
* This selective targeting kept it **invisible to normal QA**.
---
## ⚠️ Impact & Exposure
### 💻 **Affected Distributions**
| **Likely Impacted** | **Unaffected / Safe** |
| ------------------------------- | ------------------------------- |
| Fedora Rawhide / 41 | RHEL (Enterprise) |
| openSUSE Tumbleweed | Debian Stable |
| Debian Unstable/Testing | Ubuntu LTS |
| Arch Linux (Snapshots Mar 2024) | Alpine Linux (Musl – not glibc) |
### 🌍 **Scope**
* The compromised versions reached **limited but critical targets** — systems that automatically pulled the tarballs into nightly or testing builds.
* Potential compromise chain: `XZ Utils → liblzma → systemd / SSHD → Root Access`
---
## 🧾 **Detection Checklist**
### 🧮 **Step 1 – Check Installed Version**

```bash
xz --version
rpm -q xz
dpkg -l | grep xz
```
> ⚠️ If the output shows `5.6.0` or `5.6.1`, treat the system as **potentially compromised**.
### 🧠 **Step 2 – Verify Library**
```bash
strings /usr/lib*/liblzma.so* | grep "test"
sha256sum /usr/lib*/liblzma.so*
```
> Look for unfamiliar sections or hashes not matching official checksums.
### 🔍 **Step 3 – Check SSH Behaviour**
* Unexpected CPU spikes in `sshd`
* Delays during login
* Silent auth bypass or altered logs
### 🧰 **Step 4 – Scan Filesystem**
```bash
find / -name "liblzma.so.5.6*" 2>/dev/null
```
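As an added example (not part of the original README), the POSIX shell script below turns Step 1 and the `sshd` → `libsystemd` → `liblzma` linkage from the Execution section into functions that run over captured text, so they can be tried offline: one classifies an `xz --version` banner, one checks whether an `ldd` listing for `sshd` pulls in liblzma, and `assess` combines them. The function names and the sample banner and `ldd` output are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original README: the checklist's Step 1 and the
# sshd-linkage concern from "Execution", as functions over captured text.
# Names (xz_banner_is_backdoored_version, ldd_links_liblzma, assess) are my own.

# Returns 0 when the first line of an `xz --version` banner names 5.6.0 or 5.6.1.
xz_banner_is_backdoored_version() {
    # The banner's first line looks like "xz (XZ Utils) 5.6.1".
    ver=$(printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9.]*\).*/\1/p')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when an `ldd` listing shows liblzma loaded, i.e. the process can
# reach the hooked library (for sshd this happens via libsystemd).
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Verdict: 0 = affected version and sshd links liblzma, 2 = affected version
# only, 1 = version is not one of the two backdoored releases.
assess() {
    banner=$1
    ldd_out=$2
    if xz_banner_is_backdoored_version "$banner"; then
        if ldd_links_liblzma "$ldd_out"; then
            echo "CRITICAL: xz 5.6.0/5.6.1 installed and sshd links liblzma"
            return 0
        fi
        echo "WARNING: xz 5.6.0/5.6.1 installed"
        return 2
    fi
    echo "OK: xz version is not 5.6.0 or 5.6.1"
    return 1
}

# Constructed sample output (not captured from a real host).
SAMPLE_BANNER='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='linux-vdso.so.1
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6'

# On a live host: assess "$(xz --version)" "$(ldd "$(command -v sshd)")"
assess "$SAMPLE_BANNER" "$SAMPLE_LDD"
```

A version match alone is the trigger the checklist cares about; the `ldd` check only tells you whether the running `sshd` on that host could reach the hooked library at all.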
---
## 🛠️ **Mitigation Steps**
### 🔄 **Immediate Actions**
1. **Downgrade / Revert** to a safe version:
   ```bash
   sudo dnf downgrade xz
   sudo apt install xz-utils=5.4.*
   ```
2. **Rebuild & Re-link** all software using liblzma.
3. **Isolate / Reimage** affected systems — assume credential compromise.
4. **Investigate Logs** for suspicious SSH sessions or root escalations.
### 🧱 **Long-Term Hardening**
* Verify build provenance (use Git commits, not tarballs).
* Adopt **reproducible builds** and checksum validation.
* Integrate **SBOMs** (Software Bill of Materials) in your CI/CD.
* Monitor with **behavioral IDS** for SSH and systemd anomalies.
---
## 🕰️ Timeline
| **Date** | **Event** |
| -------------- | ---------------------------------------------------- |
| 2021 – 2023 | Fake contributor “Jia Tan” gains trust in XZ project |
| Feb 2024 | Malicious code released in 5.6.0 / 5.6.1 tarballs |
| Mar 29 2024 | Discovered by Andres Freund due to SSHD anomalies |
| Mar 30 2024 | CVE-2024-3094 publicly disclosed |
| Apr 2024 → Now | Global advisories and mitigation rollouts |
---
## 🔍 Attribution & Lessons
### 🕵️ **Suspected Origin**
* Alias **“Jia Tan”** — contributor involved for 2+ years
* Gradually gained trust, released tarballs, introduced backdoor
* Classic **long-term infiltration** of open-source trust chains
### 💡 **Lessons Learned**
* Trust ≠ Security
* Reproducible builds & signature verification are non-negotiable
* Open-source maintainers need **shared responsibility models**
* Supply-chain compromises are now **nation-state-level** vectors
---
## 🎯 **Key Takeaways**
> 🧨 **CVE-2024-3094 is not a bug — it’s a betrayal of trust.**
* 🚨 If you have XZ Utils 5.6.0 / 5.6.1, **treat the system as compromised**.
* 🔁 **Revert to 5.4.x** or later verified clean builds.
* 🔎 Audit SSHD and system logs thoroughly.
* 🧰 Invest in **supply-chain security tools** and **code provenance checks**.
* 📢 Communicate internally — transparency is critical for incident response.
---