THREAT ALERT: The XZ Backdoor – Supply Chaining Into Your SSH

Cybereason issues Threat Alerts to inform customers of emerging impacting threats, including critical vulnerabilities. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.

WHAT’S HAPPENING?

A sophisticated backdoor has been discovered in the open source compression library XZ Utils versions 5.6.0 and 5.6.1 for Linux Operating Systems. 

XZ is a widely used compression format in Linux, found in most distributions, both open-source and commercial. It compresses large files into smaller sizes, making them easier to share and transfer.

This supply chain attack targets to compromise the integrity of Secure Shell (SSH) – a cryptographic network protocol used to operate systems using remote command execution over an unsecured network. 

This vulnerability is being tracked as CVE-2024-3094, and has been assigned CVSS score of 10 out of 10. The backdoor is suspected to have the capability to completely compromise the integrity of the encrypted communications channel of SSH and take over the machine that has a vulnerable XZ Utils library installed.

Impact

Currently impacted systems are Linux distributions with the majority of the vulnerable libraries being on the development/experimental branches of the distribution release channels. 

Vulnerable Operating Systems and Remediations

The following is a list of Linux Operating Systems susceptible to this vulnerability, as available in the following link:

Vulnerable XZ Utils Versions

• xz-5.6.0
• xz 5.6.0-1
• xz 5.6.1-r0
• xz-5.6.1
• xz 5.6.1-r1
• xz-utils 5.6.0-0.2

Recommendations

• Mitigation: CISA recommends users and developers downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6.
• Detection: Ensure the Linux systems that are managed by your organization are monitored through an EDR system such as Cybereason EDR to proactively secure them.
• Detection: Use our IOC list to identify vulnerable backdoored versions and our Hunting Queries that are available to all Cybereason Customers.

Cybereason Global Security Operations Center (GSOC) Team is conducting proactive threat hunting in the scope of the Cybereason Managed Detection and Response (MDR) service to identify any potential exploitation of these vulnerabilities to be able to detect any compromise before.

SUPPLY CHAIN ATTACKS AND OPEN SOURCE SOFTWARE

Supply chain attacks aim to compromise an organization by targeting a 3rd party trusted software component used in the organization’s IT infrastructure. Cybereason has written about Supply chain attacks on multiple occasions with one of the most notable examples being the Solarwinds supply chain compromise.

Free and Open Source Software (FOSS) is often thought of as being more secure than closed source software, due to the source code being made available for public scrutiny. FOSS projects rely on a team of dedicated developers that is often overstretched and overworked to maintain the software that often integrates with the OS of critical systems. Although FOSS source code is publicly available a lot of projects rarely receive code reviews that check the security of their codebase.   

What is XZ Utils?

XZ Utils is a set of free software command-line lossless data compressors, and almost ubiquitous in Linux.  XZ Utils plays a vital role in compressing and decompressing data for various operations. Additionally, it supports the legacy lzma format, allowing for compatibility with older systems. To put it plainly, XZ Utils is a vital part of Unix systems and is widely used. The XZ utils project is hosted in the public code repository Github. The XZ-utils distribution is used as a core system module  in many OS distributions, providing native support for the Linux operating system to handle xz and lzma compressed file formats.

BackDoor Overview

On Friday the 29th of March 2024, a backdoor was identified in XZ Utils library and publicly disclosed by Andres Freund (Principal Security Engineer at Microsoft and PostgreSQL developer and maintainer). This vulnerability allows an attacker to utilize a predefined encrypted private key to run commands on the victim machine as root. This vulnerability was introduced by a sophisticated supply chain attack which occurred over the course of approximately two years. During these two years the team that maintained the XZ Utils repository had been joined by user “JiaT75“, who established themselves as a reputable contributor to the open source project, but ultimately introduced this backdoor that was pushed to end users in XZ Utils versions 5.6.0 and 5.6.1, while reducing the security checks in projects such as OSS-Fuzz with the objective of hiding the backdoor.

This backdoor was introduced  to the open source project through two “test files”, which contain the payload; and a modified m4 script (m4/build-to-host.m4) which initiates the process of loading the payload. The test files were added to the open source project first and could be found in the git repository. The m4 modification, however, was only made in the github tarball, and is not checked into git. The  build process of the vulnerability can be summarized is as follows:

1.  A malicious script build-to-host.m4 is run during the library’s build process on the victim host, and decodes the “test” file bad-3-corrupt_lzma2.xz into a bash script, located at “tests/files/bad-3-corrupt_lzma2.xz“.

2. The bash script then carries out a more complex decode process on an additional “test” file, good-large_compressed.lzma, decoding it into another script.

3. That script then extracts a shared object, liblzma_la-crc64-fast.o, which is added to the compilation process of liblzma.

The backdoor is complex, consisting of multiple stages executed during the build process and the full capabilities and inner workings of the backdoor are still being analyzed by security researchers. The backdoor employs code obfuscation, anti-analysis and conditional execution methodology to avoid detection. The execution of the payload is itself a multi-step process:

1. The payload uses the GNU indirect functions (ifuncs) like a switchboard operator for a program. This allows a program to choose between different versions of a function at runtime. The intended use case for this is for situations where there are multiple possible implementations of a function, each optimized for a different type of hardware or a different set of system conditions. This decision is made very early on, even before the main part of the program is executed, which allows for a dynamic modification of the process execution. This is like deciding which tools you are going to use before you start building something. 

2. The payload uses audit hook modification. An audit hook is a tool that can change a program’s map GOT (Global Offset Table) of functions to memory addresses. This function is normally used for security purposes (to prevent buffer overflows), however in this case attackers can use it to redirect function calls to harmful code, even after the program has started and initial linking is done.  It’s like changing the directions on the map while someone is already on their way. This allows the attacker to change what the program does while it’s running.

In this case an audit hook is used to get visibility and control over the dynamic linking process that is required to trigger the backdoor, while ifunc provides the mechanism for conditional function redirection. Think of an ifunc as a traffic light which can redirect cars (functions) based on certain conditions. 

The combination of those allowed the attacker to load into the GOT while the table is still editable and replace the OpenSSL’s (open source toolkit for general-purpose cryptography and secure communication) function RSA_public_decrypt with the backdoored version. This function is used normally in OpenSSH to validate the key pre-authentication, however now instead points to the attacker’s own malicious code which verifies that the connection is coming from the Attacker (via asymmetric key exchange), and extracts the commands from the authenticating client’s certificate. This achieves full pre-authentication remote code execution by the attacker.

The Backdoor is triggered by connecting to the victim host with an SSH certificate, with a payload in the Certificate Authority (CA) signing key N value. The payload is encrypted using the attacker’s ED448 key.  When a certificate exchange occurs, the Backdoor will check to see if the certificate has been signed by the attacker, and if confirmed, will carry out the remaining steps. However, if the Backdoor fails to verify that the SSH certificate is the Attacker, the Backdoor will return to normal functionality, rendering the detection of this Backdoor even more difficult.

Once the Backdoor has verified that the SSH certificate is from the Attacker, the payload located in the CA signing key N value is decrypted. The command from the payload is then passed to system() and is executed as root. Thomas Roccia (Sr. Security Researcher at Microsoft) has prepared the following two graphics that break down the discovery and the execution of the backdoor.

Backdoor Impact

Executable binaries can be influenced by the libraries they are linked to. It is a common practice for developers to link executables to requisite libraries. In the case of Debian and numerous other Linux distributions, the sshd (Secure Shell Daemon – a background process that handles SSH connections) is linked to liblzma, which provides the XZ Utils with the capability to manipulate the behavior of sshd.

At present, the backdoor’s goal is to be integrated into the Secure Shell Daemon (sshd) on the susceptible system, thereby granting a remote attacker the capability to execute arbitrary code. This means that any system with the compromised package that has SSH exposed to the internet could be at risk to remote code execution with root privileges.

sshd process loading liblzma module (in this case non vulnerable 5.2.2 version) as seen on the Cybereason investigation screen (process element)

Module Names

One can use these module names to identify if the backdoor is present on the system:

• liblzma.so.5.6.0
• liblzma.so.5.6.1

Threat Actor Public Key

In order for the key exchange to take place, the attacker’s public key is located in the binary of the lzma file.

———————————————————————-

0a 31 fd 3b 2f 1f c6 92 92 68 32 52 c8 c1 ac 28

34 d1 f2 c9 75 c4 76 5e b1 f6 88 58 88 93 3e 48

10 0c b0 6c 3a be 14 ee 89 55 d2 45 00 c7 7f 6e

20 d3 2c 60 2b 2c 6d 31 00

———————————————————————

IOC Hash Signatures

Cybereason has compiled a list of over 60 SHA256 hash signatures associated with this vulnerability (This list is being updated and modified as our research continues).

• 9857b950b51a990daa51115049de85bda38c4138a74437e25b25528a010037ad
• 5c204962348dccd72ab597656284f0e4a9f30bad9b3382f08a90867b5a55e8ec
• cbeef92e67bf41ca9c015557d81f39adaba67ca9fb3574139754999030b83537
• 605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4
• cc7f01e2db474a80ef100ce028f1e5c8f2357ba1657ecb9310e9b8e62d3315ab
• 9b368d0ad8b3bda5eabfdf8a40944f4dd270955bab868da9a51beedcfde38699
• 5448850cdc3a7ae41ff53b433c2adbd0ff492515012412ee63a40d2685db3049
• 257fc477b9684863e0822cbad3606d76c039be8dd51cdc13b73e74e93d7b04cc
• df0c2424b48b3e388fe31b469ac95076bd82d5222efe9dc0ef3fffbaedef047d
• 84319e9ec82b654438d8c26d8a93e9e3197dff0d93265e30f961b200bbb27472
• 319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae
• fbfddd1e77b684e9d2d18017ae658b24402727551447f41db0ab882d4a0cac81
• ea7206ab4b0c3479ff1b478c8803adc9e7aeba243254a9f601b626ef8aa80e3d
• 2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8
• f19f29bbde3d6a6777fa7524179f68583a19278494019c289b6b9d59e5be9fd8
• c292bc94bb3a4d631ee458b22d633268e0a74733838f4b8638cd164bf150c9c5
• ecda10d8877d555dbda4a4eba329e146b2be8ac4b7915fb723eaacc9f89d16bd
• 9aef898229de60f94cdea42f19268e6e3047f7136f2ff97510390a2deeda7032
• f334777310ca3ae9ba07206d78ed286a655aa3f44eec27854f740c26b2cd2ed0
• 15b08cbaa49b6df580f81ef85d5dd4bcca4dac41daa87b47c67177707b697cb7
• 8d2922eab67169c01aca9b7c9813ff5c14b932ce70928ce7beac2945623d53b1
• d44d0425769fa2e0b6875e5ca25d45b251bbe98870c6b9bef34f7cea9f84c9c3
• 616e38159153b8aa2a98193ae5325597b8732443421c81d0a57bd878b2c6d2a8
• cf46bd09ff6164747f56e46d461f3375a1ff84803090bbbb15cd64651a83bd2e
• 20343851b9c3738355162ddd79e737a6f4c7f250b3e2a68cb8785a2fb8f84a78
• aaaaf9a12d38dac328c74b45a2e6ea43950c85ecb010406d4092594cd904edc3
• f85b92daf98845b2bd4ebac717a3572710c29ae8078033e865c6aec34faa60cc
• 677b4b22949b8ca64dd698d8076b7382f326b4508ea00c09971e7cc3c31011f5
• cdafe1632f139c82937cc1ed824f7a60b7b0a0619dfbbd681dcac02b1ac28f5b
• d300422649a0124b1121630be559c890ceedf32667d7064b8128933166c217c8
• 6ce46bb6b54dacb5061a0f98258554c5ea5dd859591e0411b9fbd1c7249d6d9d
• 99c0b4e40f458d2291cadc6e45f6fc590972ce7e66baf8d9cfcf34924aef7081
• 7cc78c6d753938c5165427f4a81ba018a762503c6b2230bd51cfdd7eb75607a5
• 77346180bc192be65078becc977d312ff17ddd74005cb33d6440fca119b55ae0
• 2ed51ae8764a177aa6401df935ecef3d103db1f72ac98a7c803cdc4869fd3d98
• b83ee6d62e5e159fa0a16fcad953862a1d567abc5c60aa35dc02aac7efc87870
• 2d1199d43bc7b9f53eb00d73d6812c70f5ff1b5b7eb079e7327d8c2feaf86159
• b418bfd34aa246b2e7b5cb5d263a640e5d080810f767370c4d2c24662a274963
• 844cb2e9b422e006fdaefe805d2608a5484f11512a8f7ba6e10e0f7448e155d8
• 0f5c81f14171b74fcc9777d302304d964e63ffc2d7b634ef023a7249d9b5d875
• 88c8631cefba91664fdc47b14bb753e1876f4964a07db650821d203992b1e1ea
• F50ee33bab6abc93164577ca80f111d77595659842920d04a4d22e184f675d14
• 8fa641c454c3e0f76de73b7cc3446096b9c8b9d33d406d38b8ac76090b0344fd
• ece869c6e359a650da3a82c8d26239bde4293a591c0d634815595129654665ae
• 1cba3e7d5230bb8651c993a91cc8ca13c168d01bdac88584f4a4e56f4787702f
• f66b3f06e64285ce9b3f0e4ace5a3d2f6486249e77f2c00b09e42dd54bd09178
• d3d58e1dd183ebb7974efa829af223c7acb8612657dd2d6d74501728e8fa00d2
• 6c4a1e1b7a776f9666eccfb0fb397576300c32f72090685c3b9bd61b534c8553
• fcd4d1ba8a4def4e7178c27513a2897001019722f131efe7c4f6b940f231071b
• e18a99f5a5846be04743c97ab3d32ee9a74e66e7e2be051b5baa1b403ddd37b6
• b0f95b124073faaac4415aefa4bb3985f287318efa8db702303f68dd650da349
• 6951628601014a762fc2dbef9f63ff6de3122c6d0178e16204762a981f573436
• 5d9f751a8311dab1c3fe3ec7ee8639cda5b451c305d58075f80e47ec8663e220
• 2ddaf2e210649fead0a0355179ea9b58bea44a2c964e313b9d8befa0b59c2726
• 4795af285619cebf434951d4c88e6b22a39783dcdcff678215e4999831b20c90
• 876a17247dd0be61925b062008145b703e9fe30bbfae24c7127017e9c7df4130
• 80c8afc89e842d739c0acc4eb30d4fe2963ce4b28915bee526092213328e92c6
• 237284fae40e5f8e9908f0a977e7d0b9a5c7c1c10a41b8e6ed0fb40e930467c8
• b30c9ccd07a486e5c69a19ccd9d32a7db5f3297a2b69e48fed77d9636b4745d3
• cb12626baf0271cc232a1525755ba054f20ae2ef51f52ffa9a8e1e77fbf8cd20
• 05fa6f90e75ae713aea5e514fc20709ee0d185a5006c37d044980943dd9227ab
• 7ac0ed933459a364993242498fc50782a34900462985c194494abb0718ac4347

ABOUT THE RESEARCHERS

Brian Fox, Security Operations Analyst at Cybereason

Brian is a senior Analyst with the Cybereason Global SOC Team. Brian’s primary focus is on Threat Hunting, Malware Analysis and Extended Detection and Response. Brian has a background in Mobile Forensics for the Irish Police Force and has been working in CyberSecurity for international security firms for over 2 years.

Ruslan Rustchev, Global SOC Manager EMEA at Cybereason

Ruslan is leading the Cybereason Global Security Operations Center team in EMEA and managing a team of analysts delivering Managed Detection and Response Service.

Cybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about Cybereason XDR powered by Google Chronicle, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Source: https://www.cybereason.com/blog/threat-alert-the-xz-backdoor