🎉 Celebrate with us on December 11 for a special anniversary episode of runZero Hour! Register Now

On This Page:

  1. Latest CVE-2024-3094 (XZ Utils backdoor) coverage
  2. What is the impact?
  3. Are updates or workarounds available?
  4. How to find potentially affected systems with runZero

How to find systems impacted by CVE-2024-3094 (XZ Utils backdoor)

HD Moore
Rob King
Tom Sellers
|
Updated

Latest CVE-2024-3094 (XZ Utils backdoor) coverage #

Andres Freund discovered a malicious backdoor in a recent revision of the XZ Utils package. This backdoor was introduced by a threat actor who spent years building trust in the open source community before taking over maintenance of the XZ Utils project. After gaining access as a maintainer, the threat actor introduced the malicious code in multiple obfuscated steps. This backdoor could allow the threat actor to run arbitrary commands without authentication through the OpenSSH daemon.

CVE-2024-3094 is rated critical with CVSS score of 10.0.

An overview of this issue can be found at ArsTechnica.

Russ Cox published a detailed timeline.

What is the impact? #

Successful exploitation of this backdoor would allow the actor responsible to run arbitrary system commands without authentication.

Anthony Weems built a fantastic proof-of-concept and demo kit for reproducing the backdoor.

Are updates or workarounds available? #

This backdoor was enabled when a build was run on an x86_64 (amd64) system that was building a Debian "DEB" or Red Hat "RPM" package. The issue was caught prior to widespread release and the list of affected distributions is small as a result.

The following distributions shipped a combination of packages that resulted in a backdoored SSH daemon:

Additional information about this issue can be found across the web and in various distribution-specific trackers:

How to find potentially affected systems with runZero #

The runZero team is investigating whether a direct check against SSH is possible.

In the meantime, we suggest using this runZero Service Inventory query:

_asset.protocol:ssh protocol:ssh (banner:="SSH-2.0-OpenSSH_9.6" OR banner:="SSH-2.0-OpenSSH_9.6p1%Debian%" OR banner:="SSH-2.0-OpenSSH_9.7p1%Debian%")

This query is based on the following logic:

1. Identify any instances of Fedora Rawhide or OpenSUSE Tumbleweed & MicroOS in your environment. The easiest way to find potentially affected installations is to look for OpenSSH servers running version 9.6, which is a recent release specific to those rolling distributions.

2. Identify any instances of Debian or Kali rolling builds. The easiest way to do this is by looking for recently-released (9.6 & 9.7) Debian-flavored OpenSSH services, as these packages were shipped in the Debian unstable and Kali Linux rolling releases.

Written by HD Moore

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More about HD Moore

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

More about Rob King

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception techonology. A strong believer in Open Source he has contributed to projects such as Nmap, Metasploit, and Recog.

More about Tom Sellers
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Rapid Response
How to find Citrix Virtual Apps and Desktops software on your network
Citrix has released an advisory for two vulnerabilities affecting Citrix Virtual Apps and Desktops software.
Read More
Rapid Response
How to find FortiManager instances on your network
How to find FortiManager instances on your network using runZero
Read More
Rapid Response
How to find SolarWinds Web Help Desk services on your network
CISA has announced that CVE-2024-28987 is actively being exploited in SolarWinds' Web Help Desk software. Here's how to find potentially affected...
Read More
Rapid Response
How to find SuperMicro BMCs
Supermicro released a vulnerability advisory for a critical CVE that allows for remote code execution (CVE-2024-36435). Here's how to find impacted...
Read More

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

Try It Free
© Copyright 2024 runZero, Inc. All Rights Reserved