This repository contains a Bash script and a one-liner command to check whether a system is running a version of the "xz" utility affected by CVE-2024-3094.
The description and impact statement below are quoted from Red Hat's advisory at https://access.redhat.com/security/cve/CVE-2024-3094:
"Malicious code was identified in the upstream tarballs of "xz" starting from version 5.6.0. This code involves a complex method where the build process of liblzma extracts a prebuilt object file from a disguised test file within the source code. This file is then utilized to alter specific functions within the liblzma code, leading to a compromised liblzma library. Any software linked against this modified library may intercept and alter data interactions with the library, potentially exposing systems to security risks.
The investigation to date reveals that the impacted packages are confined to Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No Red Hat Enterprise Linux (RHEL) versions are affected by this issue.
The vulnerability stems from malicious injection found in xz versions 5.6.0 and 5.6.1, specifically within the tarball download package. The Git distribution does not include the M4 macro responsible for triggering the build of the malicious code. However, the Git repository does contain second-stage artifacts intended for injection during build time if the malicious M4 macro is present. Absent integration into the build, these 2nd-stage files are harmless. Demonstrations of the vulnerability revealed interference with the OpenSSH daemon, which, while not directly linked to the liblzma library, interacts with systemd in a manner that makes it susceptible to the malware, given systemd's linkage to liblzma."
Background information, quoted from the Kali Linux blog article "About the xz backdoor" (https://kali.org):
"The xz-utils package, starting from versions 5.6.0 to 5.6.1, was found to contain a backdoor (CVE-2024-3094). This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized access to the entire system remotely.
With a library this widely used, the severity of this vulnerability poses a threat to the entire Linux ecosystem. Luckily, this issue was caught quickly so the impact was significantly less than it could have been. It has already been patched in Debian, and therefore, Kali Linux.
The impact of this vulnerability affected Kali between March 26th to March 29th, during which time xz-utils 5.6.0-0.2 was available. If you updated your Kali installation on or after March 26th, but before March 29th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability."
The following Bash script and one-liner command can be used to check if your system is affected by CVE-2024-3094:
command -v xz &>/dev/null && xz_version=$(xz --version | head -n 1 | awk '{print $4}') && { [[ $xz_version == "5.6.0" || $xz_version == "5.6.1" ]] && echo -e "\n[*] This system seems to be VULNERABLE to CVE-2024-3094 since it has a vulnerable version of xz\n\nLearn more about this CVE on this link:\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3094" || echo -e " \n[*] This system DOES NOT SEEM to be vulnerable to CVE-2024-3094."; } || echo "[-] xz package is not installed."
Verification steps suggested by the Kali Linux blog article "About the xz backdoor" (https://kali.org):
How to check manually for an affected Kali Linux version?
"apt-cache policy liblzma5"
kali@kali:~$ apt-cache policy liblzma5
liblzma5:
  Installed: 5.4.5-0.3
  Candidate: 5.6.1+really5.4.5-1
  Version table:
     5.6.1+really5.4.5-1 500
        500 http://kali.download/kali kali-rolling/main amd64 Packages
 *** 5.4.5-0.3 100
        100 /var/lib/dpkg/status
If the version "5.6.0-0.2" appears next to "Installed:", the package must be upgraded to the latest version, "5.6.1+really5.4.5-1". This can be done with the following command:
Command for addressing the issue with the vulnerable package in Kali Linux:
"sudo apt update && sudo apt install -y --only-upgrade liblzma5"
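The script below is an added example and is not the repository's own script or the Kali blog's procedure. It folds the two checks described on this page (the upstream version printed by `xz --version`, and the Debian/Kali package version shown by `apt-cache policy liblzma5`) into one POSIX shell script, and adds two things a defender usually wants alongside them: which liblzma file the dynamic loader actually resolves `liblzma.so.5` to, and whether sshd's dependency chain reaches liblzma at all (the Red Hat text above describes exposure only via that sshd -> libsystemd -> liblzma path). It assumes, like the one-liner above, that only upstream 5.6.0 and 5.6.1 are affected, and that reverted Debian-family packages carry "+really" in their version string as in the Kali transcript above. All function names are this example's own.

```shell
#!/bin/sh
# Added example (not the repository's script). Checks a host for CVE-2024-3094
# exposure from four angles: xz binary version, liblzma5 package version,
# the shared object the loader resolves, and sshd's link to liblzma.
# Assumptions: upstream 5.6.0/5.6.1 are the affected releases; reverted
# Debian/Kali packages carry "+really" (e.g. 5.6.1+really5.4.5-1).

# "xz (XZ Utils) 5.6.1" -> "5.6.1"
parse_xz_version() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# True (exit 0) for the two backdoored upstream releases.
is_affected_upstream() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# True for a Debian/Kali package built from an affected tarball, e.g. 5.6.0-0.2.
# The reverted package "5.6.1+really5.4.5-1" starts with "5.6.1+" and is not matched.
is_affected_deb() {
    case "$1" in
        5.6.0-*|5.6.1-*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Pull the version after "Installed:" out of `apt-cache policy liblzma5` output.
apt_installed_version() {
    printf '%s\n' "$1" | awk '$1 == "Installed:" { print $2; exit }'
}

# /lib/x86_64-linux-gnu/liblzma.so.5.6.1 -> "5.6.1". Prints nothing for a bare
# soname such as liblzma.so.5, so an unresolved symlink is never classified.
liblzma_version_from_path() {
    printf '%s\n' "$1" |
        sed -n 's/.*liblzma\.so\.\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)$/\1/p'
}

# Live check: one line per finding; returns 1 if anything affected was seen.
check_system() {
    affected=0

    if command -v xz >/dev/null 2>&1; then
        v=$(parse_xz_version "$(xz --version 2>/dev/null | head -n 1)")
        if is_affected_upstream "$v"; then
            echo "[!] xz binary reports upstream $v (affected release)"; affected=1
        else
            echo "[*] xz binary reports upstream $v"
        fi
    else
        echo "[-] xz is not installed"
    fi

    if command -v apt-cache >/dev/null 2>&1; then
        pv=$(apt_installed_version "$(apt-cache policy liblzma5 2>/dev/null)")
        if [ -n "$pv" ] && [ "$pv" != "(none)" ]; then
            if is_affected_deb "$pv"; then
                echo "[!] liblzma5 package $pv is built from an affected tarball"; affected=1
            else
                echo "[*] liblzma5 package $pv"
            fi
        fi
    fi

    # Which file actually backs liblzma.so.5 for the dynamic loader?
    if command -v ldconfig >/dev/null 2>&1; then
        so=$(ldconfig -p 2>/dev/null | awk '/[[:space:]]liblzma\.so\.5 /{ print $NF; exit }')
        if [ -n "$so" ]; then
            lv=$(liblzma_version_from_path "$(readlink -f "$so")")
            if is_affected_upstream "$lv"; then
                echo "[!] loader resolves liblzma.so.5 to version $lv ($so)"; affected=1
            else
                echo "[*] loader resolves liblzma.so.5 to ${lv:-unknown version} ($so)"
            fi
        fi
    fi

    # Exposure path described by Red Hat: sshd -> libsystemd -> liblzma.
    if command -v ldd >/dev/null 2>&1 && [ -x /usr/sbin/sshd ]; then
        if ldd /usr/sbin/sshd 2>/dev/null | grep -q 'liblzma'; then
            echo "[*] sshd's dependency chain includes liblzma"
        else
            echo "[*] sshd does not load liblzma"
        fi
    fi

    return "$affected"
}

check_system
live_status=$?   # 1 means an affected component was found; reuse as exit code if desired
```

Run it as `sh check-xz.sh` on the host being assessed; the version-string helpers are pure functions, so they can be exercised against captured `xz --version` or `apt-cache policy` output from other machines without installing anything. Note that the loader check looks at the file `liblzma.so.5` points to, which is why a reverted Kali package (real file `liblzma.so.5.4.5`) is reported as clean even though its package version string begins with "5.6.1".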