On CVE-2024-3094 (XZ Utils) and why the sky is not falling

One word of advice: Relax.

By now, you've heard about CVE-2024-3094: a backdoor affecting some OpenSSH deployments, introduced through compromised XZ Utils versions 5.6.0 and 5.6.1.

No. The sky is not falling.

Contrary to the broad majority of articles circulating on this particular topic at the moment, I'm writing this short post to point out why the 'sky is not falling', and why you most likely don't have to pull together your task force for a weekend of emergency patching.

This is a backdoor secured by a lock. It's not a vulnerability. That is an important difference.

No. Services depending on XZ Utils are not a potential attack vector; No. It's not comparable to the Log4j vulnerability in terms of criticality; No. It can't be used by just any threat actor who is aware of the backdoor's existence.

As this is a backdoor protected by a lock and not a vulnerability, merely knowing that the backdoor exists is not sufficient. In order to 'use' the backdoor you need the secret (private) 'key' to unlock it.

Only by having access to the original backdoor author's private key can threat actors perform the encryption required to have their commands accepted and executed on infected targets. Anything else will fail, unless, of course, there is a vulnerability in the backdoor itself.

The risk is 'low'

So, even if you are running OpenSSH servers infected with this backdoor, even if you are exposing those SSH services directly to the Internet, and even with threat actors now fully aware of the technical details of the backdoor in XZ, you are most likely not at risk.

The exception is if the original author of the backdoor, who is in possession of the secret (private) key, chooses to target you. Now, most of the cyber security community agrees that the level of sophistication involved in the creation and positioning of this backdoor indicates, with a high degree of confidence, that we're dealing with a nation-state grade threat actor. Most likely you're not on their target list. If you are, well, then CVE-2024-3094 should probably be the least of your worries.

To summarise:

  1. The private key required to use the backdoor is not currently known.
  2. There's no public knowledge about a 'vulnerability' in the backdoor itself.

Hence, none of the proofs of concept or tools released publicly so far will enable 'unauthorised' use of the backdoor.

Relax, but do patch.

By patching you remove the risk of the two scenarios that would change this picture: the author's key getting leaked, or an exploitable vulnerability being discovered in the backdoor itself. Either would be a much worse situation than the current one, because then 'everyone' could use the backdoor on servers you expose to establish a beachhead from which to further compromise and attack your organisation.
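A quick check for the two affected releases, added here as an example (it is not part of the original post, nor the detection script from the openwall thread); it assumes the standard `xz (XZ Utils) X.Y.Z` version banner and a default sshd path of /usr/sbin/sshd.

```shell
# Added example, not from the original post: confirm that the installed
# XZ Utils is not one of the two backdoored releases (5.6.0 and 5.6.1) and
# whether the local sshd loads liblzma at all (the library the backdoor lives in).

# Return 0 (true) if the version string is one of the known-affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract "X.Y.Z" from the first line of `xz --version` output read from stdin.
# Assumes the usual "xz (XZ Utils) X.Y.Z" banner; prints nothing otherwise.
parse_xz_version() {
    head -n 1 | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Classify a full `xz --version` banner: prints "affected", "ok" or "unknown".
classify_xz_banner() {
    ver=$(printf '%s\n' "$1" | parse_xz_version)
    if [ -z "$ver" ]; then
        echo unknown
    elif xz_version_affected "$ver"; then
        echo affected
    else
        echo ok
    fi
}

# Return 0 if the sshd binary (directly or transitively) links liblzma.
# /usr/sbin/sshd is an assumed default; pass another path if yours differs.
sshd_links_liblzma() {
    bin="${1:-/usr/sbin/sshd}"
    [ -x "$bin" ] || return 1
    ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Live report, only when xz is actually installed on this host.
if command -v xz >/dev/null 2>&1; then
    echo "xz: $(classify_xz_banner "$(xz --version 2>/dev/null)")"
    if sshd_links_liblzma; then
        echo "sshd: links liblzma, so the xz version above matters for it"
    else
        echo "sshd: does not link liblzma, or sshd not found at the assumed path"
    fi
fi
```

An "affected" result means the xz release itself needs updating; whether sshd links liblzma decides whether that release was ever reachable through SSH on the host.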

For technical details please read

https://openwall.com/lists/oss-security/2024/03/29/4

- it's still the best and most accurate source.

Stay safe!