Check if you're vulnerable to CVE-2024-3094

CVE-2024-3094 is the new hot one and it is extremely critical; however, the impact should be limited, as most mainstream Linux distros are unaffected. Here is what to know:

Here are the main links from the different providers:

  1. Red Hat (stable not vulnerable): https://access.redhat.com/security/cve/cve-2024-3094#cve-cvss-v3

  2. Debian (stable not vulnerable): https://security-tracker.debian.org/tracker/CVE-2024-3094

  3. Suse (stable not vulnerable): https://www.suse.com/security/cve/CVE-2024-3094.html

  4. Kali (Impacted but exploit not confirmed): https://pkg.kali.org/pkg/xz-utils

  5. Arch (Impacted but exploit not confirmed): https://archlinux.org/packages/?sort=&q=xz&maintainer=&flagged=. It is debatable whether it was exploitable there: https://x.com/The_Nikomo/status/1773834629566361719?s=20

  6. Homebrew (Impacted but probably not exploitable): https://x.com/bcrypt/status/1773792762908786770?s=20

  7. FreeBSD (not impacted): https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

  8. Amazon Linux (not impacted): https://aws.amazon.com/security/security-bulletins/AWS-2024-002/

Now the summary:

  1. The upstream package XZ (shows up as xz-utils in package managers) has been compromised via a supply chain takeover that planted a backdoor in liblzma

  2. Affected versions are 5.6.0 and 5.6.1. Ubuntu 23.10 uses 5.4.1; only the development release picked up the affected version, and it has since been downgraded. Similarly, no RHEL release ships the affected xz versions (see the Red Hat and SUSE links above). Kali and Arch were impacted: Kali carried the affected version from 03-26 and Arch from 02-24 (see the Kali and Arch links above).

  3. The easiest way to check is to use your package manager to see which xz version you are on. You can also use the script shared at the bottom of the disclosure, which checks more precisely for the backdoor's function signature in the liblzma that sshd loads. Instructions for running it are below.

  4. Really this is scarier because of what it implies about upstream security risks and how quickly things can propagate downstream if they’re not detected.

Check if you’re impacted

Shell script taken from the bottom of the disclosure post.

  1. nano detect.sh
  2. Paste the code below, then save and quit
#!/bin/bash

set -eu

# find path to liblzma used by sshd
# sshd normally lives in /usr/sbin, which is not on every user's PATH, so fall back to it
sshd_bin="$(command -v sshd || echo /usr/sbin/sshd)"
if [ ! -x "$sshd_bin" ]
then
	echo "sshd not found, nothing to check"
	exit
fi

# "|| true" keeps set -e from ending the script silently when sshd does not link liblzma
path="$(ldd "$sshd_bin" | grep liblzma | grep -o '/[^ ]*' || true)"

# does it even exist?
if [ "$path" == "" ]
then
	echo probably not vulnerable
	exit
fi

# check for function signature (byte pattern of the backdoor's function prologue, x86-64 build)
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
then
	echo probably vulnerable
else
	echo probably not vulnerable
fi
  3. chmod +x detect.sh
  4. ./detect.sh
  5. Optional cleanup: rm detect.sh
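The following script is an added example for this post; it is not the disclosure script and not code from the xz project. It combines the two checks described above: it asks whichever package manager is present for the installed xz/liblzma version, decides whether that is one of the backdoored upstream releases, and then runs the same liblzma-in-sshd signature check, without exiting silently when sshd cannot be found or does not link liblzma. The package names (xz-utils/liblzma5 on dpkg systems, xz/xz-libs on rpm systems, xz on pacman and Homebrew) and Debian's "+really" downgrade convention for version strings are assumptions; the sample version strings in the comments are constructed for illustration.

```shell
#!/bin/bash
# Added example for this post, not code from the disclosure or the xz project.
# Assumptions: package names xz-utils/liblzma5 (dpkg), xz/xz-libs (rpm), xz (pacman,
# Homebrew); Debian's "+really" downgrade convention for version strings.
set -u

# Upstream releases that contain the backdoor.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Function prologue of the backdoor as published in the disclosure (same bytes as
# detect.sh above). It only matches x86-64 builds of the injected object.
BACKDOOR_SIG='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

# Reduce a distro package version to the upstream xz version it actually ships.
# Constructed examples:
#   1:5.6.1-1            -> 5.6.1  (epoch and release suffix dropped)
#   5.6.1+really5.4.5-1  -> 5.4.5  (Debian downgrade: the real version follows "+really")
normalize_xz_version() {
    local v="$1"
    v="${v#*:}"                          # drop epoch
    case "$v" in
        *+really*) v="${v#*+really}" ;;  # keep what follows "+really"
    esac
    v="${v%%-*}"                         # drop distro release suffix
    v="${v%%+*}"                         # drop any other +suffix (e.g. +dfsg)
    printf '%s\n' "$v"
}

# Return 0 if the version (raw distro string or plain) is a backdoored release.
xz_version_affected() {
    local nv a
    nv="$(normalize_xz_version "$1")"
    for a in $AFFECTED_VERSIONS; do
        if [ "$nv" = "$a" ]; then return 0; fi
    done
    return 1
}

# Print "<source> <raw version>" for each package manager or binary present.
installed_xz_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='dpkg:${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null || true
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf 'rpm:%{NAME} %{VERSION}-%{RELEASE}\n' xz xz-libs 2>/dev/null | grep -v 'is not installed' || true
    fi
    if command -v pacman >/dev/null 2>&1; then
        pacman -Q xz 2>/dev/null | awk '{print "pacman:" $1, $2}' || true
    fi
    if command -v brew >/dev/null 2>&1; then
        brew list --versions xz 2>/dev/null | awk '{print "brew:" $1, $2}' || true
    fi
    if command -v xz >/dev/null 2>&1; then
        xz --version 2>/dev/null | awk '/^liblzma/ {print "xz-binary:liblzma", $2}' || true
    fi
    return 0
}

# 0 = signature found in sshd's liblzma, 1 = not found, 2 = could not check.
check_sshd_liblzma() {
    local sshd lib
    sshd="$(command -v sshd 2>/dev/null || true)"
    if [ -z "$sshd" ] && [ -x /usr/sbin/sshd ]; then sshd=/usr/sbin/sshd; fi
    if [ -z "$sshd" ] || ! command -v ldd >/dev/null 2>&1; then return 2; fi
    lib="$(ldd "$sshd" 2>/dev/null | grep liblzma | grep -o '/[^ ]*' | head -n 1 || true)"
    if [ -z "$lib" ]; then return 2; fi
    # od/tr produce one continuous hex string, so the signature can span od's line wraps
    if od -An -v -tx1 "$lib" | tr -d ' \n' | grep -q "$BACKDOOR_SIG"; then return 0; fi
    return 1
}

main() {
    local verdict=0 rc=0 src ver
    while read -r src ver; do
        if [ -z "$ver" ]; then continue; fi
        if xz_version_affected "$ver"; then
            printf '%-22s %-26s AFFECTED (upstream %s)\n' "$src" "$ver" "$(normalize_xz_version "$ver")"
            verdict=1
        else
            printf '%-22s %-26s not an affected version\n' "$src" "$ver"
        fi
    done <<EOF
$(installed_xz_versions)
EOF
    check_sshd_liblzma || rc=$?
    case $rc in
        0) echo "sshd's liblzma carries the backdoor signature: probably vulnerable"; verdict=1 ;;
        1) echo "sshd's liblzma does not carry the signature" ;;
        *) echo "could not check sshd's liblzma (no sshd or ldd, or sshd not linked to it); rely on the version check" ;;
    esac
    return $verdict
}

main
```

Run it as root so that /usr/sbin is on PATH and ldd can resolve sshd's libraries; the exit status is 0 when nothing looks affected and 1 otherwise, so it can be dropped into fleet tooling. Two caveats: the version check alone is the weaker half (a distro may ship a rebuilt or downgraded package under an unusual version string, which is why the "+really" case is handled), and the byte signature only covers the x86-64 payload, so "signature not found" on another architecture is not proof of a clean library.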