Xz utility had backdoor

Hi all, :wave:

I just noticed Germany's Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, see here), abbreviated as BSI, also
covered the topic.

According to Wikipedia, the BSI is the German upper-level federal agency in charge of managing computer and communication security for the German government.
So any information retrieved from there should be reliable. :wink:

They provided a PDF file dealing with the subject.
It can be found here: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-223608-1032.pdf?__blob=publicationFile&v=3 .
It's in German though.

The interesting part is:

The first tools and instructions have now been published with the help of which you can check the vulnerability of your own IT systems.
The backdoor signature can be detected using the YARA rule. (1)
IT systems can be checked locally for the presence of the backdoor (2)

Here are the links:

Has anyone used any of these scripts yet :question:

Cheers from Rosika :slightly_smiling_face:

1 Like

Hi again, Neville, :wave:

for the host:

Conky informs me my local IP address is 192.168.8.102.
This is the local IP address assigned to my system by my mobile network provider, right?
This address is within a private subnet range, which is typical for local network connections as far as I know.

So I guess this would be the right entry in my /etc/ssh/sshd_config:

[...]
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.8.0
[...]

the rest of the configuration unchanged.

After applying the modification:

sudo systemctl restart sshd

I hope I got it right :question:

Cheers from Rosika :slightly_smiling_face:

1 Like

OK, I think I get it.
Your setup is different to mine.
You only have one local net… that provided by the mobile phone modem
I have two… the modem one, and a second ethernet with all computers and printers on it.

So yes, that is your local net, but it is also your side of the modem. I am not sure if
setting ListenAddress to that will restrict incoming ssh attempts.

Also, I had an afterthought in the shower.
You also have a virtual network (for VMs).
You would need to tell it to listen to that network too.

It might be simpler not to do this. Virt-manager and Boxes each have virtual networks. That is two more networks to allow.

I must admit it is a long time since I used
ListenAddress. Things have become more complicated since then. I vote we shelve it.

2 Likes

Hi Neville, :wave:

thanks for the feedback.

Yes, there seems to be a difference between your setup and mine.

Thanks for the confirmation.
I guess I'll leave it the way it is right now for the moment.

Perhaps one of the three scripts (see my post #41) might be worth looking into. :blush:

Thanks again, Neville. :heart:
Many greetings from Rosika :slightly_smiling_face:

2 Likes

Hi all, :wave:

Update:

I ran one of the recommended test scripts (the 3rd on my list) on my Arch Linux VM (taken from here).

After the download (and a thorough scan with clamav) I extracted it and ran
./cve-2024-3094-detector.sh
from the respective directory.

Here are the results:


      _  _  _  _  _  _  _  _  _  _  _  _       _  _  _  _       _  _  _
     (_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_) _  _(_)(_)(_)(_)_  _ (_)(_)(_) _
        (_)   (_)            (_)         (_)(_)          (_)(_)         (_)
        (_)   (_) _  _       (_) _  _  _ (_)(_)          (_)(_)    _  _  _
        (_)   (_)(_)(_)      (_)(_)(_)(_)   (_)          (_)(_)   (_)(_)(_)
 _      (_)   (_)            (_)   (_) _    (_)          (_)(_)         (_)
(_)  _  (_)   (_)            (_)      (_) _ (_)_  _  _  _(_)(_) _  _  _ (_)
 (_)(_)(_)    (_)            (_)         (_)  (_)(_)(_)(_)     (_)(_)(_)(_)

		CVE-2024-3094 detector by JFrog
 
Pre-flight Check
which: no xxd in (/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/home/arch/.local/bin)
 - xxd: MISSING 
✓ Pre-flight Check Passed

XZ vulnerable version: NO (5.6.1-3)
SSHD found in the system: YES (/usr/bin/sshd)
SSHD linked with LZMA: NO
LZMA vulnerable version: NO
  Specific Prologue byte pattern NOT matched
  Encoded Strings byte patterns NOT matched

- Malicious XZ/LZMA found: NO 
- ✓ SSHD not affected (not linked with LZMA) 
Conclusion: NOT VULNERABLE TO CVE-2024-3094 

Well, I knew about the installed version of xz. So that was a given.

But all in all it looks good, I think.

Cheers from Rosika :slightly_smiling_face:

2 Likes
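The two verdict lines that matter most in the output above, "XZ vulnerable version" and "SSHD linked with LZMA", can be reproduced with a few lines of shell. The block below is an added example, not the thread's or JFrog's code; the ldd samples are constructed, and the live check assumes `xz`, `ldd` and `sshd` are on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from JFrog's detector: a re-implementation
# of the "XZ vulnerable version" and "SSHD linked with LZMA" checks shown above.

# Strip a packaging suffix ("5.6.1-3" -> "5.6.1") and report whether the
# upstream release is one of the two backdoored ones. Status 0: affected.
# A distribution may rebuild such a release from clean sources, so this is a
# hint only: the 5.6.1-3 package above passed the detector's byte-pattern scan.
xz_upstream_release_affected() {
    upstream=$(printf '%s' "$1" | sed 's/[-+~].*$//')
    case "$upstream" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read ldd output on stdin; status 0 if liblzma is among the linked libraries.
# The backdoor only reaches sshd when sshd loads liblzma (directly or via
# libsystemd), which is why the detector reports that check separately.
ldd_output_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Constructed sample ldd output (not captured from a real host) for a sshd
# build that links libsystemd and, through it, liblzma.
SAMPLE_LDD_LINKED='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2b2a800000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2b2a7c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b2a400000)'
# Constructed sample for a build like the Arch one above, without liblzma.
SAMPLE_LDD_CLEAN='	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f2b2a600000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f2b2a400000)'

# Live check. "xz --version" prints "xz (XZ Utils) 5.6.1" on its first line,
# so its last field is the upstream version (package suffixes come from the
# package manager, e.g. pacman, not from xz itself).
check_live_system() {
    xz_ver=$(xz --version 2>/dev/null | awk 'NR==1 {print $NF}')
    if xz_upstream_release_affected "$xz_ver"; then
        echo "xz $xz_ver is an affected upstream release: verify the build"
    else
        echo "xz ${xz_ver:-unknown} is not an affected upstream release"
    fi
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | ldd_output_links_liblzma; then
        echo "sshd ($sshd_bin) links liblzma: the backdoor would be reachable"
    else
        echo "sshd does not link liblzma (or was not found)"
    fi
}
```

Run `check_live_system` after sourcing the file; a version hit without a liblzma link in sshd still leaves liblzma itself worth replacing.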

Hi Rosika,
This sshd_config issue will not go away. I slept on it last night, and this morning awoke with what I think is a way to do it for your network.
Your network is 192.168.8.0. Let's assume you have 2 machines
192.168.8.1 and 192.168.8.2.
What you can do is allow access from the 2 machines individually ( instead of allowing it for the whole network) so

ListenAddress 192.168.8.1    machine 1
ListenAddress 192.168.8.2    machine 2
don't give a ListenAddress for the modem
ListenAddress 192.168.122.0   virt-manager virtual network
ListenAddress  10.0.2.0  gnome-boxes virtual network

You can put as many ListenAddress lines as you want, it does all of them
and disallows everything else.

So, solved, but we probably don't want to do it anyway. It's just nice to know how.

Regards
Neville

2 Likes

Hi Neville, :wave:

Oh dear. I'm so sorry. I didn't mean to give you sleepless nights over it. :neutral_face: :bowing_man:
But thanks a lot for thinking so much about it. :heart:

OK, I have just one machine (my PC) in the network.

So - if I understand you correctly - the /etc/ssh/sshd_config file should look like this:

[...]
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.8.102
ListenAddress 192.168.122.0
ListenAddress  10.0.2.0
[...]

Thanks a lot.

Right.
But - just out of interest - what would it refer to?
Would it be 192.168.8.0 for the whole network?

Thanks again for your help, Neville.

Cheers from Rosika :slightly_smiling_face:

1 Like
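ListenAddress tells sshd which of the host's own addresses to bind; a value that is not configured on any local interface makes that bind fail, and limiting which clients may connect is done with a Match Address block or a firewall rule instead. This added check, not from the thread, parses a config fragment and the host's addresses and lists the ListenAddress values sshd could not bind; it assumes the iproute2 `ip -o addr` output format, and the samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report ListenAddress values in an
# sshd_config that no interface of this host carries (sshd cannot bind those).

# Print the ListenAddress values from an sshd_config read on stdin, skipping
# commented-out lines and dropping an optional ":port" suffix.
listen_addresses() {
    awk '$1 == "ListenAddress" { sub(/:[0-9]+$/, "", $2); print $2 }'
}

# Print the addresses configured on the host's interfaces, from "ip -o addr"
# style output read on stdin (field 3 is the family, field 4 address/prefix).
local_addresses() {
    awk '$3 == "inet" || $3 == "inet6" { sub(/\/.*/, "", $4); print $4 }'
}

# Usage: report_nonlocal CONFIG_TEXT IPADDR_TEXT
# Prints, one per line, each ListenAddress value that is not a local address.
report_nonlocal() {
    locals=$(printf '%s\n' "$2" | local_addresses)
    printf '%s\n' "$1" | listen_addresses | while read -r addr; do
        printf '%s\n' "$locals" | grep -Fxq "$addr" || echo "$addr"
    done
}

# Constructed sshd_config fragment: the lines proposed in the thread above.
SAMPLE_CONFIG='#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.8.102
ListenAddress 192.168.122.0
ListenAddress  10.0.2.0'

# Constructed, abbreviated "ip -o addr" output for a PC at 192.168.8.102 with
# a virt-manager bridge (virbr0) whose own address is 192.168.122.1.
SAMPLE_IPADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: wwan0    inet 192.168.8.102/24 brd 192.168.8.255 scope global wwan0
3: virbr0    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0'

# Live check against the real files; needs read access to sshd_config.
check_live_config() {
    report_nonlocal "$(cat /etc/ssh/sshd_config)" "$(ip -o addr)"
}
```

On the sample input the report lists 192.168.122.0 and 10.0.2.0, the two network addresses that are not an address of the host; `sshd -t` checks only the file's syntax, so such values surface only when sshd actually starts.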

No not the network.
It is the IP number you use when you connect your browser to the modem to do admin commands.
Maybe connman would tell you what it is, or look in the modem manual.

No not sleepless.
I have this strange ability to go to sleep with a problem and wake with the solution.
It is the Holy Spirit working.

3 Likes

Hi again, Neville, :wave:

Wow, that's great. :+1:
I wish I had this ability (at least part of it).

Sorry, I seem to have misunderstood.

Ah, I guess that should be 192.168.8.1 in my case:

Right, I won't give a ListenAddress to that.

Thanks a lot, Neville.

Many greetings from Rosika :slightly_smiling_face:

1 Like

Right, leave it out… the same as you leave out every other
address on the internet. Then nothing can use your sshd except your computer and your VMs.
I thought you had a laptop too?

2 Likes

Yes, you're right, Neville.

But I don't usually run it in the same network as my main PC.
Mostly - when doing updates, and if I don't have enough data available using the stick - I do the updates for the laptop via smartphone tethering.

But now that I come to think of it, you are right.
I should put the laptop's IP address in /etc/ssh/sshd_config. Just in case.

At times I might want to access the internet from the laptop via the hotspot I configured for the PC.

Thanks for reminding me of it. :heart:
Cheers from Rosika :slightly_smiling_face:

2 Likes

If you change anything, you have to remember to update
the sshd_config. Otherwise things will mysteriously stop working.

2 Likes

Thanks Neville, :wave:

You mean by executing the command sudo systemctl restart sshd, right :question:

1 Like

Hi Rosika,
Sorry , I did not explain properly.
I mean if you change any IP numbers, you need to edit
the sshd_config file.
It's a trap. It is easy to forget.

Regards
Neville

2 Likes

I see, Neville.
Thanks for the clarification. It's highly appreciated.

Many greetings from Rosika :slightly_smiling_face:

2 Likes

Certain groups of IP addresses are reserved for specific uses. The address range 192.168.0.0–192.168.255.255 is for communications within a private network. They do not come from your internet provider. They may be assigned by your router or you can assign them manually.

Don
3 Likes

Hi Don, :wave:

thanks a lot for the additional information and the very informative link. :heart:
Much appreciated.

Many greetings from Rosika :slightly_smiling_face:

1 Like

Hi Don,
Are you saying that if the modem has an address within
this range, then a packet coming from that address can not have originated from the internet?
I thought that, because of IP masquerading, a packet
originating from the internet could appear to come from the modem address? Am I wrong there?

Regards
Neville

1 Like

Yes, as best I understand it you are correct: a packet in that address range can only come from within your network. Inbound traffic from the internet sees only your public IP address.

But who knows what hackers can do these days?

3 Likes

It’s your router that assigns the 192.168.x.x addresses. I don’t think an outside computer can specify a specific address that falls within the reserved list.

2 Likes