Elastic on CVE-2024-3094 🔗 https://discuss.elastic.co/t/elastic-security-statement-for-cve-2024-3094-xz-versions-5-6-0-and-5-6-1/357894

On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package. Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue.

#CVE_2024_3094 #xz #xzbackdoor #supplychainattack

Elastic Security Statement for CVE-2024-3094, xz versions 5.6.0 and 5.6.1

Elastic Products are not affected by this issue. On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package. Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue. Reference Links: oss-security - backdoor in upstream xz/liblzma leading to ssh server...

Discuss the Elastic Stack
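The Elastic statement above names xz 5.6.0 and 5.6.1 as the affected releases. As an added example, not code from Elastic or from any source linked in this thread, the POSIX shell snippet below parses the `xz --version` banner and flags exactly those two releases on the local host. The function names and the assumed banner layout (`xz (XZ Utils) 5.6.1` on the first line) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from Elastic's statement): flag xz/liblzma 5.6.0 and 5.6.1,
# the two releases named in the advisory, on the local host.

# Return 0 if the given version string is one of the affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of the first line of `xz --version` output.
# Assumed banner layout: "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Inspect the installed xz binary, if any, and print a verdict.
# Returns 0 when an affected release is found, 1 otherwise.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 1
    fi
    banner=$(xz --version 2>/dev/null)
    ver=$(xz_version_from_banner "$banner")
    if xz_version_affected "$ver"; then
        echo "xz $ver: AFFECTED (CVE-2024-3094) - follow your distribution's advisory"
        return 0
    fi
    echo "xz ${ver:-unknown}: not one of the affected releases"
    return 1
}

# Run the check without aborting the script on a non-affected result.
status=0
check_local_xz || status=$?
```

A version check of the packaged binary is only a first pass: it says nothing about vendored copies of liblzma (the crates.io liblzma-sys crate mentioned later in this thread is one case), so those need to be located and checked separately.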

Kaspersky provides a timeline of events leading to the discovery of the backdoor in XZ Utils data compression library which is included in Linux distributions. They offer an analysis of Stage 1 (the modified build-to-host script), Stage 2 (injected shell script) and Stage 3 (backdoor extraction). Kaspersky also provides backdoor code analysis and explanation of system checks and structure. IOC and Yara rules provided. 🔗 https://securelist.com/xz-backdoor-story-part-1/112354/

cc: @shellsharks

#CVE_2024_3094 #xz #xzbackdoor #supplychainattack

XZ backdoor story - Initial analysis

Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in the OpenSSH server process.

Kaspersky

Phylum warns that the distribution v0.3.2 for liblzma hosted on crates.io contained test files for XZ which contain the backdoor. While affected versions of the liblzma and liblzma-sys crates were yanked from crates.io, the crates were downloaded over 5,000 times. 🔗 https://blog.phylum.io/rust-crate-shipping-xz-backdoor/ cc: @shellsharks

#xz #XZbackdoor #cve_2024_3094 #supplychainattack

Rust crate shipping xz backdoor

By now, news of the malicious backdoor in the XZ Utils compression library has been widely circulated. Though the potential damage appears to have been largely mitigated by the heroic work of a single engineer, aftershocks of this attack remain. Today’s brief offering concerns one such that Phylum found

Phylum

SentinelOne has a technical breakdown of the XZ backdoor: Initial setup, stage 1 payload (system checks and extraction) and stage 2 payload (injecting the backdoor). They provide an analysis of the attack execution, and briefly touch on attribution. IOC are included. 🔗 https://www.sentinelone.com/blog/xz-utils-backdoor-threat-actor-planned-to-inject-further-vulnerabilities/

#xz #CVE_2024_3094 #supplychainattack #xzbackdoor #threatintel #IOC

XZ Utils Backdoor | Threat Actor Planned to Inject Further Vulnerabilities

Analysis suggests that CVE-2024-3094, a backdoor deliberately planted into XZ Utils, may have been only the first on the threat actor's agenda.

SentinelOne

Uptycs posts a comprehensive guide on the XZ Utils vulnerability CVE-2024-3094. This is the first guide I've seen with SHA256 hashes. 🔗 https://www.uptycs.com/blog/xz-utils-backdoor-vulnerability-cve-2024-3094

#xz #cve_2024_3094 #supplychainattack

XZ Utils Backdoor Vulnerability (CVE-2024-3094): Comprehensive Guide

Explore the background, impact & mitigation steps for CVE-2024-3094, an XZ Utils backdoor affecting Linux & macOS: learn steps for detection & mitigation.

reflections on distrusting xz

"Was the ssh backdoor the only goal that "Jia Tan" was pursuing with their multi-year operation against xz?

I doubt it, and if not, then every fix so far has been incomplete, because everything is still running code written by that entity."
https://joeyh.name/blog/entry/reflections_on_distrusting_xz/
#xz #XzBackdoor #xzorcist #cve_2024_3094

reflections on distrusting xz

New York Times: "Did One Guy Just Stop a Huge Cyberattack?" See how a Microsoft engineer gained instant stardom using this one weird trick! (only because ssh was running 500ms slower) 🔗 https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html
Congratulations on your newfound fame (and thank you, sincerely) @AndresFreundTec

#xz #CVE_2024_3094 #supplychainattack

Did One Guy Just Stop a Huge Cyberattack?

A Microsoft engineer noticed something was off on a piece of software he worked on. He soon discovered someone was probably trying to gain access to computers all over the world.

The New York Times

The CEO of Phylum talks about the background of the XZ compromise and backdoor, and the challenges of open source software supply chain security. 🔗 https://blog.phylum.io/xz-liblzma-backdoor-supply-chain-attack/

#cve_2024_3094 #xz #supplychainattack

The xz/liblzma Compromise and Software Supply Chain Security

At the end of March 2024, a major software supply chain attack was identified: some upstream forks of the popular xz/liblzma library that underpins the massively popular OpenSSH Server were compromised. A rogue contributor appears to have worked to influence the maintainers of the library, adding in seemingly innocuous

Phylum

One thing I haven't seen stated explicitly about #CVE_2024_3094: The engineer who found this is a Microsoft employee. Does that mean Microsoft runs the vulnerable configuration? Given that it isn't that common, could we reasonably deduce that Microsoft was a target?

Update: No; I'm just slow.

I misunderstood the nature of the systemd-ssh injection, which would have impacted any distro using systemd and sshd.

Microsoft tech community has a Frequently Asked Questions and guidance for the XZ Utils backdoor (CVE-2024-3094). They provide guidance on using Microsoft products to assess exposure to CVE-2024-3094, e.g. Microsoft Defender Vulnerability Management, and Defender for Cloud and advanced hunting queries. 🔗 https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/microsoft-faq-and-guidance-for-xz-utils-backdoor/ba-p/4101961

#CVE_2024_3094 #xz #supplychainattack

Microsoft FAQ and guidance for XZ Utils backdoor

Latest information about XZ Utils vulnerability and guidance on how to assess your potential exposure.

TECHCOMMUNITY.MICROSOFT.COM