The amazingly scary xz sshd backdoor
Published: 2024-04-01
Last Updated: 2024-04-01 15:25:33 UTC
by Bojan Zdrnja (Version: 1)
Unless you took the whole weekend off, you must have seen by now that Andres Freund published an amazing discovery on Friday on the Openwall mailing list (https://www.openwall.com/lists/oss-security/2024/03/29/4).
The whole story around this is both fascinating and scary – and I’m sure will be told around numerous times, so in this diary I will put some technical things about the backdoor that I reversed for quite some time (and I have a feeling I could spend 2 more weeks on this).
There is also a nice gist by smx-smx here that gets updated regularly so keep an eye there as well.
The author(s) of the backdoor went a long way to make the backdoor look as innocent as possible. This is also why all the reversing effort is taking such a long(er) time. Let’s take a look at a couple of fascinating things in this backdoor.
String comparison
One of the first things a reverse engineer will do is to search for strings in the code they are looking at. If strings are visible, they can usually tell a lot about the target binary. But if we take a look at the library (and for this diary I am using the one originally sent by Andres) we will see practically no visible strings.
The authors decided to obfuscate all strings – in order to do that, they stored strings as a radix tree (also known as prefix tree or trie, more info at https://en.wikipedia.org/wiki/Radix_tree). This allows them to store all strings as obfuscated, however now one of the challenges they had was to look up strings – they implemented a function that checks whether a string exists in the radix tree table, and if it does, it returns back the offset ...
Read the full entry:
https://isc.sans.edu/diary/The+amazingly+scary+xz+sshd+backdoor/30802/
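The diary excerpt above describes a string table kept as a prefix tree with a lookup that returns an offset. The following is an added illustration written for this page, not code from the diary or from the backdoor: it builds a byte-per-edge trie from a constructed sample of symbol names, implements the exact-match lookup that returns the stored offset (or -1), flattens the tree into the kind of edge table a compiled binary would carry, and shows how an analyst recovers the full string set by walking the tree. The sample names and offsets are made up for the example.

```python
"""Prefix-tree (trie) string table with offset lookup.

Added example constructed from the diary's description of the obfuscation
scheme; it is not the backdoor's code. The sample strings and offsets
below are constructed values, not artifacts from the real library.
"""
from collections import deque


class TrieNode:
    __slots__ = ("children", "offset")

    def __init__(self):
        self.children = {}   # next character -> TrieNode
        self.offset = -1     # >= 0 only on a node that terminates a stored string


class StringTrie:
    def __init__(self):
        self.root = TrieNode()

    def insert(self, s, offset):
        """Store s so that lookup(s) later returns offset."""
        node = self.root
        for ch in s:
            node = node.children.setdefault(ch, TrieNode())
        node.offset = offset

    def lookup(self, s):
        """Exact-match lookup: return the offset stored for s, or -1.

        A proper prefix of a stored string (e.g. 'rea' for 'read') is not a
        hit, because only terminating nodes carry an offset.
        """
        node = self.root
        for ch in s:
            node = node.children.get(ch)
            if node is None:
                return -1
        return node.offset

    def walk(self):
        """Yield (string, offset) for every stored string.

        This is the analyst's side: the plaintext never appears contiguously
        in the table, but a depth-first walk of the edges rebuilds it.
        """
        stack = [(self.root, "")]
        while stack:
            node, prefix = stack.pop()
            if node.offset >= 0:
                yield prefix, node.offset
            for ch, child in node.children.items():
                stack.append((child, prefix + ch))

    def edge_table(self):
        """Flatten the trie into (parent_id, char, child_id, offset) records
        in breadth-first order, the shape a hard-coded table in a binary
        would take. One character per record is why a plain strings(1) run
        over such a table yields nothing useful."""
        ids = {id(self.root): 0}
        table = []
        queue = deque([self.root])
        while queue:
            node = queue.popleft()
            for ch, child in node.children.items():
                ids[id(child)] = len(ids)
                table.append((ids[id(node)], ch, ids[id(child)], child.offset))
                queue.append(child)
        return table


# Constructed sample: a few symbol-like names with made-up offsets.
SAMPLE = {"read": 0x100, "readdir": 0x108, "write": 0x110, "setresuid": 0x118}


def build_sample_table():
    trie = StringTrie()
    for name, off in SAMPLE.items():
        trie.insert(name, off)
    return trie


def edge_stream(trie):
    """Concatenate the per-edge characters in table order; used to show that
    no stored string survives contiguously in the flattened table."""
    return "".join(ch for _, ch, _, _ in trie.edge_table())


if __name__ == "__main__":
    t = build_sample_table()
    print("lookup('read')   ->", hex(t.lookup("read")))
    print("lookup('rea')    ->", t.lookup("rea"))
    print("edge stream      ->", edge_stream(t))
    for s, off in sorted(t.walk()):
        print(f"recovered {s!r} at {off:#x}")
```

The diary says the backdoor uses a radix tree; the example above is the uncompressed byte-per-edge variant, chosen so the point is visible in a few lines. A compressed radix tree merges single-child chains into multi-character edge labels, so short fragments of the stored strings can survive as separate labels in the table; treating those fragments as candidates and walking the edges is still the way to reconstruct the full set.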
The xz-utils backdoor in security advisories by national CSIRTs
Published: 2024-04-01
Last Updated: 2024-04-02 06:24:29 UTC
by Jan Kopriva (Version: 1)
For the last few days, the backdoor in xz-utils has been among the main topics of conversation in the global cyber security community.
While it was discovered before it made its way into most Linux distributions and its real-world impact should therefore be limited, it did present a very real and present danger. It is therefore no surprise that it was quickly covered by most major news sites devoted to information and cyber security.
However, since the first information about the existence of the backdoor was published on Friday 29th, which was a public holiday in many countries around the world, and the same may be said of today, it is conceivable that some impacted organizations and individuals might not have learned about the danger from these news sites, as they might only monitor advisories from specific sources – such as national or governmental CSIRTs – during the holidays.
Fast response from national or governmental CSIRTs, or other, similar organizations, in situations like these can therefore be of paramount importance. Consequently, it occurred to me that the current situation might present a good opportunity for a quick analysis to see how many national or governmental CSIRTs/their host organizations/similar entities (e.g., national coordination centers, multi-national or regional CSIRTs, etc.) publish up-to-date warnings and advisories even during holidays.
I have therefore gone over the FIRST membership list[7], which includes (among many other teams) a large percentage of national and/or governmental CSIRTs from around the globe, and identified 105 teams which have a national or governmental constituency and which might therefore possibly function as an “early warning system” for a specific country, region or nation. I have then gone through the official websites of these teams to see which ones did warn about the xz-utils backdoor and when.
The results were interesting, and – at least to me – somewhat surprising. At the time of writing, only 11 (i.e., approximately 10.5%) of the 105 teams/organizations had published an advisory covering the existence of the backdoor. Four of them did so on March 29th, the same day when the existence of the backdoor was first made public, six of them did so the next day – on Saturday 30th – and one did so three days later, on Monday 1st ...
Read the full entry:
https://isc.sans.edu/diary/The+xzutils+backdoor+in+security+advisories+by+national+CSIRTs/30800/
Checking CSV Files (2024.03.31)
https://isc.sans.edu/diary/Checking+CSV+Files/30796/
Wireshark 4.2.4 Released (2024.03.31)
https://isc.sans.edu/diary/Wireshark+424+Released/30794/
Quick Forensics Analysis of Apache logs (2024.03.29)
https://isc.sans.edu/diary/Quick+Forensics+Analysis+of+Apache+logs/30792/
From JavaScript to AsyncRAT (2024.03.28)
https://isc.sans.edu/diary/From+JavaScript+to+AsyncRAT/30788/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-3094 - xz is vulnerable to malicious code injection via disguised test files in the source code, leading to modification of liblzma functions and potential interception of data interactions.
Product: Tukaani xz
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3094
ISC Diary: https://isc.sans.edu/diary/30800
ISC Podcast: https://isc.sans.edu/podcastdetail/8918
NVD References:
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://access.redhat.com/security/cve/CVE-2024-3094
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- https://bugzilla.redhat.com/show_bug.cgi?id=2272210
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
- https://bugs.gentoo.org/928134
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

CVE-2024-2389 - Flowmon is vulnerable to an operating system command injection flaw, allowing unauthenticated users to execute arbitrary commands via the management interface.
Product: Flowmon
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2389
ISC Podcast: https://isc.sans.edu/podcastdetail/8922
NVD References:
- https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
- https://www.flowmon.com

CVE-2024-0980 - Okta Verify for Windows is vulnerable to two flaws allowing for arbitrary code execution.
Product: Okta Verify
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0980
ISC Podcast: https://isc.sans.edu/podcastdetail/8916
NVD References:
- https://trust.okta.com/security-advisories/okta-verify-windows-auto-update-arbitrary-code-execution-cve-2024-0980

CVE-2023-23656 - MainWP File Uploader Extension allows for unrestricted upload of files with dangerous types, posing a security risk from versions n/a through 4.1.
Product: MainWP File Uploader Extension
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23656
NVD References:
- https://patchstack.com/database/vulnerability/mainwp-file-uploader-extension/wordpress-mainwp-file-uploader-extension-plugin-4-1-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2023-28787 - Quiz And Survey Master is vulnerable to an SQL Injection issue in versions up to 8.1.4, allowing attackers to manipulate SQL queries and potentially access or modify sensitive data.
Product: ExpressTech Quiz And Survey Master
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28787
NVD References:
- https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-8-1-4-unauthenticated-sql-injection-vulnerability?_s_id=cve

CVE-2023-29386 - Julien Crego Manager for Icomoon allows for unrestricted file uploads of dangerous types.
Product: Julien Crego Manager for Icomoon
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29386
NVD References:
- https://patchstack.com/database/vulnerability/manager-for-icomoon/wordpress-manager-for-icommon-plugin-2-0-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2023-38388 - Unrestricted Upload of File with Dangerous Type vulnerability in Artbees JupiterX Core. This issue affects JupiterX Core: from n/a through 3.3.5.
Product: Artbees JupiterX Core
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38388
NVD References:
- https://patchstack.com/database/vulnerability/jupiterx-core/wordpress-jupiter-x-core-plugin-3-3-0-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2023-47842 - Unrestricted Upload of File with Dangerous Type vulnerability in Zachary Segal CataBlog. This issue affects CataBlog: from n/a through 1.7.0.
Product: Zachary Segal CataBlog
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47842
NVD References:
- https://patchstack.com/database/vulnerability/catablog/wordpress-catablog-plugin-1-7-0-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2023-47846 - Terry Lin WP Githuber MD is vulnerable to unrestricted upload of file with dangerous type, affecting versions from n/a through 1.16.2.
Product: Terry Lin WP Githuber MD
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47846
NVD References:
- https://patchstack.com/database/vulnerability/wp-githuber-md/wordpress-wp-githuber-md-plugin-1-16-2-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2023-47873 - WP Child Theme Generator allows for unrestricted upload of files with dangerous types, leaving it vulnerable to attacks from n/a through version 1.0.9.
Product: WEN Solutions WP Child Theme Generator
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47873
NVD References:
- https://patchstack.com/database/vulnerabili…
SANS 2024 CTI Survey: Managing the Evolving Threat Landscape | May 22 | Join us to learn how the CTI discipline has evolved in the past year: how CTI analysts kept up with the ever-changing threat landscape, how they view emerging threats (adversary use of AI), and how technology enablement improves efficiency.
Unleashing Secure Access with an Identity-Centric Zero Trust Network Access Solution: Microsoft Entra Private Access | May 1 at 3:30 pm ET | Join us to explore how you can enable secure access to any app or resource, from anywhere using Microsoft’s identity-centric Security Service Edge solution.
Do You Know Where Your Data Is? | April 25 at 1:00 pm ET | Tune in as we dive into the results and key findings of our Endpoint Data Survey. Our presenters will provide insight into the strategies that organizations are using to protect against the loss of such data.