MS-ISAC NOTICE NUMBER:
2024-033
ISSUE DATE(S):
03/29/2024
PREVIEW:
A vulnerability has been discovered in XZ Utils that could allow remote code execution. XZ Utils is a general-purpose data compression tool and library (liblzma) found in almost all Linux distributions, whether community projects or commercial products. Successful exploitation of this vulnerability could allow remote code execution in the context of the affected service (sshd, which on most systems runs as root). Depending on the privileges associated with that service, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Services configured to run with fewer rights on the system limit the impact compared with those running with administrative privileges.
THREAT INTELLIGENCE:
There are currently no reports of this vulnerability being exploited in the wild.
SYSTEMS AFFECTED:
- XZ Utils versions 5.6.0 and 5.6.1 for Linux (including the liblzma library they ship)
RISK:
Government:
Large and medium government entities
Small government
Companies:
Large and medium business entities
Small business entities
TECHNICAL SUMMARY:
A vulnerability has been discovered in XZ Utils that could allow remote code execution. The details of the vulnerability are as follows:
Tactic: Initial Access (TA0001):
Technique: Supply Chain Compromise (T1195):
- A supply chain compromise in XZ Utils packages could enable remote code execution. Malicious code was inserted into the liblzma library shipped in the XZ Utils 5.6.0 and 5.6.1 release tarballs. It interferes with authentication in sshd on distributions whose OpenSSH packages link sshd against libsystemd (for start-up notification), because libsystemd in turn loads liblzma into the sshd process. SSH is a commonly used protocol for connecting to systems remotely, and sshd is the service that accepts those connections. Under the right circumstances, this interference could allow a malicious actor to bypass sshd authentication and gain unauthorized access to the entire system remotely. (CVE-2024-3094)
Successful exploitation of this vulnerability could allow remote code execution in the context of the sshd process. Depending on the privileges associated with that process (on most systems sshd runs as root), an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Services configured to run with fewer rights on the system limit the impact compared with those running with administrative privileges.
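The host triage a practitioner would run before and after the downgrade called for in the recommendations, as an added example that is not part of the MS-ISAC notice. It assumes a POSIX shell with sed and ldd available, that xz may or may not be installed, and that sshd lives at /usr/sbin/sshd (an assumption; pass another path as the first argument). It checks the two facts the technical summary rests on: the liblzma version the installed xz binary reports, and whether sshd pulls liblzma into its process via libsystemd.

```shell
#!/bin/sh
# Added example, not part of the MS-ISAC notice: host triage for CVE-2024-3094.
# It reads the version the installed xz binary reports (not the package name,
# which on some distributions keeps a 5.6.x prefix after the fix, e.g. Debian's
# "5.6.1+really5.4.5") and checks whether sshd pulls in liblzma at all.
# The path /usr/sbin/sshd is an assumption; override it via the first argument.

# True (exit 0) when the given XZ Utils/liblzma version is one of the
# backdoored releases named in the notice.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull "5.6.1" out of the text that `xz --version` prints, whose first line
# looks like "xz (XZ Utils) 5.6.1". Argument $1 is that text; prints the
# version number, or nothing if the line is not recognised.
xz_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Whether the sshd binary depends on liblzma, directly or through libsystemd
# (the load path the backdoor relies on). Prints "linked", "not-linked", or
# "absent" when sshd or ldd is not available on this host.
sshd_links_liblzma() {
    sshd_bin="${1:-/usr/sbin/sshd}"
    if [ ! -x "$sshd_bin" ] || ! command -v ldd >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    if ldd "$sshd_bin" 2>/dev/null | grep -q 'liblzma'; then
        echo linked
    else
        echo not-linked
    fi
}

# Host check: runs only when xz is installed, so the file is safe to source.
if command -v xz >/dev/null 2>&1; then
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if is_affected_xz_version "$ver"; then
        echo "WARNING: installed xz $ver is a backdoored release (CVE-2024-3094)"
    else
        echo "installed xz ${ver:-unknown}: not in the affected set"
    fi
fi
echo "sshd liblzma dependency: $(sshd_links_liblzma "$1")"
```

Two caveats. "not-linked" only means the sshd authentication path described above is not reachable on this host; a 5.6.0 or 5.6.1 liblzma is still a backdoored component and must be replaced regardless. And ldd executes part of the dynamic loader against the binary it inspects, so point it only at the distribution's own sshd, never at a binary you already suspect. After replacing the package, restart sshd (or reboot) so the clean library is actually loaded, then re-run the script.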
RECOMMENDATIONS:
We recommend that the following actions be taken:
- Downgrade XZ Utils to a version earlier than 5.6.0 (for example 5.4.x) or install the fixed package supplied by your distribution, then restart sshd (or reboot) so that the replaced liblzma is actually loaded. (M1051: Update Software, M1042: Disable or Remove Feature or Program)
  o Safeguard 4.8: Uninstall or disable unnecessary services on enterprise assets and software: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
  o Safeguard 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually or when significant enterprise changes occur that could impact this safeguard.
  o Safeguard 7.4: Perform automated application patch management: Perform application updates on enterprise assets through automated patch management on a monthly or more frequent basis.
- Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Privileged Account Management)
  o Safeguard 4.7: Manage default accounts on enterprise assets and software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include disabling default accounts or making them unusable.
  o Safeguard 5.4: Restrict administrator privileges to dedicated administrator accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.
- Perform a vulnerability scan to find potentially exploitable software vulnerabilities. (M1016: Vulnerability Scanning)
  o Safeguard 16.1: Establish and maintain a secure application development process: Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually or when significant enterprise changes occur that could impact this safeguard.
  o Safeguard 16.2: Establish and maintain a process to accept and address software vulnerabilities: Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies the reporting process, the responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually or when significant enterprise changes occur that could impact this safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.
  o Safeguard 16.3: Perform root cause analysis on security vulnerabilities: Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise.
  o Safeguard 16.4: Establish and manage an inventory of third-party software components: Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported.
- Inform and educate users regarding the threats posed by hyperlinks contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)
  o Safeguard 14.1: Establish and maintain a security awareness program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually or when significant enterprise changes occur that could impact this safeguard.