Embedded Malicious Code Affecting liblzma-sys package, versions <0.3.2


Severity

0.0
critical
0
10

    Threat Intelligence

    Social Trends
    Exploit Maturity
    Mature
    EPSS
    13.34% (96th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUST-LIBLZMASYS-6515733
  • published 2 Apr 2024
  • disclosed 29 Mar 2024
  • credit Andres Freund

How to fix?

Upgrade liblzma-sys to version 0.3.2 or higher.

Overview

liblzma-sys is a raw bindings to liblzma which contains an implementation of LZMA and xz stream encoding/decoding.

Affected versions of this package are vulnerable to Embedded Malicious Code in the form of malicious .m4 files in the tarball distributions (which have since been taken down). These malicious build files contain build instructions not present in the upstream repository (https://git.tukaani.org/). The instructions execute a prebuilt object file from one of the tests archives during the build process of the liblzma package. The files mainly containing the obfuscated code are:

  • tests/files/bad-3-corrupt_lzma2.xz
  • tests/files/good-large_compressed.lzma

The malicious tests files were committed upstream, but due to the malicious build instructions not being present in the upstream repository, they were never called or executed.

Specifically, degradation or interruption to the performance of sshd has been observed, and that or other processes may allow unauthenticated remote code execution.

The currently known conditions to enable this backdoor are:

  • xz / liblzma is built for amd64 / x86_64 architecture.
  • Build toolchain uses glibc (for the IFUNC resolver functionality).
  • The package is built for .deb or .rpm based Linux distros.
  • Out of those distros, the payload activates if the running process is /usr/sbin/sshd and uses liblzma.

Current mitigations:

Tarballs signed by Lasse Collin are not infected, and lower versions, including 5.4.5 and 5.4.6, are confirmed to be not affected. Downgrading to a safe version is strongly recommended. If you can't downgrade, you should disable public-facing SSH servers until you can downgrade.

Disclaimer

This vulnerability is undergoing further analysis, and the advisory will be updated accordingly.

CVSS Scores

version 3.1
Expand this section

Snyk

10 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

10 critical
Expand this section

Red Hat

10 critical