Embedded Malicious Code Affecting liblzma-sys package, versions <0.3.2


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
12.91% (96th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-LIBLZMASYS-6515733
  • published2 Apr 2024
  • disclosed29 Mar 2024
  • creditAndres Freund

Introduced: 29 Mar 2024

Malicious CVE-2024-3094  (opens in a new tab)
CWE-506  (opens in a new tab)

How to fix?

Upgrade liblzma-sys to version 0.3.2 or higher.

Overview

liblzma-sys is a raw bindings to liblzma which contains an implementation of LZMA and xz stream encoding/decoding.

Affected versions of this package are vulnerable to Embedded Malicious Code in the form of malicious .m4 files in the tarball distributions (which have since been taken down). These malicious build files contain build instructions not present in the upstream repository (https://git.tukaani.org/). The instructions execute a prebuilt object file from one of the tests archives during the build process of the liblzma package. The files mainly containing the obfuscated code are:

  • tests/files/bad-3-corrupt_lzma2.xz
  • tests/files/good-large_compressed.lzma

The malicious tests files were committed upstream, but due to the malicious build instructions not being present in the upstream repository, they were never called or executed.

Specifically, degradation or interruption to the performance of sshd has been observed, and that or other processes may allow unauthenticated remote code execution.

The currently known conditions to enable this backdoor are:

  • xz / liblzma is built for amd64 / x86_64 architecture.
  • Build toolchain uses glibc (for the IFUNC resolver functionality).
  • The package is built for .deb or .rpm based Linux distros.
  • Out of those distros, the payload activates if the running process is /usr/sbin/sshd and uses liblzma.

Current mitigations:

Tarballs signed by Lasse Collin are not infected, and lower versions, including 5.4.5 and 5.4.6, are confirmed to be not affected. Downgrading to a safe version is strongly recommended. If you can't downgrade, you should disable public-facing SSH servers until you can downgrade.

Disclaimer

This vulnerability is undergoing further analysis, and the advisory will be updated accordingly.

CVSS Scores

version 3.1