Snyk has a published code exploit for this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade liblzma-sys
to version 0.3.2 or higher.
liblzma-sys is a raw bindings to liblzma which contains an implementation of LZMA and xz stream encoding/decoding.
Affected versions of this package are vulnerable to Embedded Malicious Code in the form of malicious .m4
files in the tarball distributions (which have since been taken down). These malicious build files contain build instructions not present in the upstream repository (https://git.tukaani.org/).
The instructions execute a prebuilt object file from one of the tests
archives during the build process of the liblzma
package. The files mainly containing the obfuscated code are:
tests/files/bad-3-corrupt_lzma2.xz
tests/files/good-large_compressed.lzma
The malicious tests
files were committed upstream, but due to the malicious build instructions not being present in the upstream repository, they were never called or executed.
Specifically, degradation or interruption to the performance of sshd
has been observed, and that or other processes may allow unauthenticated remote code execution.
The currently known conditions to enable this backdoor are:
xz
/ liblzma
is built for amd64 / x86_64 architecture.glibc
(for the IFUNC
resolver functionality)..deb
or .rpm
based Linux distros./usr/sbin/sshd
and uses liblzma
.Current mitigations:
Tarballs signed by Lasse Collin are not infected, and lower versions, including 5.4.5 and 5.4.6, are confirmed to be not affected. Downgrading to a safe version is strongly recommended. If you can't downgrade, you should disable public-facing SSH servers until you can downgrade.
Disclaimer
This vulnerability is undergoing further analysis, and the advisory will be updated accordingly.