Cyber Threat Intelligence Briefing - April 8, 2024

This week, we dive into a new SSH xz backdoor discovered in a popular Linux distribution and how to protect your organization from an HTTP/2 CONTINUATION Flood.

CVE-2024-3094: SSH xz Backdoor

On Friday, March 29, Microsoft developer Andres Freund posted that he had discovered a backdoor in a software library called 'liblzma', part of the 'xz Utils'  package used by most Linux distributions.

Research into the backdoor revealed that successful execution of the malicious code placed in the xz Utils software manipulates sshd, the executable that makes SSH connections.

Once this is triggered, a threat actor possessing a specific encryption key could place arbitrary code in an SSH login certificate, upload it, and execute the code on the backdoored device.

The backdoor was placed into the code by a user going by JiaT75 (Jia Tan), who began contributing to the open source project starting in 2021.

Thankfully, this discovery took place before the backdoored library was rolled out to stable releases of Linux. The backdoor vulnerability is now tracked as CVE-2024-3094.

What is xz Utils?

xz Utils is a compression utility found in most Linux distributions that provides lossless data compression.

Although this library is not directly a part of OpenSSH, based on functionality of most Linux distributions such as Debian, xz Utils is linked to OpenSSH via systemd (loads services on system bootup) and sshd (the server process for OpenSSH), which then allows xz Utils to control sshd.

Microsoft threat researcher Thomas Roccia created an excellent infographic showing how this utility was abused to create the back door.

What Versions are Impacted?

The Github commits posted in February for versions 5.6.0 and 5.6.1 of xz Utils contain the backdoor. While this issue was caught relatively early, the malicious version of the software did get pushed so several "bleeding edge" Linux versions:

• Fedora Rawhide (development distribution of Fedora Linux)
• Fedora 40 Beta
• Fedora 41
• Debian testing, unstable, and experimental versions 5.5.1alpha-0.1 to 5.6.1-1
• openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and March 28)
• Kali Linux (between March 26 and March 28)
• Arch Linux (installation medium 2024.03.01, virtual machine images 20240301.218094 and 20240313.221711, and container images from 2024-02-24 and 2024-03-28).

How To Tell If You Are Affected

Aside from the above list of affected Linux versions, Linux administrators can determine the version of xz Utils running on the system by using either of the following CLI commands:

• xz --verision
• strings `which xz` | egrep '\(XZ Utils\)'

This resource also tracks which versions of the utility are current for each Linux distribution. If a backdoored version is discovered on a host, it is recommended to immediately downgrade the utility to a previous stable version, such as 5.4.6.

Additional Resources

• https://www.openwall.com/lists/oss-security/2024/03/29/4
  
• https://nvd.nist.gov/vuln/detail/CVE-2024-3094
  
• https://platform.socradar.com/app/threatfeed/cve/CVE-2024-3094/details
  
• https://boehs.org/node/everything-i-know-about-the-xz-backdoor
  
• https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/
  
• https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
  
• https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
  
• https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
  
• https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
  
• https://isc.sans.edu/diary/30808
  
• https://xz.fail/
  
• https://unicornriot.ninja/2024/xz-utils-software-backdoor-uncovered-in-years-long-hacking-plot/
  
• https://repology.org/project/xz/versions
  
• https://lists.debian.org/debian-security-announce/2024/msg00057.html

HTTP/2 CONTINUATION Flood

In 2015, the HTTP/2 protocol was published to help facilitate the demand for greater website performance.

The protocol includes features such as reduced overhead via header compression, multiplexing which allows multiple requests and responses with a single connection, and binary framing for more efficient data transmission. In these frames, researcher Barket Nowotarski discovered an "out of memory" vulnerability that can lead to denial of service attacks on a web server with a single HTTP/2 connection.

In HTTP/2, there are two frame types relevant to this vulnerability.

The HEADERS frame allows for the sending of both request and response headers. This frame has a maximum size that is allowed, and if the frame is larger than the maximum size, it is split into additional frames called CONTINUATION frames. Once the end of the header data is reached, the final CONTINUATION frame is meant to have an END_HEADERS flag signifying the end of the data stream.

What Barket discovered is if an HTTP/2 connection is made, and the stream sends HEADERS and CONTINUATION frames without ever sending the END_HEADERS flag, this creates an effective infinite stream of headers that eventually causes the webserver to run out of memory, as it eventually does not have the resources to parse and store all of the data sent.

The infographics below from Barket's blog do a great job of illustrating the bug:

Fig. 1 - Standard data stream where last CONTINUATION frame includes the END_HEADERS flag

Fig. 2 - Infinite stream where no CONTINUATION frames contain the END_HEADERS flag

Since this vulnerability affects HTTP/2 at the protocol level, multiple CVEs have been issued based on what platforms have implemented HTTP/2:

• CVE-2024-27983 - Node.js HTTP/2 server race condition
• CVE-2024-27919 - Envoy oghttp codec memory corruption
• CVE-2024-2758 - Tempesta FW DoS
• CVE-2024-2653 - Affects amphp/http, causes out-of-memory crash
• CVE-2023-45288 - Go net/http and net/http2 packages DoS
• CVE-2024-28182 - nghttp2 library DoS
• CVE-2024-27316 - Apache Httpd Dos
• CVE-2024-31309 - Apache Traffic Server Dos
• CVE-2024-30255 - Envoy version 1.29.2 or earlier CPU exhaustion DoS

Per CERT-CC, vendors and HTTP/2 libraries that have confirmed they are impacted by these vulnerabilities are Red Hat, SUSE Linux, Arista Networks, Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go Programming Language.

Due to the ease of exploitation and the detail with which this vulnerability has been described in research, this vulnerability has a high likelihood of exploitation. Administrators are urged to immediately apply the appropriate patches based on their web server technology stack.

Additional Resources

• https://nowotarski.info/http2-continuation-flood-technical-details/
  
• https://kb.cert.org/vuls/id/421644
  
• https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-crash-web-servers-with-a-single-connection/
  
• https://http.dev/2

Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.

If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.