
Critical Security Alert Released After Malicious Code Found in XZ Utils


On Friday, Red Hat issued a high-priority security alert concerning two versions of XZ Utils (formerly LZMA Utils), a widely used data compression library. These specific versions were found to contain malicious code that had been intentionally inserted by unauthorized parties.

The code was designed to allow remote access to systems without authorization. Such access poses a serious threat to individuals and organizations running the compromised versions of the library, and could lead to data breaches or other malicious activity.

The discovery and reporting of the issue have been attributed to Microsoft security researcher Andres Freund. It was revealed that the malicious code, which was heavily obfuscated, was introduced through a sequence of four commits made to the Tukaani Project on GitHub. These commits were attributed to a user named Jia Tan (JiaT75). 

What Is XZ Utils Used For?

XZ is a compression tool and library widely utilized on Unix-like systems such as Linux. It is renowned for its ability to significantly reduce file sizes while maintaining fast decompression speeds. This compression is achieved through the implementation of the LZMA (Lempel-Ziv-Markov chain algorithm) compression algorithm, which is well-regarded for its efficient compression ratios. 

Let’s Understand the Severity of the Attack 

The breach has garnered a critical CVSS score of 10.0, indicating the most severe level of threat. This vulnerability has been found to impact XZ Utils versions 5.6.0 and 5.6.1, which were released on February 24 and March 9, respectively. 

The Common Vulnerability Scoring System (CVSS) is a widely used framework in the cybersecurity sector that offers a standardized way to rate the severity of security vulnerabilities found in computer systems. Its main purpose is to help security teams prioritize remediation of these vulnerabilities according to their urgency.

"Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code," an IBM subsidiary reported. 

Additionally, Red Hat clarified that while no versions of Red Hat Enterprise Linux (RHEL) are affected by this security flaw, evidence indicates successful injections within xz 5.6.x versions designed for Debian unstable (Sid). It is also noted that other Linux distributions may potentially be impacted by this vulnerability. 

In response to the security breach, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken action by issuing its own alert: "CISA and the open source community are responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. This activity was assigned CVE-2024-3094. XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems."

CISA is advising users to downgrade their XZ Utils installations to a version unaffected by the compromise. Specifically, they recommend reverting to an uncompromised version such as XZ Utils 5.4.6 Stable.
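The first step in acting on this advice is to find out which xz and liblzma versions a host actually reports. The following script is an added example and is not part of the original post, Red Hat's advisory, or the XZ Utils project; it assumes that `xz --version` prints lines of the form "xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z", and it flags exactly the two versions named in the CISA alert (5.6.0 and 5.6.1). The sample version strings in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the XZ Utils project):
# report whether an xz / liblzma version string names one of the
# versions that CVE-2024-3094 applies to (5.6.0 and 5.6.1, per the CISA alert).

# Versions the advisory identifies as carrying the malicious code.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Pure function: takes version text (e.g. the output of `xz --version`),
# prints "affected" or "clean", and returns 0 if affected, 1 otherwise.
# Every X.Y.Z token in the text is compared as a whole token, so "5.6.10"
# is not mistaken for "5.6.1".
xz_version_status() {
    _status=1
    for _found in $(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+'); do
        for _bad in $AFFECTED_VERSIONS; do
            [ "$_found" = "$_bad" ] && _status=0
        done
    done
    if [ "$_status" -eq 0 ]; then echo affected; else echo clean; fi
    return "$_status"
}

# Host check: runs the installed xz binary (if any) and reports the result.
# Always returns 0 so it can be called from scripts that use `set -e`.
check_installed_xz() {
    if command -v xz >/dev/null 2>&1; then
        _out=$(xz --version 2>/dev/null)
        _state=$(xz_version_status "$_out") || true
        printf 'installed xz:\n%s\nstatus: %s\n' "$_out" "$_state"
    else
        echo "xz not installed on this host"
    fi
    return 0
}

# Constructed sample strings (not captured from a real host) showing both outcomes.
SAMPLE_COMPROMISED="xz (XZ Utils) 5.6.1
liblzma 5.6.1"
SAMPLE_STABLE="xz (XZ Utils) 5.4.6
liblzma 5.4.6"

# Usage: report the two constructed samples, then the host's own xz.
echo "sample 5.6.1: $(xz_version_status "$SAMPLE_COMPROMISED")"
echo "sample 5.4.6: $(xz_version_status "$SAMPLE_STABLE")"
check_installed_xz
```

The script is deliberately conservative: it matches only the two versions the advisory names, so a distribution that ships a patched 5.6.x package under the same version number would still be reported as "affected" and should be confirmed against the distribution's own advisory. A "clean" result means only that the reported version is not 5.6.0 or 5.6.1, which is what the CISA guidance to stay on a release such as 5.4.6 is based on.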

Fortra's GoAnywhere MFT Software Faces Exploitation, No Evidence of Active Exploitation Detected


Reports of exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns that working exploit code could be developed from a publicly released proof of concept (PoC). As of Thursday afternoon, however, there was no evidence of active exploitation.

Researchers from Shadowserver, in a post dated January 25, noted over 120 instances of exploits based on the publicly released PoC code. However, they suggested that widespread success for attackers is unlikely due to the limited exposure of admin portals (only 50) and the majority being patched.

The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software’s administration portal. This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations. Fortra responded by releasing a patch on January 22, urging immediate action from security teams. The company had notified customers on December 4 and released the patch on December 7.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

Given the lack of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. CISA defines "active exploitation" based on real-world success demonstrated by threat actors in the wild.

Ransomware groups have historically targeted file transfer software, with examples such as REvil using GoAnywhere MFT to deploy malware and exfiltrate sensitive data. Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly. Security experts advise organizations that use the software to patch immediately, given the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted the relative ease of exploiting the Fortra GoAnywhere MFT vulnerability, described as a "1998 style" path traversal flaw. With the PoC available and the simplicity of exploitation, there are concerns that threat actors might start scanning for vulnerable instances of GoAnywhere MFT to exploit the flaw. While it's uncertain if CISA will include this flaw in the KEV catalog, they have previously issued advisories for similar vulnerabilities and added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the catalog.