Weekly Digest Week 14 – 2024

Publication date: 05.04.2024

Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

A newly discovered backdoor in XZ Utils, a data compression utility present in nearly all Linux distributions, has revived the ghosts of previous major software supply-chain scares such as the Log4Shell vulnerability and the SolarWinds attack.

We were likely very close to seeing the backdoored release reach the stable branches of Debian and Red Hat, two of the biggest Linux distributions, when an eagle-eyed software developer, Andres Freund, spotted something fishy while investigating SSH-related performance issues on a Debian system.

The backdoor, tracked as CVE-2024-3094, has a CVSS score of 10.0 and impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9). The malicious code is embedded in liblzma, the compression library that ships with XZ Utils. « Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code, » Red Hat (an IBM subsidiary) said in an advisory. « This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. » In practice the payload targets the OpenSSH server: on distributions that patch sshd to link against libsystemd, which in turn depends on liblzma, the modified library hooks into the sshd process and, under the right circumstances, lets a threat actor bypass sshd authentication and gain remote access to the system. The hook only answers requests that carry the backdoor author's own key material, so it is not exploitable by arbitrary parties, but any host that ran the affected library with sshd exposed should still be considered at risk.

Nearly all Linux distributions use XZ Utils. However, the compromised releases were mainly distributed in the testing and rolling branches of the distributions. The following distributions are known to have shipped the affected packages:

  • Debian testing, unstable and experimental
  • openSUSE Tumbleweed and openSUSE MicroOS
  • Kali Linux
  • Fedora Linux 40 beta and Fedora Rawhide
  • Arch Linux
  • Alpine Edge

Analysis from our SOC team
In line with the advisories issued by the maintainers of the major Linux distributions, we recommend downgrading XZ Utils to an unaffected stable version (below 5.6.0, typically the 5.4.x line) or, where your distribution has published one, upgrading to a fixed build newer than 5.6.1.

While patching appliances or software to an unaffected version protects against future exploitation, it does not remediate a historic compromise. A host that ran liblzma 5.6.0 or 5.6.1 with an internet-facing sshd should be investigated as potentially compromised rather than simply patched, and the credentials and keys it held should be rotated.

The fact that someone managed to sneak a nearly undetectable backdoor into a trusted, widely used open-source component, and the havoc it could have caused, is a painful wake-up call about how vulnerable organizations remain to attacks via the supply chain.
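The first triage question is simply which xz build a host runs and whether its sshd is linked to liblzma at all. The helper below is an added example, not code from this article or from the XZ project: the function names are mine, and the sample `ldd` listing is constructed to look like a Debian-style sshd that pulls liblzma in through libsystemd.

```python
# Added example for CVE-2024-3094 triage (not code from the Approach article or the XZ project).
# Helper names are my own; SAMPLE_LDD_DEBIAN is a constructed `ldd` listing, not real output.
import os
import re
import shutil
import subprocess
from typing import Optional

# The two XZ Utils releases that carried the backdoored liblzma build.
BACKDOORED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample of `ldd /usr/sbin/sshd` output (paths only, load addresses omitted).
SAMPLE_LDD_DEBIAN = """\
        linux-vdso.so.1
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6
"""


def parse_xz_version(version_output: str) -> Optional[str]:
    """Pull the version out of `xz --version`, whose first line reads 'xz (XZ Utils) 5.6.1'."""
    match = re.search(r"XZ Utils\)\s+(\d+(?:\.\d+)+)", version_output)
    return match.group(1) if match else None


def is_backdoored_xz(version: Optional[str]) -> bool:
    """True only for the two known-bad releases; 5.4.x and fixed builds after 5.6.1 are clean."""
    return version in BACKDOORED_XZ_VERSIONS


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if sshd's dynamic dependencies include liblzma (usually pulled in by libsystemd)."""
    return any("liblzma" in line for line in ldd_output.splitlines())


def triage_local_system() -> dict:
    """Run both checks on this host; returns a summary and never raises if xz/sshd are absent."""
    summary = {"xz_version": None, "xz_backdoored": False, "sshd_links_liblzma": False}
    if shutil.which("xz"):
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        summary["xz_version"] = parse_xz_version(out)
        summary["xz_backdoored"] = is_backdoored_xz(summary["xz_version"])
    sshd = shutil.which("sshd") or next(
        (p for p in ("/usr/sbin/sshd", "/usr/bin/sshd") if os.path.exists(p)), None)
    if sshd and shutil.which("ldd"):
        out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
        summary["sshd_links_liblzma"] = sshd_links_liblzma(out)
    return summary


if __name__ == "__main__":
    report = triage_local_system()
    print(report)
    if report["xz_backdoored"]:
        print("Backdoored XZ Utils release installed: downgrade to 5.4.x or upgrade past 5.6.1,"
              " and treat any host that exposed sshd as potentially compromised.")
```

A version match alone tells you the bad library is installed; the liblzma link on sshd is what tells you the host was actually on the path the backdoor used, which is the case to prioritise for investigation rather than just patching.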


Critical SQL Injection in LayerSlider WordPress Plugin (CVE-2024-2879)

A critical security flaw impacting the LayerSlider plugin for WordPress could be abused to extract sensitive information from the database. The flaw, designated CVE-2024-2879, carries a CVSS score of 9.8 out of a maximum of 10.0 and is an unauthenticated SQL injection affecting versions 7.9.11 through 7.10.0.

LayerSlider is a visual web content editor and animation tool that lets users create animations and rich content for their websites. According to its own site, the plugin is used by « millions of users worldwide ».

The flaw stems from insufficient escaping of a user-supplied parameter and the absence of wpdb::prepare() on the affected query, enabling unauthenticated attackers to append additional SQL statements and read data from the database.

Because of the query's structure, the attack is limited to a time-based (blind) technique: the adversary never sees query output directly and must infer database contents from differences in response time. Separately, an unauthenticated stored XSS flaw (CVE-2024-1852) was found in the WP-Members Membership Plugin, allowing execution of arbitrary JavaScript; it is fixed in version 3.4.9.3.
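The difference between "interpolated into the query" and "bound through wpdb::prepare()" is easiest to see side by side. The block below is an added example, not code from this article or from the LayerSlider plugin: it models the bug class with a constructed SQLite table (function and table names are mine), registers a SLEEP() function by hand because SQLite has none, and runs the kind of time-based blind probe the advisory describes against the vulnerable form and the hardened form.

```python
# Added example (not code from the Approach article or the LayerSlider plugin). Models the
# CVE-2024-2879 bug class: user input pasted into SQL text versus bound as a parameter, which
# is what wpdb::prepare() does in WordPress. Table, rows and names are constructed.
import sqlite3
import time


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Stand-in for MySQL's SLEEP(): blocks for the given seconds and returns 0.
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    conn.execute("CREATE TABLE sliders (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO sliders VALUES (?, ?, ?)",
                     [(1, "home", "s3cr3t-1"), (2, "promo", "s3cr3t-2")])
    return conn


def get_popup_vulnerable(conn: sqlite3.Connection, slider_id: str) -> list:
    """Input is pasted into the SQL text, so anything after the number becomes part of the query."""
    return conn.execute(f"SELECT id, name FROM sliders WHERE id = {slider_id}").fetchall()


def get_popup_hardened(conn: sqlite3.Connection, slider_id: str) -> list:
    """Input is bound as a parameter: the driver sends it as a value, never as SQL."""
    return conn.execute("SELECT id, name FROM sliders WHERE id = ?", (slider_id,)).fetchall()


def elapsed(fn, *args) -> float:
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


def leaks_first_secret_char(conn: sqlite3.Connection, guess: str, delay: float = 0.2) -> bool:
    """One time-based blind probe: the response is slow only when the guessed character is right.
    The query returns no rows either way, so timing is the only signal, as in the advisory."""
    payload = (f"1 AND (SELECT CASE WHEN substr(secret, 1, 1) = '{guess}' "
               f"THEN SLEEP({delay}) ELSE 0 END FROM sliders WHERE id = 1)")
    return elapsed(get_popup_vulnerable, conn, payload) >= delay * 0.9


def hardened_ignores_probe(conn: sqlite3.Connection, delay: float = 0.2) -> bool:
    """With parameter binding the same payload is compared against the id column as a plain
    string and matches nothing: no rows, and no delay."""
    payload = f"1 AND SLEEP({delay})"
    return (get_popup_hardened(conn, payload) == []
            and elapsed(get_popup_hardened, conn, payload) < delay * 0.5)


if __name__ == "__main__":
    db = make_db()
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    found = next(c for c in alphabet if leaks_first_secret_char(db, c))
    print("first character of the secret recovered by timing:", found)
    print("hardened query unaffected by the probe:", hardened_ignores_probe(db))
```

Extracting a whole column this way costs one request per candidate character per position, which is why time-based injections show up in access logs as long bursts of near-identical requests with oddly long response times; that pattern is worth a detection rule even after the plugin is patched.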

Analysis from our SOC team
The flaw lies in the « ls_get_popup_markup » action of LayerSlider versions 7.9.11 through 7.10.0 (see Technical Analysis). It has been fixed in version 7.10.1, released on March 27, 2024, and we strongly recommend upgrading to that version. Since exploitation is unauthenticated and blind, it is also worth reviewing web-server logs for bursts of requests invoking this action with unusually long response times.

If you need assistance with your vulnerability management, do not hesitate to contact our SOC.


Ivanti Patches IPsec and SAML Vulnerabilities in Connect Secure and Policy Secure

Ivanti has released security updates for all supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure gateways. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. The disclosed vulnerabilities are:

  • CVE-2024-21894, CVE-2024-22052 and CVE-2024-22053: memory-handling bugs in the IPsec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. A malicious actor could exploit them to cause a denial of service (DoS) and, under certain conditions, execute arbitrary code.
  • CVE-2024-22023: a flaw in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. Successful exploitation could temporarily exhaust resources, resulting in a limited-time DoS.

Analysis from our SOC team
We strongly advise all Ivanti Connect Secure and Policy Secure users to review the vendor advisory and promptly apply the updates. The fixed builds are listed per release line below; confirm which line your appliance runs before upgrading.

Patch Versions:
Ivanti Connect Secure: 22.1R6.2, 22.2R4.2, 22.3R1.2, 22.4R1.2, 22.4R2.4, 22.5R1.3, 22.5R2.4, 22.6R2.3, 9.1R14.6, 9.1R15.4, 9.1R16.4, 9.1R17.4 and 9.1R18.5.
Ivanti Policy Secure: 22.4R1.2, 22.5R1.3, 22.6R1.2, 9.1R16.4, 9.1R17.4 and 9.1R18.5.

If you need assistance with your vulnerability management, do not hesitate to contact our SOC.


Missing Authorization in Synology Surveillance Station (CVE-2024-29241)

Synology Surveillance Station is a surveillance solution with video monitoring, management and analysis tools.

A missing-authorization vulnerability, tracked as CVE-2024-29241, has been discovered in the System webapi component of Synology Surveillance Station before 9.2.0-9289 and before 9.2.0-11289. It allows remote authenticated users to bypass security constraints via unspecified vectors, with a potential impact on the integrity and availability of the system and the data it holds.

Analysis from our SOC team
If your system is running an affected version, we highly recommend upgrading to a fixed release (9.2.0-9289 or 9.2.0-11289) or later. Exploitation requires valid credentials, so until you patch, review who holds Surveillance Station accounts and avoid exposing the web interface directly to the internet.

