# CVE-2024-3094 xz Check Script

This repository contains a Bash script and a one-liner command to check whether a system is running one of the backdoored versions of the "xz" utility (5.6.0 or 5.6.1), tracked as CVE-2024-3094.

See the description and impact statement below, quoted from the information published by Red Hat.

"_Malicious code was identified in the upstream tarballs of "xz" starting from version 5.6.0. This code involves a complex method where the build process of liblzma extracts a prebuilt object file from a disguised test file within the source code. This file is then utilized to alter specific functions within the liblzma code, leading to a compromised liblzma library. Any software linked against this modified library may intercept and alter data interactions with the library, potentially exposing systems to security risks._

_The investigation to date reveals that the impacted packages are confined to Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No Red Hat Enterprise Linux (RHEL) versions are affected by this issue._

_The vulnerability stems from malicious injection found in xz versions 5.6.0 and 5.6.1, specifically within the tarball download package. The Git distribution does not include the M4 macro responsible for triggering the build of the malicious code. However, the Git repository does contain second-stage artifacts intended for injection during build time if the malicious M4 macro is present. Absent integration into the build, these 2nd-stage files are harmless. Demonstrations of the vulnerability revealed interference with the OpenSSH daemon, which, while not directly linked to the liblzma library, interacts with systemd in a manner that makes it susceptible to the malware, given systemd's linkage to liblzma._"

## Background Information from the "About the xz backdoor" blog article

_"The xz-utils package, starting from versions 5.6.0 to 5.6.1, was found to contain a backdoor (CVE-2024-3094). This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized access to the entire system remotely._

_With a library this widely used, the severity of this vulnerability poses a threat to the entire Linux ecosystem. Luckily, this issue was caught quickly so the impact was significantly less than it could have been. It has already been patched in Debian, and therefore, Kali Linux._

_The impact of this vulnerability affected Kali between March 26th to March 29th, during which time xz-utils 5.6.0-0.2 was available. If you updated your Kali installation on or after March 26th, but before March 29th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability."_

## Verification Script

The following one-liner can be used to check whether the `xz` binary on the system reports one of the backdoored versions (5.6.0 or 5.6.1):

```bash
command -v xz &>/dev/null && xz_version=$(xz --version | head -n 1 | awk '{print $4}') && { [[ $xz_version == "5.6.0" || $xz_version == "5.6.1" ]] && echo -e "\n[*] This system seems to be VULNERABLE to CVE-2024-3094 since it has a vulnerable version of xz\n\nLearn more about this CVE on this link:\n" || echo -e " \n[*] This system DOES NOT SEEM to be vulnerable to CVE-2024-3094."; } || echo "[-] xz package is not installed."
```

Note that this reads the version reported by the `xz` command-line tool, not the version of the installed `liblzma` package, and the backdoor lives in liblzma. On Debian-based systems such as Kali, confirm the library package version with the `apt-cache policy liblzma5` check below as well.

### Verification suggested by the "About the xz backdoor" blog article

How to check manually for an affected Kali Linux version?

```bash
apt-cache policy liblzma5
```

```text
kali@kali:~$ apt-cache policy liblzma5
liblzma5:
  Installed: 5.4.5-0.3
  Candidate: 5.6.1+really5.4.5-1
  Version table:
     5.6.1+really5.4.5-1 500
        500 kali-rolling/main amd64 Packages
 *** 5.4.5-0.3 100
        100 /var/lib/dpkg/status
```

If we see the version "5.6.0-0.2" next to `Installed:`, the backdoored build is installed and we must upgrade to the latest version, "5.6.1+really5.4.5-1". The "+really" in that version string is the Debian convention for a rollback: the package actually contains upstream 5.4.5, but carries a version string that sorts higher than 5.6.1 so that apt treats it as an upgrade. We can install it with the following commands:

Command for addressing the issue with the vulnerable package in Kali Linux:

```bash
sudo apt update && sudo apt install -y --only-upgrade liblzma5
```

Processes that already loaded the old library (for example a running `sshd`) keep using the in-memory copy until they are restarted, so restart those services or reboot after the upgrade and re-run the `apt-cache policy liblzma5` check to confirm the `Installed:` line now shows "5.6.1+really5.4.5-1".
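As an added example, not part of this repository's script or of the Kali blog post, the shell functions below implement both checks described on this page in a form that can be exercised offline: the upstream version check against the output of `xz --version` (both the `xz` line and the `liblzma` line, since the backdoor is in the library) and the Debian/Kali package-version check. The `xz --version` output strings are constructed here, not captured from a real host, and the `+really` handling assumes the Debian convention described above, under which `5.6.1+really5.4.5-1` ships upstream 5.4.5.

```shell
#!/bin/sh
# Added example (not the repository's own script): CVE-2024-3094 version
# checks that can be exercised offline on constructed input.

# Return 0 when an upstream xz/liblzma version string is a backdoored release.
is_backdoored_upstream() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Debian/Kali package versions are normalised to the upstream version first:
#   "5.6.0-0.2"           -> 5.6.0 (the backdoored build)
#   "5.6.1+really5.4.5-1" -> 5.4.5 (rollback shipped under a higher version
#                            string so that apt treats it as an upgrade)
#   "5.4.5-0.3"           -> 5.4.5
is_backdoored_debian_pkg() {
    v="$1"
    v="${v##*+really}"   # keep only the text after "+really", if present
    v="${v%%-*}"         # drop the Debian revision ("-0.2", "-1")
    is_backdoored_upstream "$v"
}

# Parse the two lines printed by `xz --version`, e.g.
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# and print VULNERABLE if either the tool or the library reports a
# backdoored version; the liblzma line is the one that actually matters.
classify_xz_version_output() {
    xz_ver=$(printf '%s\n' "$1" | awk '/^xz \(XZ Utils\)/ {print $4}')
    lib_ver=$(printf '%s\n' "$1" | awk '/^liblzma/ {print $2}')
    if is_backdoored_upstream "$xz_ver" || is_backdoored_upstream "$lib_ver"; then
        echo "VULNERABLE"
    else
        echo "NOT_VULNERABLE"
    fi
}

# Check the running system: returns 0 when clean, 1 when a backdoored
# version is reported, 2 when xz is not installed at all.
check_live_system() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "[-] xz is not installed"
        return 2
    fi
    out=$(xz --version 2>/dev/null)
    if [ "$(classify_xz_version_output "$out")" = "VULNERABLE" ]; then
        echo "[*] VULNERABLE to CVE-2024-3094:"
        echo "$out"
        return 1
    fi
    echo "[*] not affected by CVE-2024-3094:"
    echo "$out"
    return 0
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_BACKDOORED=$(printf 'xz (XZ Utils) 5.6.1\nliblzma 5.6.1')
SAMPLE_CLEAN=$(printf 'xz (XZ Utils) 5.4.5\nliblzma 5.4.5')
SAMPLE_MIXED=$(printf 'xz (XZ Utils) 5.4.5\nliblzma 5.6.0')   # tool clean, library backdoored

# Run the live check when executed directly; the status is discarded so that
# sourcing this file under `set -e` does not abort on a non-zero result.
check_live_system || true
```

Run it as `sh check.sh` for the live check, or source it and call `is_backdoored_debian_pkg "$(dpkg-query -W -f '${Version}' liblzma5)"` on a Debian-based host to test the installed package version string directly. The `SAMPLE_MIXED` case is the reason the function looks at the `liblzma` line: a system whose `xz` binary predates the backdoor can still have a backdoored shared library loaded by other programs.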