{"id":5772,"date":"2024-04-02T16:10:34","date_gmt":"2024-04-02T21:10:34","guid":{"rendered":"https:\/\/www.incredigeek.com\/home\/?p=5772"},"modified":"2024-04-13T15:46:20","modified_gmt":"2024-04-13T20:46:20","slug":"check-for-backdoored-version-of-xz-cve-2024-3094-ansible-bash","status":"publish","type":"post","link":"https:\/\/www.incredigeek.com\/home\/check-for-backdoored-version-of-xz-cve-2024-3094-ansible-bash\/","title":{"rendered":"Check for backdoored version of xz (CVE-2024-3094) (Ansible\/Bash)"},"content":{"rendered":"\n<p>Info on the xz backdoor (CVE-2024-3094):<\/p>\n\n\n\n<p><a href=\"https:\/\/www.openwall.com\/lists\/oss-security\/2024\/03\/29\/4\">https:\/\/www.openwall.com\/lists\/oss-security\/2024\/03\/29\/4<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/tukaani.org\/xz-backdoor\/\">https:\/\/tukaani.org\/xz-backdoor\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.tenable.com\/blog\/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils\">https:\/\/www.tenable.com\/blog\/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils<\/a><\/p>\n\n\n\n<p>Kostas on Twitter posted a helpful one-liner to check the xz version without running the actual command.<\/p>\n\n\n\n<p><a href=\"https:\/\/twitter.com\/kostastsale\/status\/1773890846250926445\">https:\/\/twitter.com\/kostastsale\/status\/1773890846250926445<\/a><\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">Regarding the xz backdoored binary, see the one-liner below to check the version you have installed. 
<br><br>**I wouldn\u2019t suggest folks running the malicious binary with -v option\ud83e\udee0\ud83e\udee3<br><br>for xz_p in $(type -a xz | awk &#39;{print $NF}&#39; | uniq); do strings &quot;$xz_p&quot; | grep &quot;xz (XZ Utils)&quot; ||\u2026 <a href=\"https:\/\/t.co\/0X10jqLKPR\">https:\/\/t.co\/0X10jqLKPR<\/a><\/p>&mdash; Kostas (@Kostastsale) <a href=\"https:\/\/twitter.com\/Kostastsale\/status\/1773890846250926445?ref_src=twsrc%5Etfw\">March 30, 2024<\/a><\/blockquote>\n<\/div><\/figure>\n\n\n\n<p>Versions 5.6.0 and 5.6.1 of xz are backdoored.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bash one-liner<\/h2>\n\n\n\n<p><em>The following Bash commands were taken and modified from the above Twitter link<\/em><\/p>\n\n\n\n<p>Here is a one-liner that reads the version string embedded in each xz binary on the PATH (using strings, so the binary itself is never executed) and reports whether it is safe or vulnerable.  You&#8217;ll need to run this in a Bash shell.  
It may not work in plain sh.<\/p>\n\n\n\n<pre class=\"wp-block-code has-dark-gray-background-color has-background\"><code class=\"\">for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do if strings \"$xz_p\" | grep \"xz (XZ Utils)\" | grep -q '5\\.6\\.[01]'; then echo \"$xz_p Vulnerable\"; else echo \"$xz_p Safe\"; fi; done<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Ansible Playbooks<\/h2>\n\n\n\n<p>Here are two different Ansible Playbooks to check if the xz package(s) are backdoored.<\/p>\n\n\n\n<p>This one runs the above Bash commands on every host and checks the xz binaries themselves (the strings command, from binutils, must be present on the target).<\/p>\n\n\n\n<pre title=\"Ansible Playbook to Check xz Backdoor\" class=\"wp-block-code has-dark-gray-background-color has-background\"><code lang=\"yaml\" class=\"language-yaml line-numbers\">---\n- name: Check if XZ tools are compromised\n  # Based on https:\/\/twitter.com\/kostastsale\/status\/1773890846250926445\n  hosts: all\n\n  tasks:\n    - name: Run Bash command\n      ansible.builtin.shell: |\n        # Inspect every xz on the PATH with strings instead of executing it\n        for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do\n          if strings \"$xz_p\" | grep \"xz (XZ Utils)\" | grep -q '5\\.6\\.[01]'; then\n            echo \"$xz_p Vulnerable!\"\n          else\n            echo \"$xz_p Safe\"\n          fi\n        done\n      args:\n        executable: \/bin\/bash\n      register: result\n\n    - name: Show output\n      ansible.builtin.debug:\n        msg: \"{{ result.stdout_lines }}\"<\/code><\/pre>\n\n\n\n<p>The following playbook uses the package manager to check the xz version.  On RHEL\/Fedora this is the xz package.  
On Debian\/Ubuntu, it is part of the liblzma5 package.<\/p>\n\n\n\n<pre title=\"Ansible Playbook to Check xz Backdoor using package manager\" class=\"wp-block-code has-dark-gray-background-color has-background\"><code lang=\"yaml\" class=\"language-yaml line-numbers\">---\n- name: Check if XZ tools are compromised\n  hosts: all\n\n  tasks:\n    - name: Collect package info\n      ansible.builtin.package_facts:\n        manager: auto\n\n    # Debian package versions look like 5.6.1-1, so drop the revision before comparing\n    - name: Check if liblzma5 is vulnerable (Ubuntu\/Debian)\n      ansible.builtin.debug:\n        msg: \"Installed version of liblzma5\/xz: {{ ansible_facts.packages['liblzma5'] | map(attribute='version') | join(', ') }} Vulnerable!\"\n      when:\n        - \"'liblzma5' in ansible_facts.packages\"\n        - ansible_facts.packages['liblzma5'][0].version.split('-')[0] in ['5.6.0', '5.6.1']\n\n    # RPM version facts carry no release suffix, so compare directly\n    - name: Check if xz is vulnerable (RHEL\/Fedora\/Rocky\/Alma)\n      ansible.builtin.debug:\n        msg: \"Installed version of xz: {{ ansible_facts.packages['xz'] | map(attribute='version') | join(', ') }} is vulnerable\"\n      when:\n        - \"'xz' in ansible_facts.packages\"\n        - ansible_facts.packages['xz'][0].version in ['5.6.0', '5.6.1']\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Info on the xz backdoor https:\/\/www.openwall.com\/lists\/oss-security\/2024\/03\/29\/4 https:\/\/tukaani.org\/xz-backdoor\/ https:\/\/www.tenable.com\/blog\/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils Kostas on Twitter posted a helpful one-liner to check the xz version without running the actual command. https:\/\/twitter.com\/kostastsale\/status\/1773890846250926445 Versions 5.6.0 and 5.6.1 are backdoored. 
Bash one liner The following Bash commands were &hellip; <a href=\"https:\/\/www.incredigeek.com\/home\/check-for-backdoored-version-of-xz-cve-2024-3094-ansible-bash\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1646,3,1661,573],"tags":[1193,1670,1671,1667,1668,7,1200,1669],"class_list":["post-5772","post","type-post","status-publish","format-standard","hentry","category-ansible","category-linux","category-playbooks","category-security","tag-ansible","tag-backdoor","tag-backdoored","tag-cve","tag-cve-2024-3094","tag-linux-2","tag-playbook","tag-xz"],"_links":{"self":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5772","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/comments?post=5772"}],"version-history":[{"count":6,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5772\/revisions"}],"predecessor-version":[{"id":5799,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5772\/revisions\/5799"}],"wp:attachment":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/media?parent=5772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/categories?post=5772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/tags?post=5772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}