⌘

Malicious code in xz/liblzma 😱

CVE-2024-3094
hahwul

λ°”λ‘œ μ–΄μ œ μ••μΆ• 처리λ₯Ό xz νŒ¨ν‚€μ§€μ˜ upstream tarballsμ—μ„œ μ•…μ˜μ μΈ λ™μž‘μ΄ ν™•μΈλ˜μ–΄ μ΄μŠˆμž…λ‹ˆλ‹€. 결둠은 xz λ‚΄ Malicious codeκ°€ μ‚½μž…λ˜μ—ˆκ³  이둜 인해 λ§Žμ€ μ‹œμŠ€ν…œμ΄ 영ν–₯받을 κ²ƒμœΌλ‘œ λ³΄μž…λ‹ˆλ‹€. CVE-2024-3093λ₯Ό 할당받은 이 μ΄μŠˆμ— λŒ€ν•΄ μ΄μ•ΌκΈ°ν•΄λ³ΌκΉŒ ν•©λ‹ˆλ‹€.

Xz

xzλŠ” μ••μΆ• λ„κ΅¬λ‘œ LZMA2λ₯Ό μ‚¬μš©ν•˜λ©° μ••μΆ• 효율이 ꡉμž₯히 쒋은 λ„κ΅¬μ΄μž λΌμ΄λΈŒλŸ¬λ¦¬μž…λ‹ˆλ‹€. λŒ€λ‹€μˆ˜ λ¦¬λˆ…μŠ€ λ°°ν¬νŒμ— 기본적으둜 μ‚¬μš©λ©λ‹ˆλ‹€.

xz --help
Usage: xz [OPTION]... [FILE]...
Compress or decompress FILEs in the .xz format.

  -z, --compress      force compression
  -d, --decompress    force decompression
  -t, --test          test compressed file integrity
  -l, --list          list information about .xz files
  -k, --keep          keep (don't delete) input files
  -f, --force         force overwrite of output file and (de)compress links
  -c, --stdout        write to standard output and don't delete input files
  ...

Malicious Code

xzλŠ” automakeλ₯Ό ν†΅ν•œ λΉŒλ“œ κ³Όμ •μ—μ„œ build-to-host.m4λ₯Ό μ‚¬μš©ν•˜λŠ”λ° github 버전과 tarballs 버전이 μƒμ΄ν•˜λ‹€κ³  ν•©λ‹ˆλ‹€. μ•…μ„±μ½”λ“œκ°€ μ‚½μž…λ¬λ‹€κ³  νŒλ‹¨λ˜λŠ” tarballs 버전 기쀀에선 build-to-host.m4κ°€ μ‹€ν–‰ν•˜λŠ” μŠ€ν¬λ¦½νŠΈκ°€ μ•…μ˜μ μΈ ν…ŒμŠ€νŠΈ μ½”λ“œ 데이터λ₯Ό λ°›κ³ , 이λ₯Ό μ΄μš©ν•˜μ—¬ μ•…μ„± μ½”λ“œλ₯Ό μ‹€ν–‰ν•©λ‹ˆλ‹€.

  • tests/files/bad-3-corrupt_lzma2.xz
  • tests/files/good-large_compressed.lzma

μ•…μ„±μ½”λ“œλŠ” amd64 ν™˜κ²½μ„ νƒ€κ²ŸνŒ…ν•΄μ„œ λ™μž‘ν•˜λŠ” κ²ƒμœΌλ‘œ 보이고 sshd에 영ν–₯을 쀄 수 μžˆμŠ΅λ‹ˆλ‹€. ν•΄λ‹Ή μ½”λ“œκ°€ λ‘œλ“œλœλ‹€λ©΄ sshdμ—μ„œ RSA_public_decrypt ν•¨μˆ˜κ°€ κ³΅κ²©μžκ°€ μ˜λ„ν•œ κ΅¬ν˜„μœΌλ‘œ λ™μž‘ν•˜κ²Œ 되며 인증 κ³Όμ • μš°νšŒμ— μ‚¬μš©λ  수 μžˆλŠ” 것 κ°™μŠ΅λ‹ˆλ‹€.

Efforts to mitigate

Github

Github에선 ν•΄λ‹Ή Repoλ₯Ό μ ‘κ·Όν•˜μ§€ λͺ»ν•˜λ„둝 μ œν•œν–ˆμŠ΅λ‹ˆλ‹€.

λ‹€λ§Œ μ‹€μ œλ‘œ 이λ₯Ό 뢄석해야할 μ‚¬μš©μžλ“€λ„ μ ‘κ·Όν•˜μ§€ λͺ»ν•˜κ³  μžˆλŠ” μƒνƒœλΌ μ—¬λŸ¬ 의견이 λ‚˜μ˜€κΈ°λŠ” ν•œλ°, μ–΄μ¨Œλ˜ λΉ λ₯΄κ²Œ μ•…μ„±μ½”λ“œμ— λŒ€ν•œ 접근을 μ œν•œν•œ μƒνƒœμž…λ‹ˆλ‹€. κ·ΈλŸ¬λ‚˜ Github을 미러링 ν•˜λŠ” μ„œλΉ„μŠ€λ“€μ„ μ΄μš©ν•˜λ©΄ μ°Ύμ•„λ³Ό 수 μžˆμŠ΅λ‹ˆλ‹€ :D

Homebrew

일단 Homebrew 츑에선 영ν–₯λ°›λ˜ 5.6μ—μ„œ 5.4.6으둜 κ°•μ œ λ‹€μš΄ κ·Έλ ˆμ΄λ“œλ˜λ„λ‘ λ³€κ²½λœ μƒνƒœμž…λ‹ˆλ‹€. Homebrew team의 경우 MacOS에선 영ν–₯이 없을 κ²ƒμœΌλ‘œ 보고 μžˆκΈ΄ν•œλ°, ν™•μ‹€μΉœ μ•Šμ•„ λ‹€μš΄ κ·Έλ ˆμ΄λ“œλ₯Ό μ§€μ›ν•˜κ³  λͺ¨λ‹ˆν„°λ§ν•˜κ³  μžˆλŠ” μƒνƒœμž…λ‹ˆλ‹€. 5.4.6이 μ•ˆμ „ν• μ§€ ν™•μ‹€ν•˜μ§€λŠ” μ•Šμ§€λ§Œ, μš°μ„ μ€ 5.6 μ‚¬μš©μžμ˜€λ‹€λ©΄ λ‚΄λ €κ°€λŠ”κ²Œ 쒋을 것 κ°™μŠ΅λ‹ˆλ‹€.

Homebrew/homebrew-core#167512

μ΄μŠˆμ™€ κ΄€λ ¨λœ 이야기 흐름듀인데, μ½μ–΄λ³΄μ‹œλ©΄ 쒋을 것 κ°™μ•„μ„œ λ”°λ‘œ λͺ¨μ•„λ‘‘λ‹ˆλ‹€.

Analysis in a single page

https://twitter.com/fr0gger_/status/1774342248437813525 https://twitter.com/fr0gger_/status/1774342248437813525

References

#security