Unveiling the XZ Utils Supply Chain Attack: Binarly’s Advanced Detection Solution

TheRealThreatHuntress
3 min read · Apr 2, 2024

Binarly, a firm specializing in firmware security, has launched a complimentary online scanner designed to identify Linux executables affected by the XZ Utils supply chain attack, designated as CVE-2024-3094.

CVE-2024-3094 signifies a supply chain breach within XZ Utils, a suite of data compression utilities and libraries extensively utilized in numerous prominent Linux distributions.

In a recent development, Andres Freund, an engineer at Microsoft, unearthed a clandestine entry point within the most recent iteration of the XZ Utils package while investigating sluggish SSH logins on Debian Sid, the distribution's continuously updated development branch.

The clandestine access point was introduced by an unidentified contributor in XZ version 5.6.0 and persisted through version 5.6.1. However, the impact was primarily felt by a limited number of Linux distributions and versions following a bleeding-edge update cadence, while the majority remained unaffected because they shipped earlier, uncompromised library versions.

Following the discovery of the covert entry point, detection and remediation efforts got under way, with CISA advising a rollback to XZ Utils 5.4.6 Stable and urging vigilance in identifying and reporting any malicious activity.

Binarly has critiqued the prevailing approach in threat mitigation, highlighting its reliance on rudimentary checks such as byte string matching, file hash blocklisting, and YARA rules, which may lead to false positives.

This methodology exacerbates alert fatigue and does nothing to detect analogous backdoors in other projects.

To tackle this challenge, Binarly has developed a specialized scanner capable of identifying the affected library as well as any other files harboring the same kind of backdoor.

Binarly’s detection technique statically analyzes binaries to spot suspicious control-flow transitions introduced through GNU Indirect Function (IFUNC) resolvers.

More precisely, the scanner scrutinizes the transitions that become suspicious once a malicious IFUNC resolver has been implanted. The IFUNC attribute of the GCC compiler enables developers to provide multiple versions of the same function, one of which is selected at runtime based on criteria such as processor type.

Binarly elaborated on the core technique used by the XZ backdoor, which abuses the GNU Indirect Function (IFUNC) attribute of the GCC compiler to manipulate indirect function calls at runtime.

The implanted backdoor first intercepts, or hooks, execution by modifying the IFUNC resolver so that the legitimate check, “is_arch_extension_supported,” is replaced with a call to “_get_cpuid,” which is provided by the payload object file and invokes a malformed “_get_cpuid()” embedded in the code.

Rerouting IFUNC calls in this way is what lets the backdoor intercept execution and insert its malicious code.
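As an added illustration, not code from the article or from Binarly, here is a minimal GNU IFUNC dispatch of the kind these paragraphs describe: a resolver that runs at load time and picks one of two versions of a function. The names (checksum, checksum_generic, checksum_fast, resolve_checksum, checksum_impl_selected) are invented for this example, and the resolver performs only the legitimate CPU-feature check that the backdoor's resolver replaced.

```c
// Added illustration, not code from the article or Binarly; names are invented.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t (*checksum_fn)(const uint8_t *, size_t);
// Two interchangeable implementations. Both compute Adler-32, so the resolver's
// choice is observable without special hardware; a real library's "fast" path
// would be a SIMD/CLMUL variant.
static uint32_t checksum_generic(const uint8_t *p, size_t n) {
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < n; i++) { a = (a + p[i]) % 65521; b = (b + a) % 65521; }
    return (b << 16) | a;
}

static uint32_t checksum_fast(const uint8_t *p, size_t n) {
    uint32_t a = 1, b = 0;  // same arithmetic, unrolled by two
    size_t i = 0;
    for (; i + 1 < n; i += 2) {
        a = (a + p[i]) % 65521;     b = (b + a) % 65521;
        a = (a + p[i + 1]) % 65521; b = (b + a) % 65521;
    }
    if (i < n) { a = (a + p[i]) % 65521; b = (b + a) % 65521; }
    return (b << 16) | a;
}

static const char *chosen_impl = "unresolved";  // recorded by the resolver
const char *checksum_impl_selected(void) { return chosen_impl; }

// The IFUNC resolver. The dynamic loader runs it during relocation, before main()
// and before constructors, and patches the GOT/PLT with the pointer it returns.
// This is the step the XZ backdoor hijacked: its resolver called the payload's
// _get_cpuid() instead of the legitimate is_arch_extension_supported() check.
static checksum_fn resolve_checksum(void) {
#if defined(__x86_64__) || defined(__i386__)
    __builtin_cpu_init();  // required before __builtin_cpu_supports in a resolver
    int fast_ok = __builtin_cpu_supports("sse2");
#else
    int fast_ok = 0;       // no feature probe on this architecture: generic path
#endif
    chosen_impl = fast_ok ? "fast" : "generic";
    return fast_ok ? checksum_fast : checksum_generic;
}

// Public entry point; its body is bound at load time by the resolver above.
uint32_t checksum(const uint8_t *p, size_t n) __attribute__((ifunc("resolve_checksum")));

int main(void) {
    static const uint8_t sample[] = "Wikipedia";  // constructed input; Adler-32 is 0x11e60398
    printf("checksum=%08x via %s\n", checksum(sample, sizeof sample - 1), checksum_impl_selected());
    return 0;
}
```

Build it with gcc or clang on a glibc-based Linux system; IFUNC is an ELF and glibc feature, so it will not link on platforms without it.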

Binarly’s scanner broadens detection by examining supply chain points beyond the XZ Utils project itself, and it reports results with significantly higher confidence.

According to Alex Matrosov, Binarly’s lead security researcher and CEO, the detection mechanism is rooted in behavioral analysis and possesses the ability to automatically identify any variants if a similar backdoor is identified elsewhere.

Matrosov further assured that the scanner maintains its efficacy even following recompilation or alterations in code.

The backdoor scanner is readily accessible online at xz.fail, enabling users to upload binary files for unlimited free assessments.

Happy Hunting!

j1nx
