Linux - Security - Detect and Mitigate CVE-2024-3094

Detects and downgrades vulnerable xz/xz-utils packages to mitigate the CVE-2024-3094 backdoor vulnerability

Worklet Details

What the CVE-2024-3094 detection and mitigation Worklet does

This Automox Worklet™ scans Linux endpoints for the xz or xz-utils package and checks if the installed version contains the CVE-2024-3094 backdoor. This critical vulnerability was discovered in March 2024 when malicious code was found in xz versions 5.6.0 and 5.6.1, inserted through an advanced supply chain attack.

The backdoor specifically targets SSH authentication on systems where sshd is linked against liblzma. When detected, the Worklet automatically downgrades the xz package to a safe version using the appropriate package manager for the distribution.

The Worklet executes downgrade commands based on the detected package manager: dnf downgrade for Fedora and newer RHEL systems, yum downgrade for CentOS and older RHEL systems, apt-get install with a specific safe version for Debian and Ubuntu, or zypper install with force for openSUSE systems.

Why respond quickly to CVE-2024-3094

CVE-2024-3094 represents one of the most serious supply chain attacks in Linux history because malicious code was inserted directly into a widely trusted compression library. When xz versions 5.6.0 or 5.6.1 are installed on systems where sshd links against liblzma, attackers can bypass SSH authentication and gain unauthorized remote access. The backdoor was carefully obfuscated to evade detection during code reviews, making automated scanning essential for identifying compromised endpoints before attackers exploit them.

Manual checking across a fleet of endpoints is time-consuming and error-prone. This Worklet provides consistent, automated verification and remediation.

While most stable versions of Red Hat Enterprise Linux, CentOS, and Ubuntu were not affected, testing versions of Debian, Fedora, Alpine, openSUSE, and Arch Linux shipped vulnerable packages. The Worklet runs on all Linux systems regardless of whether they were specifically affected.

How xz vulnerability detection and remediation works

  1. Evaluation phase: Identifies the package manager, locates the xz binary, and extracts its version. If the version matches 5.6.0 or 5.6.1, the endpoint is flagged as vulnerable and remediation is scheduled. Endpoints without xz installed or with other versions exit as compliant.

  2. Remediation phase: Detects the package name using rpm, dpkg, or zypper, then downgrades the package using the appropriate command: dnf downgrade, yum downgrade, apt-get install with a specific version, or zypper install with force. Verifies the downgrade succeeded by rechecking the version.
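
As an added example, not the Worklet's own code, the following Bash script implements the evaluation phase described above: find the package manager, locate the xz binary, parse its version, and flag 5.6.0 or 5.6.1. The function names other than get_package_manager, and the exit-code convention (0 compliant, 1 vulnerable), are assumptions.

```bash
#!/bin/bash
# Evaluation-phase check for CVE-2024-3094 (added example; function names
# and exit-code convention are assumptions, not the Worklet's own script).

VULNERABLE_VERSIONS="5.6.0 5.6.1"   # the two backdoored xz releases

# Print the package manager name that remediation would use, or "unknown".
get_package_manager() {
    if command -v dnf >/dev/null 2>&1; then echo dnf
    elif command -v yum >/dev/null 2>&1; then echo yum
    elif command -v apt-get >/dev/null 2>&1; then echo apt
    elif command -v zypper >/dev/null 2>&1; then echo zypper
    else echo unknown
    fi
}

# Extract the version from `xz --version` output read on stdin,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Reading stdin lets the parser be
# exercised against captured output on a host without xz installed.
parse_xz_version() {
    head -n 1 | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if $1 is one of the backdoored versions, 1 otherwise.
is_vulnerable_version() {
    local v
    for v in $VULNERABLE_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Evaluate this endpoint: return 0 (compliant) or 1 (vulnerable).
evaluate() {
    local xz_bin version
    xz_bin=$(command -v xz 2>/dev/null) || { echo "xz not installed: compliant"; return 0; }
    version=$("$xz_bin" --version 2>/dev/null | parse_xz_version)
    if is_vulnerable_version "$version"; then
        echo "xz $version at $xz_bin is affected by CVE-2024-3094; remediate via $(get_package_manager)"
        return 1
    fi
    echo "xz ${version:-unknown} at $xz_bin is not a backdoored release: compliant"
    return 0
}

evaluate
```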

CVE-2024-3094 remediation requirements

  • Linux endpoints with xz or xz-utils installed

  • Supported package managers: dnf, yum, apt, zypper

  • Internet access or local repository with previous xz versions available

  • Root privileges for the Automox agent

  • Compatible with workstations and servers

Expected security state after xz downgrade

After remediation, the xz package version will be below 5.6.0. The SSH backdoor is no longer present on the endpoint.

Verification: Run xz --version on the endpoint. The output should show a version like 5.4.x or earlier, confirming the vulnerable versions 5.6.0 and 5.6.1 are no longer installed. Check SSH functionality by establishing a test connection to verify normal authentication works without backdoor interference. Monitor for official patches from your distribution vendor and apply them through normal patch management processes when available.

How to validate the Detect and Mitigate CVE-2024-3094 changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output for the CVE-2024-3094 check.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify the endpoint state using checks aligned with the evaluation script's logic, such as its get_package_manager step and the xz version check.

  4. Validate the remediation effects (the downgraded xz package and its rechecked version), then rerun the evaluation to confirm the endpoint reports as compliant.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
