BINARLY, a software security company, has released a free online scanner that identifies Linux files affected by the XZ Utils supply-chain compromise tracked as CVE-2024-3094.
CVE-2024-3094 is a supply-chain compromise of XZ Utils, a set of data-compression tools and libraries used widely across major Linux distributions.
The malicious code was discovered in the latest release of the XZ Utils package during an investigation into performance problems on Debian Sid. It had been added to XZ 5.6.0 by a developer using a pseudonymous identity, but most distributions were still shipping an unaffected version, so the backdoor was identified before it could spread widely.
In response to the discovery, the US agency CISA recommended that affected software vendors roll back to the stable 5.4.6 release of XZ Utils and notify potential victims of any malicious activity they detect.
BINARLY points out that conventional detection methods, such as string matching and file-hash blocklists, are prone to false positives. Its scanner instead applies static analysis to binaries and detects the backdoor by analyzing control-flow transitions involving the GNU Indirect Function (IFUNC) mechanism.
The malicious code tampers with IFUNC calls to intercept execution and insert the backdoor; because IFUNC resolvers run while a library is being loaded, hooking them gives the malicious code control at the earliest stage of execution.
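As an added illustration of the IFUNC inventory that this kind of binary analysis starts from (example code written for this article, not BINARLY's scanner, which goes further and examines the resolver transitions themselves), the following parser walks the symbol tables of a 64-bit ELF image and lists every symbol whose type is STT_GNU_IFUNC, i.e. every function whose resolver the loader will execute before any application code runs. The `build_sample_elf` helper and the symbol names it is fed are constructed test input, not a real liblzma build; comparing the list produced for an installed library against the list from a known-good build of the same version is the defensive use.

```python
import struct

# ELF constants (System V ABI plus the GNU extension): section types and
# the GNU IFUNC symbol type whose resolver runs at load time.
SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11
STT_GNU_IFUNC = 10

def ifunc_symbols(data: bytes) -> list:
    """Return the names of all STT_GNU_IFUNC symbols in a 64-bit ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("expected a 64-bit ELF image")
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    shoff = struct.unpack_from(e + "Q", data, 0x28)[0]
    shentsize, shnum = struct.unpack_from(e + "HH", data, 0x3A)
    # Keep (sh_type, sh_offset, sh_size, sh_link, sh_entsize) per section header.
    sections = [struct.unpack_from(e + "IIQQQQIIQQ", data, shoff + i * shentsize)
                for i in range(shnum)]
    sections = [(s[1], s[4], s[5], s[6], s[9]) for s in sections]
    names = []
    for typ, off, size, link, entsize in sections:
        if typ not in (SHT_SYMTAB, SHT_DYNSYM) or entsize == 0:
            continue
        str_off = sections[link][1]           # sh_link -> associated string table
        for j in range(size // entsize):
            st_name, st_info = struct.unpack_from(e + "IB", data, off + j * entsize)
            if st_info & 0xF == STT_GNU_IFUNC:  # low nibble of st_info is the type
                start = str_off + st_name
                names.append(data[start:data.index(b"\0", start)].decode())
    return names

def build_sample_elf(symbols) -> bytes:
    """Constructed test input: a minimal little-endian ELF64 holding only a
    .symtab and .strtab. symbols is a list of (name, STT_* type) pairs."""
    strtab, symtab = b"\0", b"\0" * 24        # index 0 is reserved in both tables
    for name, sym_type in symbols:
        symtab += struct.pack("<IBBHQQ", len(strtab), 0x10 | sym_type, 0, 0, 0, 0)
        strtab += name.encode() + b"\0"
    symtab_off = 64                           # tables follow the 64-byte ELF header
    strtab_off = symtab_off + len(symtab)
    shoff = strtab_off + len(strtab)
    shdr = lambda *f: struct.pack("<IIQQQQIIQQ", *f)
    shdrs = (shdr(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                                   # null
             + shdr(0, SHT_SYMTAB, 0, 0, symtab_off, len(symtab), 2, 0, 8, 24)    # link -> .strtab
             + shdr(0, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9   # ELFCLASS64, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return ehdr + symtab + strtab + shdrs
```

On a real system, `ifunc_symbols(open(path, "rb").read())` can be pointed at an installed shared object to enumerate its IFUNC resolvers; an unexpected entry, or a resolver whose code differs from the known-good build, is what warrants closer inspection.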
The BINARLY scanner also improves detection coverage by examining multiple points in the supply chain rather than XZ Utils alone, which yields more accurate results. The online scanner is available at xz.fail and lets users check binaries free of charge and without restrictions. In addition, BINARLY offers a free API for bulk scanning, to make detecting and protecting against supply-chain attacks simpler.