TPS-2024-001 SmartOS / Triton not affected by CVE-2024-3094

Overview

Recently a back door was discovered in the xz-utils software. It appears to have been introduced by a malicious party with ownership access to the upstream repository. The back door targets Linux systems on which OpenSSH's sshd is linked, via libsystemd, against the liblzma library from xz 5.6.0 or 5.6.1.

At the current time we have high confidence that the back door does not work on SmartOS. Linux binaries running in lx-brand zones may still be affected.

The back door injects a binary payload into liblzma that interferes with sshd logins. While a full analysis of the payload is still pending, it appears to be an x86-64 Linux specific binary. Additionally, the malicious build steps only run when the build host is Linux, so the payload is not present in any SmartOS or macOS build of xz-utils.

Affected versions of xz are only available through pkgsrc trunk. The SmartOS platform image ships xz-5.2.1, and all non-trunk zone images (e.g., base-64-lts) ship with a version of xz that predates the introduction of the malicious code. If you are using pkgsrc-tools for the SmartOS global zone, or pkgsrc for macOS, builds of xz-5.6.0 and xz-5.6.1 were available. Because these builds were neither produced on Linux nor compiled for Linux, the binaries do not contain the malicious code.

The issue was originally reported to the oss-security mailing list and has been assigned CVE-2024-3094.

Actions Taken by Us

While the malicious code is not present in any build of xz-utils for SmartOS or macOS, we are revoking the xz-5.6.0 and xz-5.6.1 packages and replacing them with xz-5.4.6. The replacement downgrade builds are in progress and will be available soon.

Actions You Need to Take

SmartOS and macOS users

For SmartOS global-zone (pkgsrc-tools-trunk), SmartOS trunk zone instance (minimal-64-trunk, base-64-trunk, pkgbuild-trunk), or macOS users, no action is necessary. However, for security compliance or simply for peace of mind, you may opt to downgrade the xz package.

While there is currently no evidence of any vulnerability on SmartOS or macOS, and we have high confidence that they are unaffected, we still recommend downgrading your xz package.

To check if a build is available, run the following command:

pkgin search xz

Once a build is available, run the following command to install it.

pkgin -y install xz-5.4.6
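The following script is an added example, not part of this advisory and not MNX's tooling. It encodes the triage logic described above: an affected version string (5.6.0 or 5.6.1, ignoring any pkgsrc "nbN" revision suffix) on a Linux host (including an lx-brand zone, whose uname reports Linux) means "follow your distribution vendor"; the same version on SmartOS or macOS means "downgrade"; anything else needs no action. It assumes pkgsrc's pkg_info(1) is on PATH for the live check, and uses ldd(1) to show whether the local sshd pulls in liblzma at all, which is the condition the payload depends on.

```shell
#!/bin/sh
# Added example: triage an installed xz package per the advisory's reasoning.
# Assumes pkgsrc pkg_info(1) and ldd(1) are available; the xz_verdict function
# is pure (no system calls) so it can be exercised with constructed inputs.

# xz_verdict VERSION OS
#   VERSION: pkgsrc version string, e.g. "5.6.1" or "5.6.1nb1"
#   OS:      output of `uname -s` (SunOS, Darwin, Linux, ...)
# Prints: vendor    - affected version on Linux, follow distro guidance
#         downgrade - affected version on a non-Linux build, downgrade anyway
#         safe      - version predates or postdates the malicious releases
xz_verdict() {
    ver=$1
    os=$2
    base=${ver%%nb*}            # strip pkgsrc revision suffix before comparing
    case "$base" in
        5.6.0|5.6.1)
            if [ "$os" = Linux ]; then
                echo vendor
            else
                echo downgrade
            fi
            ;;
        *)
            echo safe
            ;;
    esac
}

# sshd_links_liblzma PATH
# Returns 0 if the binary (or any of its dependencies) links liblzma.
sshd_links_liblzma() {
    [ -n "$1" ] && ldd "$1" 2>/dev/null | grep -q liblzma
}

# Live check on this host; degrades gracefully when pkg_info is absent.
xz_triage() {
    installed=$(pkg_info -E xz 2>/dev/null)   # e.g. "xz-5.4.6", empty if not installed
    if [ -z "$installed" ]; then
        echo "xz: not installed from pkgsrc"
        return 0
    fi
    ver=${installed#xz-}
    os=$(uname -s)
    verdict=$(xz_verdict "$ver" "$os")
    echo "xz: installed $ver on $os -> $verdict"
    case "$verdict" in
        downgrade) echo "run: pkgin -y install xz-5.4.6" ;;
        vendor)    echo "contact your Linux distribution vendor" ;;
    esac
    sshd=$(command -v sshd 2>/dev/null)
    if sshd_links_liblzma "$sshd"; then
        echo "note: $sshd links liblzma"
    else
        echo "note: sshd does not link liblzma (or sshd/ldd not found)"
    fi
}

xz_triage
```

The pure xz_verdict function is what you would wire into a fleet check; xz_triage only adds the local lookups around it.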

Linux Users (lx-brand, KVM, bhyve)

Contact your distribution vendor or see their security report for this issue and follow their recommendation.

Support

If you are a MNX customer and have any further questions or concerns after reading the information provided above, please contact MNX Support.

If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.

References