If you find this script useful and it has helped you safeguard your systems against CVE-2024-3094, please consider giving it a star ⭐ . Starring this repository not only shows your support but also helps more people discover and benefit from our collective effort to improve cybersecurity.
To star the repository, simply click the "Star" button at the top of this page. Your support is greatly appreciated!
Thank you for helping make the digital world a safer place!
CVE-2024-3094 is a critical security vulnerability discovered in the upstream tarballs of the xz utility, starting with version 5.6.0. This vulnerability involves malicious code that, through complex obfuscations, manipulates the build process of liblzma.
During the build, a prebuilt object file is extracted from a disguised test file within the source code. This file then modifies specific functions in the liblzma code, resulting in a compromised liblzma library. Any software linked against this modified library could have its data interactions intercepted and altered, posing significant security risks.
This is the most critical and the recommended mitigation strategy. Update your XZ Utils package to the patched version released by your Linux distribution provider. These updates address the vulnerability and eliminate the backdoor code.
This project contains a simple shell script designed to help users identify and fix installations of xz-utils affected by the CVE-2024-3094 vulnerability. Versions 5.6.0 and 5.6.1 of xz-utils are known to be vulnerable, and this script aids in detecting them and optionally downgrading to a stable, uncompromised version (5.4.6).
Manually running shell scripts on a large number of servers is time-consuming and prone to human error. This script was additionally created to leverage Ansible's automation capabilities for a more efficient, reliable, and scalable approach to identifying and mitigating the CVE-2024-3094 vulnerability.
Read more about the Ansible Playbook script here
CVE-2024-3094 is a critical security vulnerability found in specific versions of xz-utils, a widely used compression tool. This script automates the process of checking your system for the vulnerable versions and provides a prompt to download and install a secure version if necessary.
- Enhanced security by querying the installed `xz` version using the system's package manager, avoiding the execution of a potentially vulnerable binary.
- The script attempts to upgrade `xz` to the latest available version through the system's package manager before considering downgrading to a safe version. This keeps systems up-to-date with recent `xz` releases, resorting to the specified stable version only when an upgrade isn't possible.
- Added functionality to detect the operating system and determine the appropriate package manager. Now supports `apt-get` for Debian-based distributions (including Kali Linux), `dnf` or `yum` for Red Hat-based distributions (including CentOS, Fedora, and Rocky Linux), and `zypper` for openSUSE.
- Updated the URL to source the stable version of `xz` from SourceForge, providing a more direct and reliable source for the download.
- Maintained the compile and install approach but structured the script to integrate better with future enhancements that could leverage native package management for installation where possible.
- Added a prompt to reboot the system after successful installation of the stable `xz` version, ensuring that any changes are properly applied system-wide.
- Enhanced messaging throughout the script provides clear feedback to the user about each step's success or failure, including instructions for manual intervention if needed.
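The version check described in the list above, as an added example that is not the repository's script: it detects the package manager, reads the installed version from the package database rather than executing `xz`, and matches the upstream version against the backdoored releases 5.6.0 and 5.6.1. The package names (`xz-utils` on Debian-based systems, `xz` on RPM-based ones) and the sample version strings in the comments are assumptions, not values from the original page.

```shell
#!/bin/sh
# Added example, not the repository's script. Package names and the
# sample version strings in comments are assumptions.

# Print the first supported package manager found on this host, or "unknown".
detect_pkg_manager() {
    for pm in apt-get dnf yum zypper; do
        if command -v "$pm" >/dev/null 2>&1; then
            printf '%s\n' "$pm"
            return 0
        fi
    done
    printf 'unknown\n'
    return 1
}

# Reduce a distribution package version to the upstream xz version.
# Handles an epoch ("1:5.6.1-1"), a package revision ("5.6.1-2.fc40") and
# the Debian "+really" convention, where a constructed "5.6.1+really5.4.5-1"
# is upstream 5.4.5 shipped under a higher package version (a downgrade).
upstream_version() {
    v=$1
    v=${v#*:}                       # drop epoch
    case $v in
        *+really*) v=${v#*+really} ;;   # the real upstream follows "+really"
    esac
    v=${v%%-*}                      # drop package revision
    v=${v%%+*}                      # drop any remaining local suffix
    printf '%s\n' "$v"
}

# Return 0 when the package version corresponds to a backdoored release.
is_vulnerable_xz_version() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read the installed version from the package database; the xz binary is
# never executed, so a compromised build cannot influence the check.
installed_xz_version() {
    case $(detect_pkg_manager) in
        apt-get)        dpkg-query -W -f='${Version}' xz-utils 2>/dev/null ;;
        dnf|yum|zypper) rpm -q --qf '%{VERSION}-%{RELEASE}' xz 2>/dev/null ;;
        *)              return 1 ;;
    esac
}
```

Calling `is_vulnerable_xz_version "$(installed_xz_version)"` reproduces the detection step; the "+really" handling avoids flagging a distribution's repackaged downgrade as still vulnerable.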
Before running this script, ensure your system has the following:
- `wget` or `curl` for downloading the source code of xz-utils.
- Compilation tools (`gcc`, `make`) for building xz-utils from source.
- `sudo` privileges to install the newly compiled version of xz-utils.
- Download the Script: First, clone this repository or download the script directly using wget or curl.
- Make the Script Executable: Change the permission of the script file to make it executable.

```
chmod +x CVE-2024-3094.sh
```

- Run the Script: Execute the script. It will automatically detect your system's xz-utils version and guide you through the process of fixing the vulnerability.

```
./CVE-2024-3094.sh
```

Follow the on-screen prompts to complete the process.
If you prefer to manually address the vulnerability or if the script encounters any issues, follow the steps outlined in the script's comments to download, compile, and install a safe version of xz-utils.
I welcome contributions from everyone who is interested in helping to improve this project! Whether it's fixing bugs, adding new features, improving documentation, or spreading the word, your help is appreciated.
Here are some ways you can contribute:
- Reporting bugs: If you find a bug, please report it by opening a new issue on GitHub.
- Suggesting enhancements: Have an idea to make this project better? Share it with us by opening a new issue for discussion.
- Submitting changes: Want to submit a fix or a feature? Great! Fork the repository, make your changes, and submit a pull request.
- Fork the repository: Click the 'Fork' button at the top right of this page to create your copy of the repository.
- Clone your fork:
- Create your feature branch:
- Make your changes: Implement the changes or improvements you propose.
- Commit your changes:
- Push to the branch:
- Submit a pull request: Go to your fork on GitHub and click the 'Pull Request' button to send your changes for review.
Please follow these guidelines to make the contribution process smooth and efficient:
- License: Contributed code must be licensed under the same terms as the existing project.
Thank you for your interest in contributing to our project! Together, we can make a significant impact.
This script is provided "as is", without warranty of any kind. Use it at your own risk. Always backup your data before making system changes.