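#!/bin/bash
# script to detect CVE-2024-3094
# https://nvd.nist.gov/vuln/detail/CVE-2024-3094
# https://github.com/advisories/GHSA-rxwq-x6h5-x525
# based off script:
# https://www.openwall.com/lists/oss-security/2024/03/29/4
# modified (fixed and features added) by cyclone
# https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh
# released under GPLv2 license
# https://github.com/cyclone-github/scripts/tree/main?tab=GPL-2.0-1-ov-file
# tested on:
# debian 12 amd64 (.deb)
# ubuntu 22.04 amd64 (.deb)
# fedora 39 amd64 (.rpm)
# centos 9 amd64 (.rpm)
# arch 2024.04.01 amd64 (pacman) (arch is not targeted by exploit, but tested since script was causing false positives with patched xz v5.6.1-x)
# v1.0.0; 2024-03-29
# initial release
# v1.0.1; 2024-03-29
# https://github.com/cyclone-github/scripts/issues/1
# https://github.com/cyclone-github/scripts/issues/2
# https://github.com/cyclone-github/scripts/pull/3
# v1.0.2; 2024-03-30
# https://github.com/cyclone-github/scripts/issues/4
# v1.0.3; 2024-03-31
# added support for detecting distro type (dpkg, rpm, pacman)
# https://github.com/cyclone-github/scripts/issues/6
# https://github.com/cyclone-github/scripts/issues/7
# v1.0.4; 2024-04-02
# modified Arch pacman xz version check since (1) Arch is not targeted by exploit (2) Arch's xz versioning scheme
# https://github.com/cyclone-github/scripts/issues/9
#
# How it works (two independent checks, in order of evidential weight):
#   1. locate the liblzma shared object that sshd (or, failing that, xz) is
#      linked against and scan its bytes for the known backdoor function
#      signature;
#   2. ask the package manager for the installed xz version and compare it
#      against the known-affected 5.6.0 / 5.6.1 releases.
# The byte-signature scan is the stronger evidence: a package version match
# alone neither proves nor rules out that the payload is present on disk.
# Treat "VULNERABLE" from check 1 as actionable; treat check 2 as a hint.
#
# Exit status: 0 when the checks ran (whatever the verdict) or liblzma was
# not found; 1 when a prerequisite is missing (unsupported package manager,
# xz version unknown) or on Arch, where the version must be checked by hand.

set -eu

# Hex encoding of the injected function's prologue bytes, searched for in the
# liblzma image. Copied verbatim from the openwall post referenced above;
# changing a single character silently breaks detection.
readonly backdoor_signature='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

#######################################
# Print the path of the liblzma shared object a binary is linked against.
# Arguments: $1 - binary name (sshd, xz) to look up
# Outputs:   library path on stdout; empty when the binary or liblzma is
#            not found
# Returns:   0 always; the caller tests for an empty result
#######################################
liblzma_for_binary() {
  local bin_name=$1
  local bin_path=''
  # whereis is tried first because it searches sbin directories that are not
  # on an unprivileged user's PATH; command -v is the fallback when whereis is
  # not installed.
  if command -v whereis >/dev/null 2>&1; then
    bin_path=$(whereis -b "$bin_name" | awk '{print $2}')
  fi
  if [ -z "$bin_path" ]; then
    bin_path=$(command -v "$bin_name" 2>/dev/null || true)
  fi
  [ -n "$bin_path" ] || return 0
  # NOTE: ldd invokes the dynamic loader on its argument, so it is only ever
  # pointed at the system sshd/xz binaries resolved above, never at a path
  # taken from user input.
  ldd "$bin_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1
}

#######################################
# Scan the liblzma image for the backdoor function signature.
# Globals:   backdoor_signature (read)
# Arguments: $1 - path to the liblzma shared object
# Outputs:   one verdict line on stdout: VULNERABLE, OK, or SKIPPED
# Returns:   0 always
#######################################
check_signature() {
  local lib_path=$1
  echo
  echo "Checking for function signature in liblzma..."
  # Without these guards a missing hexdump or an unreadable file makes grep -q
  # find nothing and the script reports "OK" - a silent false negative.
  if ! command -v hexdump >/dev/null 2>&1; then
    echo "Function signature in liblzma: SKIPPED (hexdump not installed)"
    return 0
  fi
  if [ ! -r "$lib_path" ]; then
    echo "Function signature in liblzma: SKIPPED (cannot read $lib_path)"
    return 0
  fi
  # Whole file as one continuous hex string, then a plain substring match.
  if hexdump -ve '1/1 "%.2x"' "$lib_path" | grep -q "$backdoor_signature"; then
    echo "Function signature in liblzma: VULNERABLE"
  else
    echo "Function signature in liblzma: OK"
  fi
  return 0
}

#######################################
# Detect which supported package manager is installed.
# Outputs:   one of dpkg, rpm, pacman on stdout (first match wins, in that order)
# Returns:   0 if one was found, 1 otherwise
#######################################
detect_pkg_manager() {
  local pm
  for pm in dpkg rpm pacman; do
    if command -v "$pm" >/dev/null 2>&1; then
      echo "$pm"
      return 0
    fi
  done
  return 1
}

#######################################
# Query the installed xz version through the given package manager.
# Arguments: $1 - package manager name (dpkg|rpm|pacman)
# Outputs:   version string on stdout; empty if the package is not installed
# Returns:   0 normally, 1 for an unknown package manager
#######################################
installed_xz_version() {
  local pm=$1
  local ver=''
  case "$pm" in
    dpkg)
      # Debian/Ubuntu name the package xz-utils; fall back to a package named xz.
      # stderr is silenced so "package not installed" noise does not appear
      # while falling through to the second lookup.
      ver=$(dpkg -s xz-utils 2>/dev/null | grep '^Version:' | awk '{print $2}')
      if [ -z "$ver" ]; then
        ver=$(dpkg -s xz 2>/dev/null | grep '^Version:' | awk '{print $2}')
      fi
      ;;
    rpm)
      # rpm -q exits non-zero and prints a "not installed" message when the
      # package is absent; under set -e a bare assignment would abort the
      # script with no diagnostic, so the failure is turned into an empty result.
      ver=$(rpm -q xz --qf "%{VERSION}-%{RELEASE}\n" 2>/dev/null) || ver=''
      ;;
    pacman)
      ver=$(pacman -Qi xz 2>/dev/null | grep '^Version' | awk '{print $3}')
      ;;
    *)
      return 1
      ;;
  esac
  printf '%s\n' "$ver"
}

#######################################
# Classify an xz package version string against the CVE-2024-3094 range.
# Upstream 5.6.0 and 5.6.1 are the affected releases. Distribution rebuilds
# carrying the -2 / -3 release suffix, and the "+really" downgrade naming
# convention, are treated as patched, matching the original v1.0.4 logic.
# Arguments: $1 - version string as reported by the package manager
# Outputs:   POSSIBLY VULNERABLE, PROBABLY OK (patched), or PROBABLY OK
# Returns:   0 always
#######################################
classify_xz_version() {
  local ver=$1
  case "$ver" in
    5.6.1+really* | 5.6.1-2* | 5.6.1-3*)
      echo "PROBABLY OK (patched)"
      ;;
    5.6.0* | 5.6.1*)
      echo "POSSIBLY VULNERABLE"
      ;;
    *)
      echo "PROBABLY OK"
      ;;
  esac
}

#######################################
# Entry point: run the signature scan, then the package-version check.
# Outputs:   progress and verdict lines on stdout
# Returns:   see the exit-status note in the file header
#######################################
main() {
  local path pkg_manager xz_version
  echo "Checking system for CVE-2024-3094 Vulnerability..."
  echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"

  # find path to liblzma used by sshd, or failing that by xz
  # https://github.com/cyclone-github/scripts/issues/4
  path=$(liblzma_for_binary sshd)
  if [ -z "$path" ]; then
    path=$(liblzma_for_binary xz)
  fi
  if [ -z "$path" ]; then
    echo
    echo "Probably not vulnerable (liblzma not found)"
    exit
  fi

  check_signature "$path"

  # check for supported distro (dpkg, rpm, pacman)
  if ! pkg_manager=$(detect_pkg_manager); then
    echo "Unsupported package manager. This script requires dpkg, rpm, or pacman."
    exit 1
  fi

  # The version check is supplementary to the signature scan above but is
  # kept for extra verboseness.
  echo
  echo "Checking xz version using $pkg_manager package manager..."
  xz_version=$(installed_xz_version "$pkg_manager") || xz_version=''

  if [ "$pkg_manager" = "pacman" ]; then
    # Arch's xz versioning differs from deb/rpm, so no automatic verdict.
    echo "Note: Arch Linux detected"
    echo "(1) CVE-2024-3094 does not target Arch Linux sshd service"
    echo "(2) Manually check your installed xz version and make sure it is not vulnerable"
    echo "(3) Detected xz version: $xz_version"
    echo "(4) Check for most recent xz release: https://archlinux.org/packages/core/x86_64/xz/"
    exit 1
  fi

  if [ -z "$xz_version" ]; then
    echo "Could not determine xz version."
    exit 1
  fi

  echo "xz version $xz_version: $(classify_xz_version "$xz_version")"
}

main "$@"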