#!/bin/bash
# script to detect CVE-2024-3094
# https://nvd.nist.gov/vuln/detail/CVE-2024-3094
# https://github.com/advisories/GHSA-rxwq-x6h5-x525
# based off script:
# https://www.openwall.com/lists/oss-security/2024/03/29/4
# modified (fixed and features added) by cyclone
# https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh
# released under GPLv2 license
# https://github.com/cyclone-github/scripts/tree/main?tab=GPL-2.0-1-ov-file
# tested on:
# debian 12 amd64 (.deb)
# ubuntu 22.04 amd64 (.deb)
# fedora 39 amd64 (.rpm)
# centos 9 amd64 (.rpm)
# arch 2024.04.01 amd64 (pacman) (arch is not targeted by exploit, but tested since script was causing false positives with patched xz v5.6.1-x)
# v1.0.0; 2024-03-29
# initial release
# v1.0.1; 2024-03-29
# https://github.com/cyclone-github/scripts/issues/1
# https://github.com/cyclone-github/scripts/issues/2
# https://github.com/cyclone-github/scripts/pull/3
# v1.0.2; 2024-03-30
# https://github.com/cyclone-github/scripts/issues/4
# v1.0.3; 2024-03-31
# added support for detecting distro type (dpkg, rpm, pacman)
# https://github.com/cyclone-github/scripts/issues/6
# https://github.com/cyclone-github/scripts/issues/7
# v1.0.4; 2024-04-02
# modified Arch pacman xz version check since (1) Arch is not targeted by exploit (2) Arch's xz versioning scheme
# https://github.com/cyclone-github/scripts/issues/9
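# Abort on unhandled command failures and on use of unset variables.
set -eu

echo "Checking system for CVE-2024-3094 Vulnerability..."
echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"

# ldd resolves which liblzma a binary loads. Without it both lookups below
# come back empty, which would be misreported as "liblzma not found", so stop
# with an explicit error instead of a reassuring verdict.
if ! command -v ldd >/dev/null 2>&1; then
  echo
  echo "Cannot check: ldd not found, unable to locate liblzma"
  exit 1
fi

#######################################
# Print the path of the liblzma shared object that a binary links against.
# Arguments: $1 - binary name to look up with whereis (e.g. sshd)
# Outputs:   first liblzma path reported by ldd, or nothing when the binary
#            is not found or does not link liblzma
# Returns:   0 in both cases; callers test the output for emptiness
#######################################
liblzma_for() {
  local bin
  bin=$(whereis -b "$1" | awk '{print $2}')
  # whereis prints only "name:" when nothing is found; skip ldd in that case
  # rather than calling it with an empty path.
  [ -n "$bin" ] || return 0
  # NOTE(review): ldd(1) warns that some versions obtain dependency data by
  # running the target through its ELF interpreter. It is used here only on
  # the sshd/xz binaries that whereis locates.
  ldd "$bin" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1
}

# find path to liblzma used by sshd
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
path=$(liblzma_for sshd)

# or find path to liblzma used by xz
# https://github.com/cyclone-github/scripts/issues/4
if [ -z "$path" ]; then
  path=$(liblzma_for xz)
fi

# Neither binary links liblzma (or neither was found): nothing to inspect.
if [ -z "$path" ]; then
  echo
  echo "Probably not vulnerable (liblzma not found)"
  exit
fi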
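# check for function signature
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
echo
echo "Checking for function signature in liblzma..."

# Hex byte pattern searched for in the library (from the post linked above).
sig_hex='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

# The verdict comes from grep's exit status alone, so a missing dump tool or
# an unreadable file would otherwise fall through to "OK" (a false negative).
# Preconditions are checked explicitly instead of using pipefail, because
# grep -q closes the pipe on the first match and the dumper may then die with
# SIGPIPE, which pipefail would turn into a failed (non-matching) pipeline.
if [ ! -r "$path" ]; then
  sig_status="UNKNOWN (cannot read $path)"
elif command -v hexdump >/dev/null 2>&1; then
  if hexdump -ve '1/1 "%.2x"' "$path" | grep -qF "$sig_hex"; then
    sig_status="VULNERABLE"
  else
    sig_status="OK"
  fi
elif command -v od >/dev/null 2>&1; then
  # POSIX fallback: od prints space-separated hex bytes, tr joins them into
  # the same continuous lowercase stream that hexdump produces above.
  if od -An -v -tx1 "$path" | tr -d ' \n' | grep -qF "$sig_hex"; then
    sig_status="VULNERABLE"
  else
    sig_status="OK"
  fi
else
  sig_status="UNKNOWN (neither hexdump nor od is installed)"
fi

# "OK" only means this one byte sequence was not found in the file.
echo "Function signature in liblzma: $sig_status"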
# check for supported distro (dpkg, rpm, pacman)
# The first tool found wins, in the order dpkg, rpm, pacman; a host that has
# more than one of them installed is therefore queried through the earliest.
pkg_manager=""
for candidate in dpkg rpm pacman; do
  if command -v "$candidate" >/dev/null; then
    pkg_manager="$candidate"
    break
  fi
done

# None of the supported package managers is on PATH: give up.
if [ -z "$pkg_manager" ]; then
  echo "Unsupported package manager. This script requires dpkg, rpm, or pacman."
  exit 1
fi
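# check xz version using package manager
# xz version checks below are not necessarily needed in addition to checks above, but are added for extra verboseness
# NOTE(review): this queries the xz tools package. The shared library that
# sshd loads is packaged separately on some distros (liblzma5 on
# Debian/Ubuntu, xz-libs on Fedora/RHEL). The two are normally the same
# version, but a partial upgrade could leave them apart. The signature check
# earlier in this script inspects the library file itself.
echo
echo "Checking xz version using $pkg_manager package manager..."
case "$pkg_manager" in
  dpkg)
    # The pipeline's status is awk's, so a missing package simply yields an
    # empty string and the alternate package name is tried.
    xz_version=$(dpkg -s xz-utils | awk '/^Version:/ {print $2}')
    if [ -z "$xz_version" ]; then
      xz_version=$(dpkg -s xz | awk '/^Version:/ {print $2}')
    fi
    ;;
  rpm)
    # When the package is absent, rpm -q exits non-zero and writes
    # "package xz is not installed" to stdout. Under set -e a bare assignment
    # would abort the script with no message, so test the status and clear
    # the value to reach the "Could not determine" report below.
    if ! xz_version=$(rpm -q xz --qf "%{VERSION}-%{RELEASE}\n"); then
      xz_version=""
    fi
    ;;
  pacman)
    xz_version=$(pacman -Qi xz | awk '/^Version/ {print $3}')
    # Arch gets an informational report instead of an automatic verdict; the
    # script stops here with status 1.
    echo "Note: Arch Linux detected"
    echo "(1) CVE-2024-3094 does not target Arch Linux sshd service"
    echo "(2) Manually check your installed xz version and make sure it is not vulnerable"
    echo "(3) Detected xz version: $xz_version"
    echo "(4) Check for most recent xz release: https://archlinux.org/packages/core/x86_64/xz/"
    exit 1
    ;;
  *)
    # Defensive default; the detection step only sets the three values above.
    echo "Error: Unsupported package manager."
    exit 1
    ;;
esac

# No version string means the package query failed or the package is absent.
if [ -z "$xz_version" ]; then
  echo "Could not determine xz version."
  exit 1
fi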
# check xz version for vulnerability
# Pure prefix match on the package version string; the first matching arm
# decides, so the patched prefixes are listed before the generic 5.6.0/5.6.1.
# NOTE(review): the 5.6.1-2 / 5.6.1-3 exemptions look like Arch package
# revisions (see the changelog at the top of this file), yet the pacman
# branch exits before this check is reached. Confirm they are also correct
# for dpkg/rpm version strings.
case "$xz_version" in
  "5.6.1+really"* | "5.6.1-2"* | "5.6.1-3"*)
    verdict="PROBABLY OK (patched)"
    ;;
  "5.6.0"* | "5.6.1"*)
    verdict="POSSIBLY VULNERABLE"
    ;;
  *)
    verdict="PROBABLY OK"
    ;;
esac
echo "xz version $xz_version: $verdict"