.wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92, .wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92[data-kb-block=”kb-adv-heading8633_4b3a4d-92″]{padding-bottom:var(–global-kb-spacing-xs, 1rem);font-style:normal;border-bottom:1px solid var(–global-palette6, #718096);}.wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92 mark, .wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92[data-kb-block=”kb-adv-heading8633_4b3a4d-92″] mark{font-style:normal;color:#f76a0c;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}@media all and (max-width: 1024px){.wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92, .wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92[data-kb-block=”kb-adv-heading8633_4b3a4d-92″]{border-bottom:1px solid var(–global-palette6, #718096);}}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92, .wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92[data-kb-block=”kb-adv-heading8633_4b3a4d-92″]{border-bottom:1px solid var(–global-palette6, #718096);}}

影响范围

xz 和 liblzma 5.6.0~5.6.1 版本，可能包括的发行版 / 包管理系统有：

• Fedora 41 / Fedora Rawhide
• Debian Sid
• Alpine Edge
• x64 架构的 homebrew
• 滚动更新的发行版，包括 Arch Linux / OpenSUSE Tumbleweed

如果您的系统使用 systemd 启动 OpenSSH 服务器，您的 SSH 认证过程可能被攻击。

非 x64 (amd64) 架构的系统不受影响。

您可以在命令行输入

xz --version

来检查 xz 版本，如果输出为 5.6.0 或 5.6.1 ，说明您的系统已被植入后门

.wp-block-kadence-advancedheading.kt-adv-heading8633_fdb7ca-d4, .wp-block-kadence-advancedheading.kt-adv-heading8633_fdb7ca-d4[data-kb-block=”kb-adv-heading8633_fdb7ca-d4″]{padding-bottom:var(–global-kb-spacing-xs, 1rem);font-style:normal;border-bottom:1px solid var(–global-palette6, #718096);}.wp-block-kadence-advancedheading.kt-adv-heading8633_fdb7ca-d4 mark, .wp-block-kadence-advancedheading.kt-adv-heading8633_fdb7ca-d4[data-kb-block=”kb-adv-heading8633_fdb7ca-d4″] mark{font-style:normal;color:#f76a0c;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}@media all and (max-width: 1024px){.wp-block-kadence-advancedheading.kt-adv-heading8633_fdb7ca-d4, .wp-block-kadence-advancedheading.kt-adv-heading8633_fdb7ca-d4[data-kb-block=”kb-adv-heading8633_fdb7ca-d4″]{border-bottom:1px solid var(–global-palette6, #718096);}}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading8633_fdb7ca-d4, .wp-block-kadence-advancedheading.kt-adv-heading8633_fdb7ca-d4[data-kb-block=”kb-adv-heading8633_fdb7ca-d4″]{border-bottom:1px solid var(–global-palette6, #718096);}}

缓解措施

降级到 5.4.6 版本，或者更新到 5.6.4 版本。

.wp-block-kadence-advancedheading.kt-adv-heading8633_d8df12-59, .wp-block-kadence-advancedheading.kt-adv-heading8633_d8df12-59[data-kb-block=”kb-adv-heading8633_d8df12-59″]{padding-bottom:var(–global-kb-spacing-xs, 1rem);font-style:normal;border-bottom:1px solid var(–global-palette6, #718096);}.wp-block-kadence-advancedheading.kt-adv-heading8633_d8df12-59 mark, .wp-block-kadence-advancedheading.kt-adv-heading8633_d8df12-59[data-kb-block=”kb-adv-heading8633_d8df12-59″] mark{font-style:normal;color:#f76a0c;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}@media all and (max-width: 1024px){.wp-block-kadence-advancedheading.kt-adv-heading8633_d8df12-59, .wp-block-kadence-advancedheading.kt-adv-heading8633_d8df12-59[data-kb-block=”kb-adv-heading8633_d8df12-59″]{border-bottom:1px solid var(–global-palette6, #718096);}}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading8633_d8df12-59, .wp-block-kadence-advancedheading.kt-adv-heading8633_d8df12-59[data-kb-block=”kb-adv-heading8633_d8df12-59″]{border-bottom:1px solid var(–global-palette6, #718096);}}

技术细节

攻击者污染了上游 Git 仓库的 build-to-host.m4 构建脚本和测试用例，在编译期间向 liblzma 注入攻击代码。

部分发行版的 OpenSSH Server 链接到 libsystemd ，而 libsystemd 依赖 liblzma 。因此您的 sshd 会执行被植入后门的代码。

该后门首先在 sshd 启动时替换 crc32_resolve() 和 crc64_resolve，然后试图从内存中解析符号表，并查找 RSA_public_decrypt@....plt 符号，并将其指向的地址替换为后门代码。

在 SSH 登录认证时，sshd 会调用该符号，并在服务器上执行攻击代码。但是其具体行为尚未被观测。

.wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92, .wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92[data-kb-block=”kb-adv-heading8633_4b3a4d-92″]{padding-bottom:var(–global-kb-spacing-xs, 1rem);font-style:normal;border-bottom:1px solid var(–global-palette6, #718096);}.wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92 mark, .wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92[data-kb-block=”kb-adv-heading8633_4b3a4d-92″] mark{font-style:normal;color:#f76a0c;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}@media all and (max-width: 1024px){.wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92, .wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92[data-kb-block=”kb-adv-heading8633_4b3a4d-92″]{border-bottom:1px solid var(–global-palette6, #718096);}}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92, .wp-block-kadence-advancedheading.kt-adv-heading8633_4b3a4d-92[data-kb-block=”kb-adv-heading8633_4b3a4d-92″]{border-bottom:1px solid var(–global-palette6, #718096);}}

相关链接

• liblzma and xz version 5.6.0 and 5.6.1 are vulnerable to arbitrary code execution compromise
• 此漏洞的 CVE 编号：CVE-2024-3094
• RedHat 发布的安全通告
• OpenWall 上的技术细节