On March 29th, 2024, security researcher Andres Freund discovered a backdoor in XZ Utils versions 5.6.0 and 5.6.1. Under certain conditions, this backdoor may allow remote access to the targeted system. The disclosure was posted to the Openwall mailing list. The researcher notes that this supply-chain attack was discovered while investigating SSH performance issues. The vulnerability is being tracked as CVE-2024-3094 and has been given a CVSS score of 10.
XZ Utils is a set of free software command-line lossless data compressors, including the programs lzma and XZ, for Unix-like operating systems. It is an upstream package for almost all distributions and can be downloaded and compiled independently.
The vulnerability exists in the source tarballs of the affected XZ versions. The vulnerable versions contain malicious code that can modify functions during the liblzma (data compression library) build process.
When the liblzma library is affected by malicious code, data from other applications that use the library may also be modified or intercepted. This code may allow unauthorized access to impacted systems.
This malicious code has not been detected in the Git distribution, which lacks the M4 macro. Based on the security researcher's comments on the mailing list, this M4 macro is responsible for the backdoor build process. When the macro is present, second-stage artifacts that are found in the Git repository are injected during binary compilation.
Red Hat mentions that "the resulting malicious build interferes with authentication in sshd via systemd. Under the right circumstances, this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely."
The vulnerability affects XZ Utils versions 5.6.0 and 5.6.1. Systems running these versions on testing, unstable, or other bleeding-edge distributions should be considered compromised.
This is a developing list of operating systems and distributions that have reported whether they are affected by this vulnerability:
Operating System | Affected Versions | Comments |
---|---|---|
Red Hat | Not affected | No versions of Red Hat Enterprise Linux (RHEL) are affected. |
Fedora | Fedora 41 and Fedora Rawhide | Fedora Linux 40 is updated to xz-5.4.6-3.fc40. Fedora Rawhide is reverted to xz-5.4.6-3.fc41. |
Debian | Not affected | The Debian testing, unstable, and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1, are affected. The package has been reverted to the upstream 5.4.5 code, which Debian has versioned 5.6.1+really5.4.5-1. |
Kali Linux | - | The vulnerability affected Kali between March 26th and March 29th, during which time xz-utils 5.6.0-0.2 was available. |
OpenSUSE | Tumbleweed snapshot (20240328 or later) | Tumbleweed snapshot 5.6.1.revertto5.4 is released to address the vulnerability. |
Arch Linux | Installation medium 2024.03.01; virtual machine images 20240301.218094 and 20240315.221711; container images created between and including 2024-02-24 and 2024-03-28 | Update to the latest version, 5.6.1-2. |
Amazon Linux | Not affected | |
Alpine | No stable branches are affected | Alpine edge-main version 5.6.1-r2 is affected. |
Ubuntu | Not affected | |
Gentoo | Not affected | |
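The table above shows that the affected upstream releases are exactly 5.6.0 and 5.6.1, but distribution package versions carry suffixes (Alpine's `-r2`, Debian's `5.6.1+really5.4.5-1` revert, which ships 5.4.5 code), so a naive string match on the package version is not enough. The following POSIX shell script is an added triage helper, not part of the original post or of any Qualys detection; it normalises a version string against the affected list, parses the upstream version from `xz --version` output, and checks whether the local `sshd` binary links `liblzma`, which is the path Red Hat's note about sshd and systemd refers to. The sample `xz --version` line embedded in the script is constructed to match the real output format.

```shell
#!/bin/sh
# Added example (not from the original post): local triage for CVE-2024-3094.

# Return 0 if a package or upstream version string corresponds to one of the
# backdoored releases (5.6.0, 5.6.1), 1 otherwise. Distro suffixes such as
# "-1" or "-r2" are dropped; Debian's "<old>+really<new>" convention means the
# real code version is the part after "+really", so that is what we compare.
xz_version_affected() {
    v=$1
    case "$v" in
        *+really*) v=${v#*+really} ;;
    esac
    v=$(printf '%s' "$v" | sed 's/[-+].*$//')
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print the upstream version number.
# The first line of that output looks like "xz (XZ Utils) 5.4.6".
parse_xz_version() {
    head -n 1 | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 if the installed sshd links liblzma (directly or via libsystemd),
# 1 if it does not or no sshd binary can be found. A linked liblzma alone is
# not proof of compromise; it is the condition under which the backdoored
# library would be loaded into sshd.
sshd_links_liblzma() {
    for cand in "$(command -v sshd 2>/dev/null)" /usr/sbin/sshd; do
        [ -n "$cand" ] && [ -x "$cand" ] || continue
        if ldd "$cand" 2>/dev/null | grep -q liblzma; then
            return 0
        fi
        return 1
    done
    return 1
}

# Constructed sample output, used so the parser can be exercised offline.
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

main() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null | parse_xz_version)
    else
        ver=$(printf '%s\n' "$SAMPLE_XZ_VERSION_OUTPUT" | parse_xz_version)
        echo "xz not installed; using constructed sample output"
    fi
    echo "xz upstream version: ${ver:-unknown}"
    if xz_version_affected "${ver:-0}"; then
        echo "RESULT: affected XZ Utils release (5.6.0/5.6.1) present"
    else
        echo "RESULT: xz version not in the affected list"
    fi
    if sshd_links_liblzma; then
        echo "sshd links liblzma: yes"
    else
        echo "sshd links liblzma: no (or sshd not found)"
    fi
    return 0
}

# Run the checks only when invoked with --run, so the functions can also be
# sourced into another script.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh xz_check.sh --run` on the host being triaged. A "not affected" version result does not clear a host that was upgraded after being exposed; the package manager's history should still be reviewed for an installed 5.6.0 or 5.6.1 during the window the distribution lists above.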
The Qualys Research team is building detections to enable customers to identify the risk posed by this vulnerability in their environment. Following are the details of these QIDs:
QID | Title | Release Version |
---|---|---|
379548 | Backdoored Versions of XZ Utils Detected (CVE-2024-3094) | VULNSIGS-2.6.15-6 |
710884 | Gentoo Linux XZ utils Backdoor in release tarballs Vulnerability (GLSA 202403-04) | VULNSIGS-2.6.18-2 |
379582 | XZ Utils SSH Backdoor Versions Detected for MacOS | VULNSIGS-2.6.22-2 |
SOC and Incident Responders can take the following actions to help mitigate the risk imposed by CVE-2024-3094:
<https://security.gentoo.org/glsa/202403-04>
<https://ubuntu.com/security/CVE-2024-3094>
<https://kali.org/blog/about-the-xz-backdoor/>
<https://security.alpinelinux.org/vuln/CVE-2024-3094>
<https://news.opensuse.org/2024/03/29/xz-backdoor/>
<https://archlinux.org/news/the-xz-package-has-been-backdoored/>
<https://aws.amazon.com/security/security-bulletins/AWS-2024-002/>
<https://lists.debian.org/debian-security-announce/2024/msg00057.html>
<https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users>