XZ Utils SSHd Backdoor

Diksha Ojha, blog.qualys.com
Mar 30, 2024
Tags: xz utils backdoor, remote access, sshd, supply-chain attack, cve-2024-3094, openwall, security vulnerability, data compression, malicious code, authentication interference, red hat, fedora, debian, kali linux, opensuse, arch linux


On March 29th, 2024, security researcher Andres Freund discovered a backdoor in XZ Utils versions 5.6.0 and 5.6.1. Under certain conditions, this backdoor may allow remote access to the targeted system. The disclosure was posted to the Openwall mailing list. The researcher mentions that this supply-chain attack was discovered while investigating SSH performance issues. The vulnerability is being tracked as CVE-2024-3094 and has been given a CVSS score of 10.

XZ Utils and Libs

XZ Utils is a set of free software command-line lossless data compressors, including the programs lzma and xz, for Unix-like operating systems. It is an upstream package for almost all distributions and can also be downloaded and compiled independently.

Technical Details of CVE-2024-3094

The vulnerability exists in the source tarballs of the affected XZ Utils versions. The vulnerable tarballs contain malicious code that modifies functions during the build process of liblzma (the data compression library).

When liblzma is built from this malicious code, data from other applications that use the library may be modified or intercepted. This code may allow unauthorized access to impacted systems.

The malicious code has not been detected in the Git distribution, which lacks the M4 macro. Based on the security researcher's comments on the mailing list, this M4 macro is responsible for the backdoor build process: when the macro is present, second-stage artifacts that do exist in the Git repository are injected during binary compilation.

Impact of this Malicious Code

Red Hat mentions that “the resulting malicious build interferes with authentication in sshd via systemd. Under the right circumstances, this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”

Affected Versions

The vulnerability affects XZ Utils versions 5.6.0 and 5.6.1. Systems running these versions on testing, unstable, or other bleeding-edge distributions should be considered compromised.

Affected Distributions

This is a developing list of operating systems and distributions that have reported whether they are affected by this vulnerability:

| Operating System | Affected Versions | Comments |
| --- | --- | --- |
| Red Hat | Not affected | No versions of Red Hat Enterprise Linux (RHEL) are affected. |
| Fedora | Fedora 41 and Fedora Rawhide | Fedora Linux 40 is updated to xz-5.4.6-3.fc40. Fedora Rawhide is reverted to xz-5.4.6-3.fc41. |
| Debian | Not affected | The Debian testing, unstable, and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1, are affected. The package has been reverted to the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1. |
| Kali Linux | - | The vulnerability affected Kali between March 26th and March 29th, during which time xz-utils 5.6.0-0.2 was available. |
| OpenSUSE | Tumbleweed snapshot (20240328 or later) | Tumbleweed snapshot 5.6.1.revertto5.4 is released to address the vulnerability. |
| Arch Linux | Installation medium 2024.03.01; virtual machine images 20240301.218094 and 20240315.221711; container images created between and including 2024-02-24 and 2024-03-28 | Update to the latest version, 5.6.1-2. |
| Amazon Linux | Not affected | |
| Alpine | No stable branches are affected | Alpine edge-main version 5.6.1-r2 is affected. |
| Ubuntu | Not affected | |
| Gentoo | Not affected | |

Qualys QID Coverage

The Qualys Research team is building detections to enable customers to identify the risk posed by this vulnerability in their environment. Following are the details of these QIDs:

| QID | Title | Release Version |
| --- | --- | --- |
| 379548 | Backdoored Versions of XZ Utils Detected (CVE-2024-3094) | VULNSIGS-2.6.15-6 |
| 710884 | Gentoo Linux XZ utils Backdoor in release tarballs Vulnerability (GLSA 202403-04) | VULNSIGS-2.6.18-2 |
| 379582 | XZ Utils SSH Backdoor Versions Detected for MacOS | VULNSIGS-2.6.22-2 |

Additional Information for SOC teams

SOC and incident responders can take the following actions to help mitigate the risk posed by CVE-2024-3094:

  1. Follow CISA advice to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0).
  2. Follow the guidance provided in the table above for each Linux distribution.
  3. Invoke incident response processes to hunt for suspicious activity on systems where affected versions have been installed.
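The triage steps above reduce to two questions per host: is the installed XZ Utils one of the two backdoored releases, and is liblzma loaded into sshd at all (the exposure path Red Hat describes). The following POSIX sh helper, an added example that is not part of the Qualys post or of any distribution's tooling, answers both. It assumes `xz --version` prints its first line in the form `xz (XZ Utils) 5.6.1` and that `ldd` is available; the version strings in the comments are taken from the table above.

```shell
#!/bin/sh
# Added example (not from the Qualys post): triage helper for CVE-2024-3094.
# Flags the two backdoored upstream releases (5.6.0 and 5.6.1) and reports
# whether sshd on this host links liblzma.

# Return 0 (true) if the version string is a backdoored release.
# Distribution suffixes such as "5.6.0-0.2" (Kali) or "5.6.1-r2" (Alpine edge)
# are still affected; Debian's revert "5.6.1+really5.4.5-1" is 5.4.5 code and
# must NOT match, which the patterns below get right (no "+" alternative).
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output read on stdin,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Reading stdin keeps it testable offline.
parse_xz_version() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Live-host check: installed xz version plus whether sshd links liblzma.
# Exit 0 = not a backdoored release, 1 = backdoored release, 2 = xz not found.
check_host() {
    ver=$(xz --version 2>/dev/null | parse_xz_version)
    if [ -z "$ver" ]; then
        echo "xz not found on PATH"
        return 2
    fi
    if is_affected_xz_version "$ver"; then
        echo "AFFECTED: xz $ver is a backdoored release; downgrade to a version earlier than 5.6.0"
        rc=1
    else
        echo "ok: xz $ver is not one of the backdoored releases"
        rc=0
    fi
    # The backdoor is only reachable when liblzma is loaded into sshd, which
    # happens on distributions that patch sshd for systemd notification.
    sshd_path=$(command -v sshd || ls /usr/sbin/sshd 2>/dev/null)
    if [ -n "$sshd_path" ] && ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
        echo "note: sshd at $sshd_path links liblzma (the exposure path used by the backdoor)"
    fi
    return "$rc"
}
```

Run `check_host` on each host in scope; a non-zero exit marks it for the downgrade in step 1 and the hunt in step 3. A version match is a necessary but not sufficient signal, since distributions that patched 5.6.x with the upstream 5.4.x sources (see the Debian and OpenSUSE rows) ship strings this check deliberately does not flag.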

Additional Resources

<https://security.gentoo.org/glsa/202403-04>

<https://ubuntu.com/security/CVE-2024-3094>

<https://kali.org/blog/about-the-xz-backdoor/>

<https://security.alpinelinux.org/vuln/CVE-2024-3094>

<https://news.opensuse.org/2024/03/29/xz-backdoor/>

<https://archlinux.org/news/the-xz-package-has-been-backdoored/>

<https://aws.amazon.com/security/security-bulletins/AWS-2024-002/>

<https://lists.debian.org/debian-security-announce/2024/msg00057.html>

<https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users>