XZ Utils SSHd Backdoor

Diksha Ojha

Last updated on: April 11, 2024

On March 29th, 2024, security researcher Andres Freund discovered a backdoor in XZ Utils versions 5.6.0 and 5.6.1. Under certain conditions, this backdoor may allow remote access to the targeted system. This disclosure was posted to the Openwall mailing list. The security researcher mentions that this supply-chain attack was discovered while investigating SSH performance issues. This vulnerability is being tracked as CVE-2024-3094 has been given a CVSS score of 10.

XZ Utils and Libs

XZ Utils is a set of free software command-line lossless data compressors, including the programs lzma and XZ, for Unix-like operating systems. It is an upstream package for almost all distributions and can be downloaded and compiled independently.

Technical Details of CVE-2024-3094

The vulnerability exists in the source tarballs of the affected XZ versions. The vulnerable versions contain malicious code that can modify functions during the liblzma (data compression library) build process.

When the liblzma library is affected by malicious code, data from other applications that use the library may also be modified or intercepted. This code may allow unauthorized access to impacted systems.

This malicious code has not been detected in the Git distribution, which lacks the M4 macro. Based on the security researcher’s comments on the mailing list, this M4 macro is responsible for the backdoor build process. Post-detection of this macro is second-stage artifacts found in the Git repository are injected during the binary compilation.

Impact of this Malicious Code

Red Hat mentions that “the resulting malicious build interferes with authentication in sshd via systemd.  Under the right circumstances, this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.” 

Affected Versions

The vulnerability affects XZ Utils version 5.6.0 and 5.6.1. These versions on testing, unstable, or other bleeding edge distribution should be considered compromised.

Affected Distributions

This is a developing list of operating systems and distributions that have reported if they are affected by this vulnerability:

Operating SystemAffected VersionsComments
Red HatNot affectedNo versions of Red Hat Enterprise Linux (RHEL) are affected.
FedoraFedora 41 and Fedora RawhideFedora Linux 40 is updated to xz-5.4.6-3.fc40.
Fedora Rawhide is reverted to xz-5.4.6-3.fc41. 
DebianNot affectedThe Debian testing, unstable, and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1, are affected. The package has been reverted to the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1.
Kali LinuxThe vulnerability affected Kali between March 26th to March 29th, during which time xz-utils 5.6.0-0.2 was available.
OpenSUSETumbleweed snapshot (20240328 or later)Tumbleweed snapshot 5.6.1.revertto5.4 is released to address the vulnerability.
Arch LinuxInstallation medium 2024.03.01
Virtual machine images 20240301.218094 and 20240315.221711
Container images created between and including 2024-02-24 and 2024-03-28
Update to the latest version, 5.6.1-2
Amazon LinuxNot affected
AlpineNo stable branches are affectedAlpine edge-main version 5.6.1-r2 are affected.
UbuntuNot affected
GentooNot affected

Qualys QID Coverage

The Qualys Research team is building detections to enable customers to identify the risk posed by this vulnerability in their environment. Following are the details of this QID:

QIDTitleRelease Version
379548Backdoored Versions of XZ Utils Detected (CVE-2024-3094)VULNSIGS-2.6.15-6
710884Gentoo Linux XZ utils Backdoor in release tarballs Vulnerability (GLSA 202403-04)VULNSIGS-2.6.18-2
379582XZ Utils SSH Backdoor Versions Detected for MacOSVULNSIGS-2.6.22-2

Additional Information for SOC teams

SOC and Incident Responders can take the following actions to help mitigate the risk imposed by CVE-2024-3094:

  1. Follow CISA advice to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0).
  1. Follow the guidance provided in the table above for each Linux distribution.
  1. Incident response processes to hunt for suspicious activity on systems where affected versions have been installed should also be invoked.

Additional Resources










Share your Comments


Your email address will not be published. Required fields are marked *