XZ Utils SSHd Backdoor
Last updated on: April 11, 2024
On March 29th, 2024, security researcher Andres Freund discovered a backdoor in XZ Utils versions 5.6.0 and 5.6.1. Under certain conditions, this backdoor may allow remote access to the targeted system. The disclosure was posted to the Openwall mailing list, where the researcher notes that this supply-chain attack was discovered while investigating SSH performance issues. The vulnerability is tracked as CVE-2024-3094 and has been assigned a CVSS score of 10.
XZ Utils and Libs
XZ Utils is a set of free software command-line lossless data compressors, including the programs lzma and XZ, for Unix-like operating systems. It is an upstream package for almost all distributions and can be downloaded and compiled independently.
Technical Details of CVE-2024-3094
The vulnerability exists in the source tarballs of the affected XZ versions. The vulnerable versions contain malicious code that can modify functions during the liblzma (data compression library) build process.
When the liblzma library is affected by malicious code, data from other applications that use the library may also be modified or intercepted. This code may allow unauthorized access to impacted systems.
This malicious code has not been detected in the Git distribution, which lacks the M4 macro. Based on the security researcher's comments on the mailing list, this M4 macro is responsible for the backdoor build process. Once the macro is present, the second-stage artifacts that do exist in the Git repository are injected during compilation of the binary.
Impact of this Malicious Code
Red Hat mentions that “the resulting malicious build interferes with authentication in sshd via systemd. Under the right circumstances, this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”
Affected Versions
The vulnerability affects XZ Utils versions 5.6.0 and 5.6.1. Systems running these versions on testing, unstable, or other bleeding-edge distributions should be considered compromised.
Affected Distributions
This is a developing list of operating systems and distributions that have reported if they are affected by this vulnerability:
| Operating System | Affected Versions | Comments |
| --- | --- | --- |
| Red Hat | Not affected | No versions of Red Hat Enterprise Linux (RHEL) are affected. |
| Fedora | Fedora 41 and Fedora Rawhide | Fedora Linux 40 is updated to xz-5.4.6-3.fc40. Fedora Rawhide is reverted to xz-5.4.6-3.fc41. |
| Debian | Not affected | The Debian testing, unstable, and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1, are affected. The package has been reverted to the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1. |
| Kali Linux | – | The vulnerability affected Kali between March 26th and March 29th, during which time xz-utils 5.6.0-0.2 was available. |
| OpenSUSE | Tumbleweed snapshot (20240328 or later) | Tumbleweed snapshot 5.6.1.revertto5.4 is released to address the vulnerability. |
| Arch Linux | Installation medium 2024.03.01; virtual machine images 20240301.218094 and 20240315.221711; container images created between and including 2024-02-24 and 2024-03-28 | Update to the latest version, 5.6.1-2 |
| Amazon Linux | Not affected | |
| Alpine | No stable branches are affected | Alpine edge-main version 5.6.1-r2 is affected. |
| Ubuntu | Not affected | |
| Gentoo | Not affected | |
Qualys QID Coverage
The Qualys Research team is building detections to enable customers to identify the risk posed by this vulnerability in their environment. The following QIDs are available:
| QID | Title | Release Version |
| --- | --- | --- |
| 379548 | Backdoored Versions of XZ Utils Detected (CVE-2024-3094) | VULNSIGS-2.6.15-6 |
| 710884 | Gentoo Linux XZ utils Backdoor in release tarballs Vulnerability (GLSA 202403-04) | VULNSIGS-2.6.18-2 |
| 379582 | XZ Utils SSH Backdoor Versions Detected for MacOS | VULNSIGS-2.6.22-2 |
Additional Information for SOC teams
SOC and Incident Responders can take the following actions to help mitigate the risk posed by CVE-2024-3094:
- Follow CISA advice to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0).
- Follow the guidance provided in the table above for each Linux distribution.
- Invoke incident response processes to hunt for suspicious activity on systems where affected versions have been installed.
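As an added example (not from the Qualys advisory or the XZ project), the following POSIX shell script performs the two checks a responder would run on each host before deciding whether to downgrade and hunt: whether the installed xz/liblzma is one of the backdoored releases (5.6.0 or 5.6.1), and whether sshd links liblzma at all, which is the precondition for the sshd authentication interference described above. The sample `xz --version` and `ldd` outputs are constructed so the logic can be exercised offline; `SAMPLE_*`, `assess` and `--live` are this example's own names.

```shell
#!/bin/sh
# Constructed sample inputs (not captured from a real host) used when the
# script is run without --live.
SAMPLE_XZ_VERSION="xz (XZ Utils) 5.6.1
liblzma 5.6.1"
SAMPLE_SSHD_LDD="    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f00deadb000)"

# True (exit 0) when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of the first line of `xz --version` output,
# which looks like "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Combine both checks into a single verdict line.
# $1: `xz --version` output, $2: `ldd <path to sshd>` output.
assess() {
    ver="$(xz_version_from_output "$1")"
    if [ -z "$ver" ]; then
        echo "UNKNOWN: xz not installed or version not parsed"
        return 0
    fi
    if xz_version_affected "$ver"; then
        if printf '%s\n' "$2" | grep -q 'liblzma'; then
            echo "AFFECTED: xz $ver is a backdoored release and sshd links liblzma; downgrade below 5.6.0 and start hunting"
        else
            echo "AFFECTED: xz $ver is a backdoored release; sshd does not link liblzma here but downgrade anyway"
        fi
        return 0
    fi
    echo "OK: xz $ver is not a backdoored release"
}

main() {
    if [ "${1:-}" = "--live" ]; then
        sshd_path="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
        verdict="$(assess "$(xz --version 2>/dev/null)" "$(ldd "$sshd_path" 2>/dev/null)")"
        echo "$verdict"
        case "$verdict" in OK:*) return 0 ;; *) return 1 ;; esac
    fi
    # Demonstration run on the constructed sample (always exits 0).
    assess "$SAMPLE_XZ_VERSION" "$SAMPLE_SSHD_LDD"
}
main "$@"
```

Run with `--live` on a real host to get a non-zero exit status for anything other than an OK verdict, which makes it usable from fleet tooling.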
Additional Resources
https://security.gentoo.org/glsa/202403-04
https://ubuntu.com/security/CVE-2024-3094
https://kali.org/blog/about-the-xz-backdoor/
https://security.alpinelinux.org/vuln/CVE-2024-3094
https://news.opensuse.org/2024/03/29/xz-backdoor/
https://archlinux.org/news/the-xz-package-has-been-backdoored/
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users