A serious security vulnerability has been discovered in recent versions of the widely-used xz data compression tool and liblzma libraries. The issue, assigned CVE-2024-3094, appears to stem from malicious code being intentionally inserted into the upstream xz repositories by a bad actor.
The affected versions are xz 5.6.0 and 5.6.1 of the xz compression tool and the liblzma core compression library they link against. These versions contain obfuscated malicious code in the source release tarballs that is not present in the public Git repositories.
This backdoor code is designed to interfere with authentication in the OpenSSH server (sshd) on Linux systems when built with the compromised xz libraries.
How the Backdoor Works
The backdoor leverages sophisticated techniques to avoid detection and only triggers under very specific conditions. Key aspects include:
- The official upstream release tarballs distributed by xz-utils contain malicious, obfuscated code not present in the public Git repository
- Crafted test files in the Git repo act as the payload deployed by the malicious build script
- The backdoor hijacks the IFUNC mechanism in glibc to perform runtime hooking of authentication routines like OpenSSH's RSA public key decryption
- It activates selectively based on the build toolchain, OS distribution, and even the process name of the running executable (/usr/sbin/sshd)
When successfully triggered on a vulnerable glibc-based Linux system, the backdoor is able to bypass authentication flows and potentially enable full remote code execution capabilities.
Impacts and Risk Factors
While still an emerging situation with many details unknown, some of the key risk factors identified so far include:
- Systems running rolling release distros like Arch Linux and Debian Sid that automatically updated to the compromised xz 5.6.x versions
- Installations with patched OpenSSH linked against systemd and liblzma from the backdoored library
- Publicly accessible sshd servers exposed to the internet, where the bypass is confirmed to work
- Potentially other yet undiscovered attack vectors and payloads in the malicious code
The combination of stealthy targeted activation and the broad install base of the xz utilities creates a high risk for this supply chain attack to be further exploited in the wild.
"The upstream xz repository and the xz tarballs have been backdoored," Freund noted. "At first, I thought this was a compromise of Debian's package, but it turns out to be upstream."
"One portion of the backdoor is *solely in the distributed tarballs*." "That line is *not* in the upstream source of build-to-host, nor is build-to-host used by xz in git. However, it is present in the tarballs released upstream, except for the 'source code' links."
Response and Mitigation
Both CISA and major Linux distribution vendors have issued critical alerts, instructing users to immediately downgrade to a version prior to the backdoored 5.6.0 release, such as 5.4.x.
High-priority remediation is recommended in these scenarios:
- Public internet-facing sshd servers - update xz IMMEDIATELY
- Running glibc-based distros with xz 5.6.0/5.6.1 - update as soon as possible
- Rolling release distributions - prioritize updating dev/unstable branches first
According to advisories from OS vendors, the status of the primary distributions assessed so far is:
- Fedora Linux 40 and Fedora Rawhide (the Fedora development branch) [Affected]
- Debian unstable (Sid) [Affected]
- Kali Linux [Affected]
- Amazon Linux (AWS) [Not Affected]
- OpenSUSE [Not Affected]
- Arch Linux [Affected]
- Apache Projects [Not Affected]
Fedora has published updates reverting to the safe xz 5.4.x version. Red Hat has also urgently warned users to stop using any Fedora Rawhide instances immediately until patched, as this forms the basis for the upcoming Fedora 41 release.
While no versions of Red Hat Enterprise Linux appear affected currently, the backdoor may also exist in other Linux distributions that packaged the compromised xz 5.6.0/5.6.1 releases. Users should check with their OS vendors for updates and guidance.
At this time, we believe that version 5.4.6 is not vulnerable to this exploit. Here is how you can check if you're running the affected version:
xz --version
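The same check in script form, added here as an example and not taken from the advisory or any vendor tooling: it parses the first line of the `xz --version` banner for the two backdoored releases and, because the backdoor only matters when sshd actually loads liblzma (on the affected distributions via the systemd patch), it also inspects an `ldd` listing of the sshd binary. The sample banner and ldd line are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the original advisory): classify the first line of
# `xz --version` and check whether an sshd binary would load liblzma.

# Constructed sample inputs, not captured from a real host.
SAMPLE_BANNER='xz (XZ Utils) 5.6.1'
SAMPLE_LDD='    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000000)'

# Return 0 (true) when the banner names a backdoored release (CVE-2024-3094).
# Expected input is the first line of `xz --version`, e.g. "xz (XZ Utils) 5.6.1".
xz_version_is_backdoored() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when an `ldd` listing of sshd shows liblzma being loaded, whether
# directly or indirectly through libsystemd; that is the link the backdoor needs.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both checks. Prints a verdict; returns 0 when remediation is needed.
assess_host() {
    banner="$1"; ldd_out="$2"
    if xz_version_is_backdoored "$banner"; then
        if sshd_links_liblzma "$ldd_out"; then
            echo "EXPOSED: backdoored xz installed and sshd loads liblzma - downgrade xz now"
        else
            echo "REMEDIATE: backdoored xz installed, sshd does not load liblzma"
        fi
        return 0
    fi
    echo "OK: xz version is not 5.6.0 or 5.6.1"
    return 1
}

# Run against the constructed samples; on a real host use instead:
#   assess_host "$(xz --version | head -n 1)" "$(ldd "$(command -v sshd)" 2>/dev/null)"
assess_host "$SAMPLE_BANNER" "$SAMPLE_LDD"
```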
At this time, OpenBSD, FreeBSD and other BSD distributions leveraging their native compression utilities are not confirmed vulnerable. However, further analyses are still ongoing across the open-source community.
CISA issued an Advisory
In the advisory, CISA stated, "CISA and the open source community are responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1." "The malicious code may allow unauthorized access to affected systems."
CISA has recommended that developers and users downgrade XZ Utils to an uncompromised version such as the latest stable XZ Utils 5.4.6 release. They have also urged organizations to hunt for any signs of malicious activity on systems that had the compromised versions installed and to report any confirmed incidents to CISA for further investigation and incident response.
A Serious Supply Chain Attack
The fact that the malicious code was injected into the upstream xz source tarballs directly by a suspected bad actor makes this a supply chain attack of critical importance. Software supply chain compromises are an increasing threat vector that is very difficult to detect and prevent.
This issue highlights the importance of secure software development practices, code signing, and careful auditing of open-source codebases and build processes by vendors.
All Linux distribution vendors and users should promptly install the updated XZ packages or downgrade XZ Utils to an uncompromised version to remediate this vulnerability on affected systems.