On March 29th, 2024, a backdoor was identified in versions 5.6.0 and 5.6.1 of XZ Utils. Under certain conditions, this backdoor may allow remote access to the targeted system. This disclosure was posted to the Openwall mailing list. The discoverer mentions that this supply-chain attack was discovered while investigating SSH performance issues. This compromise is identified as CVE-2024-3094.
XZ Utils and Libs
XZ Utils is a command line tool that contains functionality for compression and decompression of XZ files. It is found as an upstream package for almost all distributions and can also be downloaded and compiled independently.
Technical Details of CVE-2024-3094:
The upstream obfuscated code was discovered in the source tarballs of the affected xz versions. This malicious code has not been detected in the Git distribution, which lacks the M4 macro. Based on the discoverers comments on the mailing list, this M4 macro is responsible for the backdoor build process. Post-detection of this macro is second-stage artifacts found in the Git repository are injected during the binary compilation process.
Impact of this Malicious Code:
Red Hat mentions that “the resulting malicious build interferes with authentication in sshd via systemd. Under the right circumstances, this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”
Affected Versions:
XZ Utils version 5.6.0 and 5.6.1 are vulnerable. These versions on testing, unstable, or other bleeding edge distribution should be considered compromised.
Affected Distributions:
This is a developing list of operating systems and distributions that have reported if they are affected by this vulnerability:
Operating System | Comments | Affected versions |
Red Hat | Not affected | |
Fedora | Fedora 41 and Fedora Rawhide | |
Debian | Not affected | |
Kali Linux | – | Any Kali installations updated between March 26th and March 29th |
OpenSUSE | Tumbleweed snapshot (20240328 or later) was compiled to remove the backdoor | Tumbleweed snapshot 20240328 and earlier versions |
Amazon Linux | Not affected | |
Alpine | – | 5.6.0 5.6.0-r0 5.6.0-r1 5.6.1 5.6.1-r0 5.6.1-r1 |
Qualys QID Coverage:
The Qualys Research team is building detections to enable customers to identify the risk posed by this vulnerability in their environment. Following are the details of this QID:
QID | Title | ETA |
379548 | Backdoored Versions of XZ Utils Detected (CVE-2024-3094) | March 29th 2024 |
Additional Information for SOC teams:
SOC and Incident Responders can take the following actions to help mitigate the risk imposed by CVE-2024-3094:
- Follow CISA advice to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0)
- Follow the guidance provided in the table above for each Linux distribution.
- Incident response processes to hunt for suspicious activity on systems where affected versions have been installed should also be invoked.