What is the problem

Reports are circulating that a CVSS 10.0 vulnerability (CVE-2024-3094) has been found in the xz package, whose liblzma library is loaded into the OpenSSH daemon (sshd) on several Linux distributions. It allows an attacker holding a specific private key to execute arbitrary commands, before authentication, on a system whose sshd has loaded a vulnerable version of liblzma.

More specifically, an obfuscated backdoor was introduced into the release tarballs of xz versions 5.6.0 and 5.6.1, published in late February and early March 2024. It was discovered and publicly disclosed in late March 2024.

An attack timeline can be found here.

How does the vulnerability work

xz 5.6.0 and 5.6.1 carry an obfuscated backdoor inside liblzma. When the library is loaded into sshd, the backdoor hooks the OpenSSL function RSA_public_decrypt, which sshd calls while checking a client's public key, before authentication completes. The hook looks for a command payload hidden in the RSA key material the client presents, checks its signature against a public key hard-coded in the backdoor (so only the holder of the matching private key can use it), and, if the signature verifies, executes the command with sshd's privileges, normally root. If the check fails, the call is passed through to the real RSA_public_decrypt, so ordinary SSH traffic is handled unchanged and the backdoor stays dormant.

Who may be responsible

The current belief in the security community at large, pending a detailed examination of the backdoor, is that it is likely the work of a nation-state linked Advanced Persistent Threat (APT) actor, given the premeditated, multi-year infiltration of the xz project from 2021 to 2024 to gain maintainer status.

As such, this vulnerability warrants serious attention.

Who/what are affected

Anyone running a Linux distribution that shipped the affected xz versions is potentially vulnerable. The known list of affected Linux distributions and versions is as follows:

  1. Fedora (40, 41, rawhide)
  2. Debian (testing, unstable (sid), experimental)
  3. OpenSUSE (Tumbleweed)
  4. Kali (updated between March 26th and March 29th)
  5. Arch (with xz 5.6.0-1)
  6. Alpine (Edge (active development))

As we can see, these are mostly either development branches or distributions with a rolling release policy. Note that shipping the backdoored package is not the same as being exploitable through SSH: the remote path exists only where sshd actually loads liblzma, which on Debian- and Fedora-derived systems happens indirectly through their patched OpenSSH linking libsystemd. An sshd that never loads liblzma cannot reach the backdoor, but the malicious library should still be removed from every system that has it.

Most enterprise users on Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise and Ubuntu Long Term Support (LTS) releases are unaffected, as those releases ship older xz versions. No action is needed beyond confirming the installed xz version.

Recommended remediation and mitigation measures

Affected users are advised to move immediately to the rebuilt or rolled-back xz packages their distribution has published (most distributions reverted to the 5.4.x series), then restart sshd, since a running daemon keeps the already-loaded library in memory until it is restarted. Hosts that exposed a vulnerable sshd to the network should be reviewed for signs of compromise rather than assumed clean after the package swap.
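The following shell helpers are an added example, not code from the original advisory or from the xz or OpenSSH projects. They implement the three checks a practitioner wants here: is one of the two backdoored releases installed, does this host's sshd load liblzma at all, and does a still-running sshd have the old library mapped after a downgrade. The sshd path /usr/sbin/sshd (overridable with SSHD_BIN) is an assumption, and the SAMPLE_* strings are constructed to look like real tool output so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of the xz/OpenSSH projects.
# Helpers for checking a Linux host for the xz/liblzma backdoor (CVE-2024-3094).
# Assumptions: sshd lives at /usr/sbin/sshd unless SSHD_BIN is set; the SAMPLE_*
# strings below are constructed, not captured from a real host.

# The two upstream releases whose tarballs carry the backdoor.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Reduce `xz --version` output (stdin) to the bare version, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_output() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if `ldd sshd` output (stdin) shows liblzma being pulled in.
# On Debian- and Fedora-style OpenSSH builds it arrives indirectly via
# libsystemd; an sshd that never loads liblzma cannot reach the backdoor.
sshd_links_liblzma() {
    grep -q 'liblzma\.so'
}

# From /proc/<pid>/maps text (stdin), print each liblzma file a running
# process has mapped, keeping any "(deleted)" marker: after a package
# downgrade, an sshd that was not restarted still runs the old library.
mapped_liblzma_paths() {
    awk '$6 ~ /liblzma\.so/ { print substr($0, index($0, $6)) }' | sort -u
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_SSHD='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a00000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a00100000)'
SAMPLE_MAPS='7f3a00100000-7f3a00130000 r--p 00000000 fd:01 131 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 (deleted)
7f3a00130000-7f3a00160000 r-xp 00030000 fd:01 131 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 (deleted)
7f3a00200000-7f3a00300000 r--p 00000000 fd:01 200 /usr/lib/x86_64-linux-gnu/libc.so.6'

# Live check of this host; prints findings and never aborts the script.
check_local_host() {
    sshd_bin="${SSHD_BIN:-/usr/sbin/sshd}"
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    if [ -n "$ver" ] && is_backdoored_xz_version "$ver"; then
        echo "xz $ver: backdoored release installed; downgrade and restart sshd"
    else
        echo "xz ${ver:-(not found)}: not one of the backdoored releases"
    fi
    if [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | sshd_links_liblzma; then
        echo "$sshd_bin loads liblzma: exposed if the installed xz is backdoored"
    else
        echo "$sshd_bin not found or does not load liblzma"
    fi
    for pid in $(pidof sshd 2>/dev/null || true); do
        mapped_liblzma_paths 2>/dev/null < "/proc/$pid/maps" |
            while read -r lib; do echo "sshd pid $pid has mapped: $lib"; done
    done
}

# Run the live check only when asked (sh xz_check.sh --check), so the
# functions can also be sourced from other scripts.
if [ "${1:-}" = "--check" ]; then
    check_local_host
fi
```

Run it as root so /proc/<pid>/maps of sshd is readable; a line ending in "(deleted)" means the package was replaced on disk but the daemon is still executing the old library and must be restarted.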

Further Readings

  1. Linux xz Backdoor Damage Could Be Greater Than Feared
  2. XZ Utils backdoor update: Which Linux distros are affected and what can you do?
  3. Critical XZ Utils Supply Chain Compromise Affects Multiple Linux Distributions (CVE-2024-3094)
  4. backdoor in upstream xz/liblzma leading to ssh server compromise