In a significant security alert, a backdoor was detected in XZ Utils, a set of compression utilities for the XZ format that is commonly integrated across numerous Linux distributions. This vulnerability, cataloged as CVE-2024-3094, poses a grave risk by allowing unauthorized remote access to affected systems.
The flaw affects versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries. These releases carry malicious code that can bypass sshd authentication, giving a threat actor full remote control of the affected system.
The backdoor was discovered almost by accident by Andres Freund, a PostgreSQL developer and software engineer at Microsoft, while he was investigating unusual behaviour on Debian sid installations, such as SSH logins consuming excessive CPU and valgrind errors.
“After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored. At first I thought this was a compromise of Debian’s package, but it turns out to be upstream.”
The malicious code in the affected versions is carefully concealed behind several layers of obfuscation. Red Hat's analysis notes that the Git repository of XZ Utils does not contain the M4 macro that kicks off the build-time injection; that macro is present only in the release tarballs.
The second-stage components needed to inject the code during the build, however, are present in the repository, disguised as binary test files, waiting for the malicious M4 macro to activate them.
Okay, what is M4? In short, it is a general-purpose macro processor, best known as the language GNU Autoconf's configure scripts are generated from, and commonly used in software development and system administration for code generation, text manipulation and configuration file preprocessing.
In this case, the malicious “.m4” file alters the build so that the backdoor is compiled into liblzma. On Debian- and Fedora-style builds, liblzma is in turn pulled into sshd through libsystemd, which those distributions patch sshd to link for sd_notify, the mechanism that tells the service manager about start-up completion and other daemon status changes.
So, when such an OpenSSH server starts, liblzma is loaded into the sshd process as well. The backdoor then redirects the “RSA_public_decrypt” function to malicious code that bypasses authentication, providing the attacker direct access to the system.
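A quick host triage for the two conditions described above, the backdoored liblzma version and an sshd that actually loads liblzma, is worth having at hand. The script below is an added example written for this article, not a tool from the xz project or any distribution; it assumes a GNU/Linux host with xz, ldd and sshd in their usual places, and the sample `xz --version` and `ldd` lines in its comments are constructed for illustration.

```shell
#!/bin/sh
# CVE-2024-3094 host triage (added example, not a distribution's own script).
# Assumes: GNU/Linux, `xz` and `ldd` on PATH, sshd at `command -v sshd` or /usr/sbin/sshd.

# Return 0 (true) when VERSION is one of the two backdoored upstream releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print the liblzma version.
# Constructed sample of that output:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The library line is the one that matters: sshd loads liblzma, not the xz binary.
liblzma_version_from_output() {
    awk '$1 == "liblzma" { print $2; exit }'
}

# Read `ldd <sshd>` output on stdin; return 0 if liblzma is among the resolved
# shared objects, i.e. the backdoor's hook can fire when sshd starts.
sshd_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Same check for libsystemd, the usual route by which liblzma ends up in sshd.
sshd_links_libsystemd() {
    grep -q 'libsystemd\.so'
}

# Live triage of the current host. Every step is guarded so the script never
# aborts partway even when run under `set -e`.
triage_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null | liblzma_version_from_output || true)
        if xz_version_affected "$ver"; then
            echo "WARNING: liblzma $ver is a backdoored upstream release; downgrade or upgrade now"
        else
            echo "liblzma version ${ver:-unknown}: not a known backdoored release"
        fi
    else
        echo "xz not installed"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        deps=$(ldd "$sshd_path" 2>/dev/null || true)
        if printf '%s\n' "$deps" | sshd_links_liblzma; then
            echo "sshd ($sshd_path) links liblzma: the hook path is reachable"
            if printf '%s\n' "$deps" | sshd_links_libsystemd; then
                echo "  (pulled in via libsystemd, the sd_notify patch path)"
            fi
        else
            echo "sshd ($sshd_path) does not link liblzma: the sshd hook cannot fire here"
        fi
    else
        echo "sshd or ldd not found; skipping link check"
    fi
    return 0
}

triage_host
```

Two caveats. Debian's rolled-back package reports 5.4.5 from `xz --version` despite its 5.6.1+really5.4.5-1 package version, so the check correctly passes it; conversely, a distribution that keeps the 5.6.1 version string but strips the malicious code (as OpenMandriva did with its 5.6.1-2 rebuild) will be flagged, so treat a version hit as a prompt to check the distribution advisory rather than as proof of compromise.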
Shortly after reports of the compromised software repository spread, GitHub disabled access to it, and it is currently unavailable.
Shockingly, initial findings indicate that the malicious changes were committed by a user known as JiaT75. He is recognised as one of the two primary developers of XZ Utils, with several years of contributions to the project.
At the same time, two days ago, a user who had just signed up to an Ubuntu developer site under the name Jia Tan proposed including the compromised package in the Ubuntu repositories, presenting it as a routine bugfix update. Fortunately, that didn’t happen.
“Given this has been reverted in Debian, it should not be synced into Ubuntu.”
A Fedora developer shared that a similar situation unfolded with them, with a push to include the package in both the upcoming Fedora 40 beta release and the subsequent Fedora 41.
“Very annoying – the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its ‘great new features’. We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo.”
This reveals calculated, brazen premeditation: a determined effort to infiltrate the most widely used Linux distributions, relied on by millions of users. The clear intent was to embed a backdoor in them, from where it would propagate to their numerous derivatives through routine updates.
Now, let’s take a moment to discuss the XZ package. It’s worth mentioning because some of you might not be familiar with it, even though it’s virtually a staple in every Linux system.
What Is XZ Utils in Linux?
XZ Utils in Linux is a collection of utilities for compressing and decompressing files in the XZ format. XZ is a lossless compression format, built on the LZMA2 algorithm, that offers a high compression ratio, making it an attractive option for reducing file sizes for storage or transmission.
The XZ Utils package typically includes tools such as xz for compressing files, unxz (or xz --decompress) for decompressing them, and various other tools for testing, comparing and fixing files in the XZ format. It also ships the liblzma library, which other programs link to for XZ support and which is the component the backdoor lives in.
These utilities are integral to most Linux distributions, as they are commonly used for managing compressed files and archives. System administrators and users utilize the tools for tasks ranging from compressing log files to reduce disk space usage to distributing and installing software packages that are often compressed using the XZ format.
Which Linux Distributions Are Affected?
Now, let’s address a crucial concern: Is the Linux distribution you’re currently using impacted by CVE-2024-3094? Below, we’ve compiled the latest official statements from the major players in the Linux ecosystem.
Debian
“Right now no Debian stable versions are known to be affected. Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1. Users running Debian testing and unstable are urged to update the xz-utils packages.”
Fedora
“At this time, Fedora Rawhide users are likely to have received the tainted package and Fedora Linux 40 Beta users may have received the package if they opted into updating from testing repositories. Fedora Linux 40 Beta users only using stable repositories are NOT impacted. Fedora Linux 39 and 38 users are also NOT impacted. PLEASE IMMEDIATELY STOP USAGE OF FEDORA RAWHIDE for work or personal activity.”
Red Hat
“No versions of Red Hat Enterprise Linux (RHEL) are affected.”
Arch Linux
“The following release artifacts contain the compromised xz:
- installation medium 2024.03.01
- virtual machine images 20240301.218094 and 20240315.221711
- container images created between and including 2024-02-24 and 2024-03-28
The affected release artifacts have been removed from our mirrors. We strongly advise against using affected release artifacts and instead downloading what is currently available as the latest version! It is strongly advised to do a full system upgrade right away if your system currently has xz version 5.6.0-1 or 5.6.1-1 installed.”
SUSE / openSUSE
“SUSE Linux Enterprise and Leap are built in isolation from openSUSE. Code, functionality and characteristics of Tumbleweed are not automatically introduced in SUSE Linux Enterprise and/or Leap. It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap.
openSUSE Maintainers have rolled back the version of xz on Tumbleweed on March 28th and have released a new Tumbleweed snapshot (20240328 or later) that was built from a safe backup.”
Mageia
“The alert concerns versions 4.6.0 and 4.6.1 of the software. Mageia does not use and has never used these versions. Mageia users therefore have no particular action to take.”
OpenMandriva
“While the cooker and rolling branches of OpenMandriva Lx do include xz 5.6.1 and the problematic code is inside the source tarball, we currently believe that OpenMandriva is NOT vulnerable to this backdoor. This is because the backdoor relies on implementation details that seem to exist only if openssh was built with gcc (OpenMandriva builds openssh with clang).
Users of Rock/5.0 are not affected because the version in 5.0 predates the addition of the malicious code.
However, given the high impact of this, and the fact that it’s hard to be 100% sure we’re safe, we’re releasing an update with the backdoor code removed (xz 5.6.1-2), and advise everyone to update the package quickly even if it is unlikely to have any effect.”
Kali
“The impact of this vulnerability affected Kali between March 26th to March 29th, during which time xz-utils 5.6.0-0.2 was available. If you updated your Kali installation on or after March 26th, but before March 29th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.”
Alpine
“We presently believe Alpine was not affected in practice. The backdoor targeted sshd binaries linked with libsystemd and glibc, which is not the case in Alpine’s openssh-server package.”
Of course, we’ll closely monitor developments and provide updates as the situation evolves.