• Blog
  • What You Need to Know About the XZ Utils Backdoor


What You Need to Know About the XZ Utils Backdoor

Understand how to respond to the announcement of the XZ Utils backdoor.

On March 29th, 2024, a critical security flaw was uncovered in xz-utils, a suite of software widely used for lossless compression in the Linux and macOS ecosystems. This revelation has raised significant concerns due to the potential for unauthorized access and system compromise. The affected versions, namely 5.6.0 and 5.6.1, are part of the xz compression utility that plays a crucial role in compressing various file formats, including release tarballs, software packages, kernel images, and initramfs images. 

Various Linux distributions are susceptible to this vulnerability, such as Red Hat’s Fedora 41 and Fedora Rawhide. Red Hat assigned CVE-2024-3094 for this vulnerability with a CVSS score of 10.0 and warned its users to "PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity" until they reverted the compromised library and released the fixed versions.


Understanding the Impact of the XZ Utils Backdoor 

The backdoor discovered in xz-utils is intricate and indirect, manifesting only under specific conditions. While the full extent of its capabilities is still being investigated, we known it can be triggered by remote unprivileged systems connecting to public SSH ports. This activation can lead to performance issues and potentially compromise system integrity.


Are You Vulnerable to XZ Utils Backdoor?  

Your system may be vulnerable if you have xz or liblzma versions 5.6.0 or 5.6.1 installed, typically found in rolling-release distributions. Check if your system is running a vulnerable version of the package by running 
xz --version 
and verify the output is less than 5.6.0. 

Additional conditions required for the attack: 

  • Your system needs to be running a distribution utilizing glibc (for IFUNC support). 
  • Your system is using systemd in conjunction with patched OpenSSH, though other configurations may also be affected pending further analysis.


Immediate Actions

Given the severity of this vulnerability, prompt action is essential: 

  • If your system meets the criteria above, particularly using a .deb or .rpm based distro with glibc and xz-5.6.0 or xz-5.6.1, update immediately. 
  • Prioritize updating systems using systemd on publicly accessible SSH ports to mitigate immediate risks. 
  • If you suspect your system might have been compromised, make sure to go over audit logs and look for any anomalies.


Industry Response and Collaboration

The discovery of this backdoor has prompted collaborative efforts within the software community: 

  • GitHub has suspended accounts associated with the backdoor discovery, though challenges remain in auditing changes due to repository bans. 
  • OpenSUSE has provided a downgrade procedure for affected users, emphasizing the importance of community support and coordination during security incidents.


Technical Details of the Backdoor

The backdoor comprises several components designed to exploit specific conditions: 

  • Crafted test files within the git repository and modified build scripts to facilitate the injection of malicious code during the build process. 
  • IFUNC, a mechanism in glibc, is exploited for runtime hooking/redirection of OpenSSH's authentication routines, potentially leading to unauthorized access.


Acknowledging Discoveries and Contributors

  • Andres Freund's discovery and reporting of the issue, along with the efforts of security teams, have been instrumental in coordinating responses and pushing out fixes. 
  • Lasse Collin, a maintainer of xz-utils, has provided updates and is collaborating with the community to address the security implications.


Conclusion and Caution 

As investigations continue, it is crucial to remain vigilant and prioritize system updates to mitigate potential risks posed by the xz backdoor. This ongoing situation underscores the importance of proactive security measures and collaborative efforts within the software supply chain to safeguard against evolving threats. 

We will update this post as more details emerge.  

Contact us if you have questions or concerns about this vulnerability.  

Share this guide

Published on
March 30, 2024

Book a 30 minute demo including the option to analyze your own software supply chain, if desired.