Critical Linux Threat: XZ Backdoor Opens Door to SSH Hijacking

A hidden backdoor has been discovered in XZ Utils, the popular compression package (and its liblzma library) shipped by most Linux distributions. The malicious code, embedded in the project's release archives, is a software supply-chain compromise that could give its authors unauthorized access to SSH servers on affected systems.

Microsoft software engineer Andres Freund detected the backdoor and reported it on the Openwall oss-security mailing list on Friday morning (March 29). Malicious .m4 files added to the xz 5.6.0 release archives, published on February 24, contained build-system instructions that altered how the compression library liblzma is compiled, modifying its functions to allow unauthorized access.

These alterations in liblzma can compromise sshd because many Linux distributions patch OpenSSH to link against libsystemd, the component that sends service-readiness notifications to systemd, and libsystemd in turn depends on liblzma. Upstream OpenSSH has no such dependency; it is the distribution's linkage that pulls liblzma, and with it the backdoor, into the sshd process.

The added .m4 files were heavily obfuscated, evidently to conceal their malicious purpose, and were introduced by a user who had been an active contributor to the xz project for about two years.

“Based on activity observed over several weeks, it can be surmised that either the developer was directly involved in the malicious activity or their system suffered a significant security breach. However, the latter seems less likely, considering their communication in mailing lists regarding the mentioned ‘fixes’,” Freund reported, commenting on the changes in xz 5.6.1. Those changes, presented as fixes for valgrind errors and crashes, appear to have been prompted by problems the embedded backdoor itself caused.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the issue, tracked as CVE-2024-3094 and rated CVSS 10.0, the maximum score, advising developers and users to downgrade to an uncompromised version of xz, such as 5.4.6.
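The two checks a practitioner wants after reading the dependency-chain explanation (sshd to libsystemd to liblzma) and the CISA downgrade advice are: is the installed liblzma one of the two backdoored releases, and does this host's sshd actually load liblzma? The script below is an added example, not code from the original article or from the xz project. It assumes `xz`, `ldd` and an sshd binary exist on the host; the `SSHD_PATH` default and the sample tool outputs are constructed for illustration and should be adjusted for your distribution.

```shell
#!/bin/sh
# Added example, not code from the original article or from the xz project.
# Triage helpers for CVE-2024-3094: (1) is the installed liblzma one of the
# two backdoored releases, and (2) does sshd load liblzma on this host
# (which, as the article explains, happens only via the distribution's
# libsystemd linkage, not in upstream OpenSSH)?
# Assumptions not stated on the page: `xz`, `ldd` and an sshd binary exist;
# SSHD_PATH is a guess and should be adjusted for the distribution.

SSHD_PATH="${SSHD_PATH:-/usr/sbin/sshd}"

# Return 0 (true) if a version string is one of the backdoored releases.
# 5.6.0 and 5.6.1 are treated as affected regardless of how the binary was
# built; downgrading to 5.4.x (per CISA and the distributions) is the fix.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the library version out of `xz --version` output. The second line of
# that output reports the liblzma version, which is what sshd would load.
# Example output (constructed):
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
parse_liblzma_version() {
    printf '%s\n' "$1" | awk '/^liblzma / { print $2; exit }'
}

# From `ldd` output, print the path of liblzma if the binary (transitively)
# loads it; return 1 if it does not. A hit for sshd means the distribution
# linked it against libsystemd (or another library that pulls in liblzma).
liblzma_path_from_ldd() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^liblzma\.so/ && $2 == "=>" { print $3; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Constructed sample inputs, shaped like real tool output on a Debian-style host.
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_OUTPUT='	linux-vdso.so.1 (0x00007ffc1c3e6000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2b5d400000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2b5d3c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b5d000000)'
SAMPLE_LDD_OUTPUT_CLEAN='	linux-vdso.so.1 (0x00007ffc1c3e6000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b5d000000)'

# Run both checks against the live host. Caveat: some `ldd` implementations
# execute the target binary's dynamic loader; on a host you already suspect,
# grep /proc/<sshd pid>/maps for liblzma instead of calling ldd on the binary.
check_host() {
    ver=$(parse_liblzma_version "$(xz --version 2>/dev/null)")
    if xz_version_is_backdoored "$ver"; then
        echo "liblzma $ver is a backdoored release: downgrade to 5.4.x now"
    else
        echo "liblzma version '${ver:-unknown}' is not 5.6.0/5.6.1"
    fi
    if lz=$(liblzma_path_from_ldd "$(ldd "$SSHD_PATH" 2>/dev/null)"); then
        echo "$SSHD_PATH loads $lz (check that library's version too)"
    else
        echo "$SSHD_PATH does not load liblzma"
    fi
}

# Run the live check only when invoked with --live, e.g. `sh xz_triage.sh --live`.
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

The version test is deliberately blunt: the distributions and CISA treated every 5.6.0 and 5.6.1 build as suspect, so a match means downgrade, not further investigation. The `ldd` parse is what tells you whether the dependency chain the article describes exists on a given host at all; an sshd that does not load liblzma was never exposed through this path, even with a backdoored library installed.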

Freund noted that xz 5.6.0 and 5.6.1 had not yet been widely adopted by Linux distributions, and where they had been, it was primarily in pre-release or development branches.

Red Hat published an urgent security alert on Friday, urging users to immediately stop using any Fedora Rawhide instances because of the risk of compromise through xz. The alert also recommends that Fedora Linux 40 users downgrade to packages built on xz 5.4.

Freund discovered the backdoor while testing the latest unstable version of Debian. The Debian Security Advisory confirmed that the compromised package had reached the testing, unstable, and experimental releases of the distribution, stated that the package had been reverted to 5.4.5, and recommended that users update immediately. Preliminary data suggests that Debian's stable releases were not affected.

CVE-2024-3094 also affects the Homebrew package manager for macOS. Furthermore, it has been confirmed that Kali Linux, the OffSec distribution specialized for penetration testing, shipped the compromised package between March 26 and March 29.