Nynox advisory - Threat alert - XZ Utils

– Date: 29th of March –

Threat Alert – XZ Utils – A backdoor in a widely used Linux library might make your environment vulnerable to an external threat actor. Please continue reading this post for further information.

On the 29th of March, a Microsoft Postgres developer found a backdoor in the popular and widely used Linux package “XZ Utils” (5.6.0-1), tracked as CVE-2024-3094 (CVSS 10.0).

What’s going on?

⚠️ XZ Utils is a collection of open-source tools and libraries for the XZ compression format, used to achieve high compression ratios with support for multiple compression algorithms. The backdoor is in the package’s liblzma library, which may be loaded by sshd (the SSH daemon that listens for SSH connections).

⚠️ At first it was thought to be just an authentication bypass, but after careful investigation by many malware researchers it was determined to be an RCE backdoor.

⚠️ The affected Linux distros are:

  • Fedora Rawhide (the current development version of Fedora Linux) and Fedora Linux 40 beta
  • openSUSE Tumbleweed and openSUSE MicroOS included an affected xz version between March 7th and March 28th.
  • Check whether XZ is at version 5.6.0-1; if so, update immediately to 5.6.1-2.
  • Debian testing, unstable and experimental distributions, versions 5.5.1alpha-0.1 to 5.6.1-1.
  • Kali Linux (updates from March 26 to 29)

❗This backdoor could allow a malicious actor to “break sshd authentication,” allowing the attacker to gain access to an affected internet-facing system.
❗This package is widely used and is popular among many different Linux distributions.
❗No workaround is available. Only an upgrade or downgrade mitigates the security risk.

How does Nynox protect its customers?
🛡️ Personalized assistance to mitigate the risk
🛡️ 24×7 Incident Response (CSIRT)
🛡️ 24×7 monitoring of customer environments

✅ Patch to an earlier or later version of XZ Utils than 5.6.0-1.

But what if you can’t?

✅ Check whether liblzma is linked into openssh (sshd).

For example, on Arch Linux you can confirm this by issuing the following command:

ldd "$(command -v sshd)"
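As an added example that is not part of the Nynox advisory, the following POSIX shell script automates the two checks described above: whether sshd loads liblzma, and whether the installed xz reports one of the upstream releases that carried the backdoor. The function names and the sample ldd output are my own constructs.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling. It checks the two indicators the
# advisory describes: does sshd load liblzma, and is the installed xz one of the
# upstream releases (5.6.0, 5.6.1) that carried the backdoor? Names are my own.

# Return 0 if an ldd listing contains liblzma, 1 otherwise. The listing is passed
# as a string so output saved from another host can be checked as well.
sshd_links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Print the upstream version from `xz --version` output, e.g. "5.6.1".
parse_xz_version() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Return 0 if the upstream version is one of the two backdoored releases.
# Distro rebuilds from clean sources (such as the 5.6.1-2 package the advisory
# names) still report 5.6.1 here, so a hit means "confirm the package revision
# with your package manager", not "confirmed backdoored".
xz_version_affected() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Live check of this host: needs sshd, ldd and xz in PATH.
check_host() {
  sshd_path="$(command -v sshd 2>/dev/null)" || { echo "sshd not found"; return 2; }
  if sshd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
    echo "sshd loads liblzma: $sshd_path"
  else
    echo "sshd does not load liblzma"
  fi
  ver="$(parse_xz_version "$(xz --version 2>/dev/null)")"
  if xz_version_affected "$ver"; then
    echo "xz $ver is a backdoored upstream release: verify the package revision"
  else
    echo "xz ${ver:-unknown} is outside the affected releases"
  fi
}

# Constructed sample ldd output (not captured from a real host) for offline use.
SAMPLE_LDD_LINKED='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f01)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f02)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f03)'
SAMPLE_LDD_CLEAN='    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f03)'
if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run it with `--live` to check the current host; without arguments it only defines the functions and sample data.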

