Nynox advisory - Threat alert -

XZ Utils

– Date: 29th of March –

Threat Alert – XZ Utils – Backdoor in widely used Linux library might make your environment vulnerable to an external threat actor. Please continue to read this post for further information.

On the 29th of March, a Microsoft postgres developer found a backdoor in a popular and widely used Linux package called “XZ Utils” (5.6.0-1), CVE-2024-3094 (CVSS 10.0).

What’s going on?

⚠️ XZ Utils is a collection of open-source tools and libraries for the XZ compression format, that are used for high compression ratios with support for multiple compressions algorithms. The backdoor is in the package’s liblzma library, which could be used by sshd (i.e., SSH daemon app) that listens for SSH connections.

⚠️ First it was thought to just be an authentication bypass but after careful investigation by many malware researchers it was determined to be RCE backdoor.

⚠️ The affected Linux distro’s are:

Fedora Rawhide (the current development version of Fedora Linux) and Fedora Linux 40 beta
openSUSE Tumbleweed and openSUSE MicroOS included an affected xz version between March 7th and March 28th.
See whether XZ has versions 5.6.0-1, if so please update immediately to 5.6.1-2.
Debian Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.
Kali Linux (Update from March 26 – 29)

WHY IS THIS VULNERABILITY SERIOUS?

❗This backdoor could allow a malicious actor to “break sshd authentication,” allowing the attacker to gain access to an affected internet-facing system.
❗This package is widely used and is popular among many different Linux distributions.
❗No workaround is available. Only an upgrade or downgrade mitigates the security risk.