XZ Utils
– Date: 29th of March –
Threat Alert – XZ Utils – Backdoor in widely used Linux library might make your environment vulnerable to an external threat actor. Please continue to read this post for further information.
On the 29th of March, a Microsoft PostgreSQL developer found a backdoor in a popular and widely used Linux package called “XZ Utils” (5.6.0-1), CVE-2024-3094 (CVSS 10.0).
⚠️ XZ Utils is a collection of open-source tools and libraries for the XZ compression format, used for high compression ratios with support for multiple compression algorithms. The backdoor is in the package’s liblzma library, which could be used by sshd (i.e., the SSH daemon) that listens for SSH connections.
⚠️ At first it was thought to be just an authentication bypass, but after careful investigation by many malware researchers it was determined to be an RCE backdoor.
⚠️ The affected Linux distros are:
❗This backdoor could allow a malicious actor to “break sshd authentication,” allowing the attacker to gain access to an affected internet-facing system.
❗This package is widely used and is popular among many different Linux distributions.
❗No workaround is available. Only an upgrade or downgrade mitigates the security risk.
✅ Patch to an earlier or later version of XZ Utils than 5.6.0-1.
✅ Check whether liblzma is linked directly to OpenSSH.
For example, on Arch Linux, you can confirm this by issuing the following command:
ldd "$(command -v sshd)"
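The two checks above (installed version and whether sshd loads liblzma) can be combined into one triage step. The script below is an added example, not part of the original alert; the function names, the sample `ldd` output and the `--live` switch are assumptions made for illustration, and the live branch assumes an Arch Linux host with `pacman`.

```shell
#!/bin/sh
# Added example, not from the original alert. Sample ldd output is constructed.
# Flagged upstream releases: 5.6.0 (named in the alert) and 5.6.1, which
# CVE-2024-3094 also covers.
AFFECTED="5.6.0 5.6.1"

# upstream_version "5.6.0-1" -> "5.6.0" (drops epoch and package release)
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

is_affected() {
    up=$(upstream_version "$1")
    for v in $AFFECTED; do
        [ "$up" = "$v" ] && return 0
    done
    return 1
}

# Reads ldd output on stdin. ldd also lists transitive dependencies, so a
# match means liblzma is loaded into sshd by some path, direct or not.
links_liblzma() {
    grep -q 'liblzma\.so'
}

# triage PKG_VERSION LDD_OUTPUT -> prints exposed | upgrade | ok | unknown
triage() {
    [ -n "$1" ] || { echo unknown; return 0; }
    if ! is_affected "$1"; then echo ok
    elif printf '%s\n' "$2" | links_liblzma; then echo exposed
    else echo upgrade
    fi
}

SAMPLE_LINKED='	libsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x00007f0000200000)
	liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f0000100000)'
SAMPLE_CLEAN='	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f0000300000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000000000)'

if [ "${1:-}" = "--live" ]; then
    # Assumes Arch Linux: version from pacman, library list from the alert's ldd command
    triage "$(pacman -Q xz 2>/dev/null | awk '{print $2}')" \
           "$(ldd "$(command -v sshd)" 2>/dev/null)"
else
    triage "5.6.0-1" "$SAMPLE_LINKED"   # exposed
    triage "5.6.0-1" "$SAMPLE_CLEAN"    # upgrade
    triage "5.4.6-1" "$SAMPLE_LINKED"   # ok
fi
```

A result of `upgrade` means the flagged package is installed even though sshd does not load liblzma, so the version change is still required.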
✅ Remove all USB controllers from the Virtual Machine, disabling USB passthrough functionality, and rendering virtual USB devices inaccessible.
✅ Default keyboard and mouse input devices remain unaffected because they operate independently of the USB protocol.