
Backdoor injected into XZ compression tools in several Linux distributions

Massive vulnerability threatens several Linux distributions, especially those that update quickly (Image: generated with Dall-E 3)
A backdoor has been discovered in the XZ compression tools that allows unauthorised remote access through SSH logins. Rolling Linux distributions are particularly affected; updates are already available.

Unusually high CPU usage during SSH logins and valgrind error messages led software developer Andres Freund to discover a serious security hole on his Debian sid installation. He traced the cause to XZ Utils, a collection of compression tools shipped with most Linux distributions. OpenSSH itself does not use XZ, but on several distributions sshd is patched to link libsystemd, which in turn loads liblzma, the XZ library, into the SSH daemon.

The vulnerability, tracked as CVE-2024-3094, allows unauthorised remote access to affected Linux systems. Affected are XZ Utils and the associated liblzma library in versions 5.6.0 (released in late February) and 5.6.1 (released on 9 March). These compromised releases, introduced by one of the project's own maintainers, hook sshd's public-key authentication so that an attacker holding a specific private key can bypass authentication and execute commands on the system with the privileges of sshd, i.e. as root.

Software developer Andres Freund writes about his discovery of the vulnerability: “After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored. At first I thought this was a compromise of Debian’s package, but it turns out to be upstream.”

Only part of the backdoor was visible in the public repository on GitHub: the binary payload was disguised as test files in the git tree, while the build script that unpacks and injects it into liblzma was shipped only in the release tarballs. GitHub has suspended the XZ Utils repository for the time being. The affected Linux distributions are listed below; updates are already available for all of them except Fedora Rawhide:

  • Debian Testing, Unstable and Experimental
  • Fedora Rawhide
  • Arch Linux
  • openSUSE Tumbleweed

Distributions such as Debian Stable, Fedora 39, openSUSE Leap or Red Hat Enterprise Linux (RHEL) are not affected, since they ship older XZ Utils releases. If you are using one of the rolling distributions listed above, check the installed version in the console with xz --version: versions 5.6.0 and 5.6.1 are compromised and must be replaced with a patched or downgraded package immediately. Because the backdoor gave an attacker code execution as root, a fresh installation is the safest option, especially if SSH access to the system was reachable from the network.
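The version check described above, together with the libsystemd/liblzma link path that carries the backdoor into sshd, as an added example that is not part of the original article: a small POSIX shell script that parses the output of xz --version, flags the two backdoored releases, and reports whether the sshd binary on this machine links liblzma at all. The function names are my own, and the version strings used in the comments are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the article or the XZ project): triage checks
# for CVE-2024-3094 on a single host.

# Return 0 (true) when a version string is one of the two backdoored releases.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` text, whose first line looks
# like "xz (XZ Utils) 5.6.1" (constructed sample). Prints the version, or
# nothing if the text does not match that shape.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Report whether sshd loads liblzma: prints "linked", "not-linked" or
# "no-sshd". OpenSSH does not use liblzma itself; distribution patches that
# link sshd against libsystemd are what pull the library into the daemon,
# and that is the path the backdoor relies on.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null)
    [ -n "$sshd_path" ] || sshd_path=/usr/sbin/sshd
    if [ ! -x "$sshd_path" ] || ! command -v ldd >/dev/null 2>&1; then
        echo no-sshd
    elif ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'; then
        echo linked
    else
        echo not-linked
    fi
}

# Run both checks against this machine and print a verdict.
# Exit status 1 means a backdoored xz release is installed.
check_system() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_is_backdoored "$ver"; then
        echo "xz $ver: BACKDOORED release (CVE-2024-3094); sshd liblzma: $(sshd_links_liblzma)"
        return 1
    fi
    echo "xz ${ver:-unknown}: not a known backdoored release; sshd liblzma: $(sshd_links_liblzma)"
}

check_system
```

A "linked" result on a host that never ran 5.6.0 or 5.6.1 is not a compromise indicator by itself; it only tells you that this sshd would have been exposed had the bad package been installed, which is why the version check comes first.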

Alexander Pensler, 2024-03-30 (Update: 2024-03-31)