xz Utils

April 29, 2024

Summary

xz Utils is a popular data compression tool and library found in many Linux distributions. The critical vulnerability found in recent versions of its library, liblzma, is a malicious code injection designed to allow unauthorized remote access[5].

When a specific set of conditions is met (a vulnerable OS running an affected version of xz together with a publicly accessible sshd), an attacker possessing a specific private key may be able to execute arbitrary commands on the system[6].

Impact

Remote Code Execution/Unauthorized Remote Access

Vulnerable

xz versions 5.6.0 (released February 24) and 5.6.1 (released March 9) are affected. Affected packages are present in Fedora 41 and Fedora Rawhide[2], Arch Linux, Kali Linux, openSUSE Tumbleweed and MicroOS, and the Debian testing, unstable, and experimental branches[3].

No versions of Red Hat Enterprise Linux (RHEL) are affected[2].

Recommendations

xz Utils 5.6.x is no longer considered trustworthy. As a precaution, we recommend downgrading any affected packages and systems to xz Utils 5.4.6.
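As an added check (example code, not part of this advisory), the POSIX shell script below parses the output of `xz --version` and flags the two affected releases named above; the version strings used in its test are constructed samples, and the sed pattern is an assumption about the usual output format "xz (XZ Utils) X.Y.Z" / "liblzma X.Y.Z".

```shell
#!/bin/sh
# Added example: flag an installed xz/liblzma whose version string is one of
# the two affected releases (5.6.0, 5.6.1). Not code from the advisory.

# Return 0 (true) when the given version string is an affected release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the trailing version number from every line of `xz --version`
# output, e.g. "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1" -> two lines "5.6.1".
# Assumes the usual output layout; lines without a trailing version are skipped.
xz_versions_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]\([0-9][0-9.]*\)$/\1/p'
}

# Given `xz --version` output, report each affected version found.
# Returns 0 if any affected release was seen, 1 otherwise.
check_xz_output() {
    found=1
    for ver in $(xz_versions_from_output "$1"); do
        if xz_version_affected "$ver"; then
            echo "affected release $ver found (CVE-2024-3094); downgrade to 5.4.6"
            found=0
        fi
    done
    [ "$found" -eq 0 ] || echo "no affected xz/liblzma release found"
    return "$found"
}

# Run against the live system when xz is installed (exit status ignored here
# so the script is safe to source or run under set -e).
if command -v xz >/dev/null 2>&1; then
    check_xz_output "$(xz --version 2>/dev/null)" || true
fi
```

A match only tells you that an affected release is installed; whether the remote-access path is actually reachable depends on the sshd exposure described above.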

References

  1. https://nvd.nist.gov/vuln/detail/CVE-2024-3094

  2. https://access.redhat.com/security/cve/CVE-2024-3094

  3. https://www.theregister.com/2024/03/29/malicious_backdoor_xz/

  4. https://github.com/orgs/Homebrew/discussions/5243

  5. https://www.openwall.com/lists/oss-security/2024/03/29/4

  6. https://boehs.org/node/everything-i-know-about-the-xz-backdoor