
Popular Compression Tool XZ Utils Backdoor – CVE-2024-3094 (CVSS: 10)


Introduction

A vulnerability was discovered in the compression tool XZ Utils (xz) that exposes an SSH backdoor. XZ Utils is installed on most Unix-like operating systems.

CVE-2024-3094 (CVSS v3.1: 10 [Critical]) was announced today by Microsoft software engineer Andres Freund, who said:

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored.

Versions 5.6.0 and 5.6.1 of xz are affected by this vulnerability.

This is a relatively sophisticated supply chain attack. Ars Technica has reported that the developer who created the backdoor in XZ Utils had contacted many Linux distribution maintainers, asking them to include the upgraded, affected version in their distribution images.

Affected Products

Debian stated that many Linux distributions have not yet incorporated the latest xz version; however, several other Linux distributions are confirmed to have made the affected xz versions available or to be otherwise affected. The following list is not exhaustive:

Kali Linux

Fedora 41 and Fedora Rawhide

openSUSE

Debian testing, unstable and experimental

xz installed by macOS Homebrew (brew) is also affected.

Recommendations

Many Linux distributions have already published patches or removed the affected versions from repositories. macOS Homebrew has removed 5.6.x.

Readers are advised to check the installed version of xz on all Unix-like systems: Linux systems (including containers and servers), macOS devices and servers, and Windows Subsystem for Linux installations.

Versions 5.6.0 and 5.6.1 should be removed from affected systems and replaced with an unaffected version.
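As an added example (not part of this bulletin), the following POSIX shell helper reads the local `xz --version` output and flags the 5.6.0 and 5.6.1 builds the bulletin lists as affected; the function names are my own, and the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify an installed xz build against the versions named
# in the CVE-2024-3094 bulletin (5.6.0 and 5.6.1).

# Extract "X.Y.Z" from the first line of `xz --version` output read on stdin,
# e.g. the constructed line "xz (XZ Utils) 5.6.1" yields "5.6.1".
# (The second line, "liblzma X.Y.Z", is ignored; both ship together.)
xz_version_from_output() {
    sed -n '1s/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status 0 when the version is one the bulletin lists as backdoored.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the xz binary on this host. Exit status 0 = affected build found,
# 1 = xz missing or not in the affected range. Run on every Linux host,
# container, macOS machine and WSL instance in scope.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 1
    fi
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    if xz_version_affected "$ver"; then
        echo "xz $ver: AFFECTED by CVE-2024-3094 - remove and replace with an unaffected version"
        return 0
    fi
    echo "xz ${ver:-unknown}: not in the affected 5.6.0/5.6.1 range"
    return 1
}
```

A package-manager query (e.g. dpkg, rpm or brew) should be run alongside this, since the bulletin asks for every installed copy to be checked, not only the one first on PATH.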