Malicious SSH backdoor sneaks into xz, Linux world’s data compression library

Red Hat on Friday warned that a malicious backdoor found in the widely used data compression software library xz may be present in instances of Fedora Linux 40 and in the Fedora Rawhide developer distribution.

The IT giant said the malicious code, which appears to provide remote backdoor access via OpenSSH and systemd at least, is present in xz 5.6.0 and 5.6.1. The vulnerability has been designated CVE-2024-3094. It is rated 10 out of 10 in CVSS severity.

Users of Fedora Linux 40 may have received 5.6.0, depending upon the timing of their system updates, according to Red Hat. And users of Fedora Rawhide, the current development version of what will become Fedora Linux 41, may have received 5.6.1. Fedora 40 and 41 have not been officially released yet; version 40 is due out next month.

Users of other Linux and OS distributions should check to see which version of the xz suite they have installed. The infected versions, 5.6.0 and 5.6.1, were released on February 24 and March 9, respectively, and may not been incorporated into too many people’s deployments.

This supply-chain compromise may have been caught early enough to prevent widespread exploitation, and it may only mainly affect bleeding-edge distros that picked up the latest xz versions right away.

Debian Unstable and Kali Linux have indicated they are, like Fedora, affected; all users should take action to identify and remove any backdoored builds of xz.

“PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity,” the IBM subsidiary’s advisory shouted from the rooftops today. “Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed.”

Red Hat Enterprise Linux (RHEL) is not affected.

The malicious code in xz versions 5.6.0 and 5.6.1 has been obfuscated, Red Hat says, and is only fully present in the source code tarball. Second-stage artifacts within the Git repo get turned into malicious code through the M4 macro in the repo during the build process. The resulting poisoned xz library is unwittingly used by software, such as the operating system’s systemd, after the library has been distributed and installed. The malware appears to have been engineered to alter the operation of OpenSSH server daemons that employ the library via systemd.

“The resulting malicious build interferes with authentication in sshd via systemd,” Red Hat explains. “SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access.”

This authentication interference has the potential to allow a miscreant to break sshd authentication and remotely gain unauthorized access to an affected system. In summary, the backdoor appears to work like this: Linux machines install the backdoored xz library – specifically, liblzma – and this dependency in turn is ultimately used in some way by the computer’s OpenSSH daemon. At that point, the poisoned xz library is able to meddle with the daemon, and potentially allow an unauthorized miscreant to log in remotely.

As Red Hat put it:

A post to the Openwall security mailing list by Andres Freund, PostgreSQL developer and commiter, explores the vulnerability in greater detail.

AI hallucinates software packages and devs download them


“The backdoor initially intercepts execution by replacing the ifunc resolvers crc32_resolve(), crc64_resolve() with different code, which calls _get_cpuid(), injected into the code (which previously would just be static inline functions). In xz 5.6.1 the backdoor was further obfuscated, removing symbol names,” Freund explains, with the caveat that he’s not a security researcher or reverse engineer.

Freund speculates that the code “seems likely to allow some form of access or other form of remote code execution.”

The account name associated with the offending commits, together with other details like the time those commits were made, has led to speculation that the author of the malicious code is a sophisticated attacker, possibly affiliated with a nation-state agency.

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has already issued an advisory here. ®


This website uses cookies. By continuing to use this site, you accept our use of cookies.