@SafeEval
Last active March 30, 2024 19:49
Cleanup backdoored `xz` 5.6.0-5.6.1 (CVE-2024-3094)
#!/bin/bash
# Upgrade an Arch system (run as root). A full sync upgrade pulls in
# xz 5.6.1-2 or later, the first package build without the backdoor.
pacman -Syu
# Re-pull container images: archlinux/archlinux images built between
# 2024-02-24 and 2024-03-28 ship the backdoored package, so the cached
# image must be replaced, not just updated inside a running container.
# Upgrade container images with Docker.
docker image pull archlinux/archlinux
# Upgrade container images with Podman.
podman image pull archlinux/archlinux
#!/bin/bash
# Check for a backdoored xz binary or lzma library. Both 5.6.0 and 5.6.1
# are affected, so match either (the original check only matched 5.6.1).
xz --version | grep -E '5\.6\.[01]'
# Check for backdoored files in the Homebrew download cache. `brew --cache`
# resolves the directory (normally ~/Library/Caches/Homebrew) regardless of
# filesystem case sensitivity.
ls -l "$(brew --cache)" | grep -Ei 'xz|lzma' | grep -E '5\.6\.[01]'
# Clean up the backdoored xz binary: --prune=0 removes cached xz downloads
# regardless of age, then reinstall the current formula (Homebrew rolled the
# bottle back to 5.4.6) and upgrade everything else.
brew cleanup xz --prune=0
brew reinstall xz
brew cleanup
brew upgrade
# Confirm the version now installed is no longer 5.6.0 or 5.6.1.
xz --version

Backdoored xz and liblzma 5.6.0 - 5.6.1 (CVE-2024-3094)

CVSS 10.0 (critical) backdoor in the xz and liblzma 5.6.0 and 5.6.1 release tarballs that hooks SSH server authentication on glibc-based systems where sshd loads liblzma (typically indirectly, through the distribution's libsystemd notification patch for openssh).

Filed as CVE-2024-3094

$ xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1

Primary Sources

Backdoor in upstream xz/liblzma leading to SSH server compromise (openwall.com)

The upstream xz repository and the xz tarballs have been backdoored.

...

Due to the working of the injected code (see below), it is likely the backdoor can only work on glibc based systems. Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux distributions, and where they have, mostly in pre-release versions.

...

openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.

...

Red Hat assigned this issue CVE-2024-3094

CVE-2024-3094 Detail (nvd.nist.gov)

CVSS: 10.0 CRITICAL Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
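The two facts above, that only the 5.6.0 and 5.6.1 tarballs carry the payload and that sshd reaches liblzma only through libsystemd on patched distributions, give a first-pass triage for a Linux host. The script below is an added example, not code from the gist or from the advisory; it assumes a POSIX shell with sed, awk and grep, consults xz, ldd, sshd and pacman only when they exist, and its function and message names are its own. It does not reproduce the advisory's byte-signature check of the injected function, so a clean result here means only that the reported version and the sshd linkage are not the known-bad ones.

```shell
#!/bin/bash
# Added triage helper for CVE-2024-3094 (not part of the gist). Assumes a
# POSIX shell with sed/awk/grep; xz, ldd, sshd and pacman are only consulted
# when present on the host.

# Read `xz --version` output on stdin and print the liblzma version it reports.
liblzma_version() {
    sed -n 's/^liblzma \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# True (exit 0) for the two upstream releases whose tarballs carry the backdoor.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# True for the Arch package releases named in the Arch advisory. Arch's fixed
# 5.6.1-2 still reports "5.6.1" from `xz --version`, so the pkgrel matters.
is_backdoored_arch_pkg() {
    case "$1" in
        5.6.0-1|5.6.1-1) return 0 ;;
        *)               return 1 ;;
    esac
}

# Print the liblzma path sshd loads (directly or through libsystemd) and
# return 0; return 1 when sshd is absent or does not link liblzma at all.
sshd_loads_liblzma() {
    local candidate sshd="" lib
    for candidate in "$(command -v sshd 2>/dev/null)" /usr/sbin/sshd; do
        if [ -n "$candidate" ] && [ -x "$candidate" ]; then
            sshd="$candidate"
            break
        fi
    done
    [ -n "$sshd" ] || return 1
    lib="$(ldd "$sshd" 2>/dev/null | grep -o '/[^ ]*liblzma[^ ]*' | head -n 1)"
    [ -n "$lib" ] || return 1
    printf '%s\n' "$lib"
}

# Run all checks; exit status 1 means a backdoored release is installed.
triage() {
    local ver lib pkg status=0
    if command -v xz >/dev/null 2>&1; then
        ver="$(xz --version | liblzma_version)"
        if is_backdoored_version "${ver:-unknown}"; then
            echo "liblzma $ver: backdoored upstream release, upgrade or downgrade now"
            status=1
        else
            echo "liblzma ${ver:-unknown}: not one of the backdoored releases"
        fi
    else
        echo "xz is not installed"
    fi
    if lib="$(sshd_loads_liblzma)"; then
        echo "sshd loads $lib: the library the backdoor modifies is reachable from sshd"
    else
        echo "sshd is absent or does not load liblzma: not reachable via sshd"
    fi
    if command -v pacman >/dev/null 2>&1; then
        pkg="$(pacman -Q xz 2>/dev/null | awk '{print $2}')"
        if is_backdoored_arch_pkg "$pkg"; then
            echo "Arch package xz $pkg is backdoored: run pacman -Syu"
            status=1
        fi
    fi
    return "$status"
}

triage
```

Run it as a normal user on each host; the sshd linkage check is the one that tells you whether the backdoored code path was actually exposed, since a host whose sshd never loads liblzma still needs the upgrade but was not reachable through SSH authentication.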

Other Sources

Backdoor found in widely used Linux utility breaks encrypted SSH connections (arstechnica)

The malicious versions, researchers said, intentionally interfere with authentication performed by SSH, a commonly used protocol for connecting remotely to systems. SSH provides robust encryption to ensure that only authorized parties connect to a remote system. The backdoor is designed to allow a malicious actor to break the authentication and, from there, gain unauthorized access to the entire system. The backdoor works by injecting code during a key phase of the login process.

https://news.ycombinator.com/item?id=39865810

Several people, including two Ars readers, reported that the multiple apps included in the HomeBrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. HomeBrew has now rolled back the utility to version 5.4.6. Maintainers have more details available here.

https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/

MacOS

https://github.com/orgs/Homebrew/discussions/5243#discussioncomment-8956759

Question: Shouldn't the dangerous 5.6.1 files be wiped? After brew upgrade, there are still remains of the 5.6.1 on my computer in the cache.

...

Thank you. The prune flag removed the dangerous files from cache. Excellent.

Arch Linux

https://archlinux.org/news/the-xz-package-has-been-backdoored/

TL;DR: Upgrade your systems and container images now! The xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1) contain this backdoor. The following release artifacts contain the compromised xz:

  • installation medium 2024.03.01
  • virtual machine images 20240301.218094 and 20240315.221711
  • container images created between and including 2024-02-24 and 2024-03-28