CVSS 10.0 (critical) backdoor in xz and liblzma 5.6.0-5.6.1 that targets SSH service authentication. Filed as CVE-2024-3094.
$ xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1
Backdoor in upstream xz/liblzma leading to SSH server compromise (openwall.com)
The upstream xz repository and the xz tarballs have been backdoored.
...
Due to the working of the injected code (see below), it is likely the backdoor can only work on glibc based systems. Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux distributions, and where they have, mostly in pre-release versions.
...
openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
...
Red Hat assigned this issue CVE-2024-3094
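The two facts quoted above, that only xz/liblzma 5.6.0 and 5.6.1 carry the backdoor and that sshd is exposed only where it ends up loading liblzma (on Debian-style builds indirectly, through libsystemd), are exactly what an on-host triage script needs to check. The script below is an added example written for this page; it is not from the openwall post, the xz project or any distribution, and it deliberately does not reproduce the byte-signature check for the injected function that the openwall post provides. The `xz --version` and `ldd` outputs it parses as samples are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the page or the xz project): triage a host for the
# backdoored xz/liblzma releases and for whether sshd loads liblzma at all.

# Print the version that follows a program name in `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> 5.6.1, "liblzma 5.6.1" -> 5.6.1.
version_of() {   # $1 = text of `xz --version`, $2 = "xz" or "liblzma"
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $NF; exit }'
}

# True (exit 0) if a version string is one of the backdoored upstream releases.
is_backdoored_release() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Classify `xz --version` output as "affected" or "clean". Both lines are
# checked because the library, not the CLI tool, is what sshd could load.
classify_xz_version_output() {
    xz_ver=$(version_of "$1" xz)
    lib_ver=$(version_of "$1" liblzma)
    if is_backdoored_release "$xz_ver" || is_backdoored_release "$lib_ver"; then
        echo "affected"
    else
        echo "clean"
    fi
}

# Given `ldd /path/to/sshd` output, print the liblzma path sshd resolves, or
# nothing if sshd does not load liblzma (directly or via libsystemd).
liblzma_from_ldd() {
    printf '%s\n' "$1" | awk '$1 ~ /^liblzma\.so/ { print $3; exit }'
}

# --- Constructed samples (illustrative, not real captures) -------------------
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1b5f0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0a1c000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0a1bf00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1bd00000)'

echo "sample xz --version : $(classify_xz_version_output "$SAMPLE_XZ_VERSION")"
echo "sample sshd liblzma : $(liblzma_from_ldd "$SAMPLE_LDD")"

# --- Live check on this host, only if the tools exist ------------------------
if command -v xz >/dev/null 2>&1; then
    echo "host xz --version   : $(classify_xz_version_output "$(xz --version 2>/dev/null)")"
fi
for sshd_bin in /usr/sbin/sshd /usr/bin/sshd /usr/local/sbin/sshd; do
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        path=$(liblzma_from_ldd "$(ldd "$sshd_bin" 2>/dev/null || true)")
        if [ -n "$path" ]; then
            echo "host sshd loads     : $path (check its version above)"
        else
            echo "host sshd loads     : no liblzma (not reachable via sshd)"
        fi
        break
    fi
done
```

A "clean" result from the version lines is not the same as "not backdoored" if the binary was built from a tampered tarball but reports a different version string, and sshd linking liblzma is necessary but not sufficient for exploitation (the openwall excerpt notes the injected code is only expected to work on glibc-based systems). Run `ldd` only on binaries you already trust, since the dynamic loader may execute code from the file it inspects.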
CVE-2024-3094 Detail (nvd.nist.gov)
CVSS: 10.0 CRITICAL
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Backdoor found in widely used Linux utility breaks encrypted SSH connections (arstechnica)
The malicious versions, researchers said, intentionally interfere with authentication performed by SSH, a commonly used protocol for connecting remotely to systems. SSH provides robust encryption to ensure that only authorized parties connect to a remote system. The backdoor is designed to allow a malicious actor to break the authentication and, from there, gain unauthorized access to the entire system. The backdoor works by injecting code during a key phase of the login process.
https://news.ycombinator.com/item?id=39865810
Several people, including two Ars readers, reported that the multiple apps included in the HomeBrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. HomeBrew has now rolled back the utility to version 5.4.6. Maintainers have more details available here.
https://github.com/orgs/Homebrew/discussions/5243#discussioncomment-8956759
Question: Shouldn't the dangerous 5.6.1 files be wiped? After brew upgrade, there are still remains on my computer of the 5.6.1 in the cache....
Thank you. The prune flag removed the dangerous files from cache. Excellent.
https://archlinux.org/news/the-xz-package-has-been-backdoored/
TL;DR: Upgrade your systems and container images now! The xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1) contain this backdoor. The following release artifacts contain the compromised xz:
- installation medium 2024.03.01
- virtual machine images 20240301.218094 and 20240315.221711
- container images created between and including 2024-02-24 and 2024-03-28