XZ Backdoor: A Stealthy Attack on Linux Systems (CVE-2024-3094)
On March 29, 2024, a backdoor was publicly disclosed in XZ Utils, the compression library (liblzma) and command-line tools that nearly every Linux distribution ships. Tracked as CVE-2024-3094, it is not an accidental bug but deliberately inserted code that, on affected systems, lets an attacker who holds a specific private key run commands through the OpenSSH daemon (sshd) without authenticating.
The backdoor was found by Andres Freund, a PostgreSQL developer employed by Microsoft, who noticed that sshd logins on a Debian sid test system were slower and burning more CPU than they should, and traced the extra work into liblzma. The malicious material was hidden in two seemingly innocuous binary test files, bad-3-corrupt_lzma2.xz and good-large_compressed.lzma, added to the XZ repository in February 2024 by the co-maintainer account "Jia Tan", which had been contributing to the project for about two years. The code that turns those files into a working backdoor was not in the git repository at all: it was slipped into the build scripts shipped only in the 5.6.0 and 5.6.1 release tarballs.
The test files do nothing on their own; fed to a clean xz, one fails as corrupt and the other decompresses to junk. The trigger is in the build. A modified m4/build-to-host.m4 in the tarballs runs bad-3-corrupt_lzma2.xz through a tr byte substitution (swapping tab with space and hyphen with underscore), after which the file, which looks corrupt as shipped, decompresses into a shell script. That script extracts an obfuscated object file from good-large_compressed.lzma and links it into liblzma, but only when building on x86-64 Linux with gcc and GNU ld as part of a Debian or RPM package build.
The resulting liblzma is what reaches sshd. Many distributions patch OpenSSH to notify systemd at startup, which pulls in libsystemd and, through it, liblzma. During dynamic loading the backdoor uses a glibc IFUNC resolver to run its setup code and redirects sshd's RSA_public_decrypt to its own implementation. When a connecting client presents an RSA certificate whose modulus carries a command signed with the attacker's Ed448 key, the hook runs that command via system() with sshd's root privileges, before authentication ever completes. Without that key the hook is inert, so the backdoor is not usable by just anyone who finds it.
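To make the extraction step concrete, here is an added example (not code from the XZ project or from the backdoor itself) that hides a payload inside an .xz file which fails to decompress as shipped, using the same tab/space and hyphen/underscore substitution the malicious build script applied with tr before piping into xz -d. The payload, the hide/reveal names and the pseudo-random filler are constructed for illustration:

```python
# Added example (not code from the XZ project or from the backdoor): hiding a
# payload in an .xz file that fails an integrity check.  The malicious m4
# script in the 5.6.0/5.6.1 tarballs ran its test file through
#   tr "\t \-_" " \t_\-"
# before `xz -d`; the file in the repository was a valid .xz stream with
# those four byte values swapped, so it did not decompress as shipped.
# The payload, file contents and function names here are constructed.
import hashlib
import lzma

# tab <-> space and '-' <-> '_' (what the tr invocation above does).  The
# mapping is its own inverse, so one table both hides and reveals.
SWAP = bytes.maketrans(b"\t -_", b" \t_-")


def hide(payload: bytes) -> bytes:
    """Compress as .xz, then swap the four byte values so the result no
    longer decompresses: a 'corrupt' test vector that carries the payload."""
    return lzma.compress(payload, format=lzma.FORMAT_XZ).translate(SWAP)


def reveal(blob: bytes) -> bytes:
    """The extractor side: undo the swap, then decompress."""
    return lzma.decompress(blob.translate(SWAP), format=lzma.FORMAT_XZ)


def is_valid_xz(blob: bytes) -> bool:
    """What `xz -t` answers: does the blob decompress with a matching check?"""
    try:
        lzma.decompress(blob, format=lzma.FORMAT_XZ)
    except lzma.LZMAError:
        return False
    return True


def constructed_payload() -> bytes:
    """Stand-in for the hidden stage: a short script followed by 4 KiB of
    pseudo-random bytes (the real second test file carried an obfuscated
    object file).  High-entropy data guarantees the compressed stream contains
    some of the four swapped byte values, so hide() really does corrupt it."""
    script = b"#!/bin/sh\n# constructed stand-in for the extracted stage\n"
    digest, chunks = b"constructed seed", []
    for _ in range(128):  # 128 * 32 bytes = 4 KiB
        digest = hashlib.sha256(digest).digest()
        chunks.append(digest)
    return script + b"".join(chunks)


if __name__ == "__main__":
    payload = constructed_payload()
    blob = hide(payload)
    print("decompresses as shipped:", is_valid_xz(blob))                  # False
    print("decompresses after swap:", is_valid_xz(blob.translate(SWAP)))  # True
    print("payload recovered:", reveal(blob) == payload)                  # True
```

The lesson for reviewers is that a test vector rejected by xz -t is not thereby harmless: a file that fails decompression can still be a container, and the thing to audit is whatever in the build reads it.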
The vulnerability affects XZ Utils 5.6.0 (released February 24, 2024) and 5.6.1 (released March 9, 2024); earlier releases do not contain the backdoor. Because the payload is only built into liblzma under the conditions above, a system is exposed in practice only if it installed a package built from one of these tarballs and its sshd links liblzma.
Here are some of the things that system administrators can do to protect their systems from this vulnerability:
- Move to a version without the backdoor. The immediate fix was to downgrade to 5.4.6 or to install the patched package from your distribution; most distributions reverted to a 5.4.x build or stripped the malicious code. The 5.6.2 release, published in late May 2024 after the project had removed the backdoor, is also free of it.
- Check your systems. Confirm which xz version is installed, whether sshd links liblzma at all, and whether that library contains the known backdoor signature; the detection script Freund published with his report and several vendor scanners do exactly this.
- Treat exposed hosts as compromised rather than merely patched. The backdoor bypasses authentication for anyone holding the attacker's key, so changing SSH passwords does not close it. If a host ran a backdoored liblzma inside an internet-reachable sshd, rotate its SSH host keys, user keys and any other credentials stored on it, and review the system for unexpected activity.
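A triage script covering the checks above, added here as an example and not an official XZ Utils or distribution tool: it reports the installed xz version, whether sshd links liblzma, and whether that liblzma contains the function signature the detection script published with the disclosure greps for. The sshd path candidates, the triage function name and the sample ldd output used in its comments are assumptions.

```python
"""Added example, not an official XZ Utils or distribution tool: host triage
for CVE-2024-3094.  Run it on the host you want to check (as root, so it can
read the same liblzma sshd loads)."""
import os
import re
import shutil
import subprocess
from typing import Optional

AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}

# First bytes of the backdoor's hooked function in the tampered liblzma; the
# detection script attached to the original oss-security report searches
# liblzma for exactly this sequence.
BACKDOOR_SIG = bytes.fromhex(
    "f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"
)

# Assumed locations of the OpenSSH daemon when it is not on PATH.
SSHD_CANDIDATES = ("/usr/sbin/sshd", "/usr/local/sbin/sshd")


def parse_xz_version(text: str) -> Optional[str]:
    """Pull the version out of `xz --version` output ("xz (XZ Utils) 5.6.1")."""
    m = re.search(r"\b(\d+\.\d+\.\d+)\b", text)
    return m.group(1) if m else None


def version_is_affected(version: Optional[str]) -> bool:
    return version in AFFECTED_VERSIONS


def liblzma_from_ldd(ldd_output: str) -> Optional[str]:
    """Path of liblzma in `ldd sshd` output (a line such as
    "liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x...)"), or None
    when sshd does not link it, in which case the library cannot reach the
    sshd process whatever its version."""
    for line in ldd_output.splitlines():
        if "liblzma" in line:
            m = re.search(r"=>\s*(/\S+)", line)
            if m:
                return m.group(1)
    return None


def has_backdoor_signature(data: bytes) -> bool:
    return BACKDOOR_SIG in data


def run(cmd) -> str:
    """stdout of a command, or an empty string if it cannot be run."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def triage() -> dict:
    """Collect the three facts an administrator needs, as a dict."""
    xz = shutil.which("xz")
    version = parse_xz_version(run([xz, "--version"])) if xz else None

    sshd = shutil.which("sshd") or next(
        (p for p in SSHD_CANDIDATES if os.path.exists(p)), None)
    liblzma = None
    if sshd and shutil.which("ldd"):
        liblzma = liblzma_from_ldd(run(["ldd", sshd]))

    signature = False
    if liblzma and os.path.isfile(liblzma):
        with open(liblzma, "rb") as f:
            signature = has_backdoor_signature(f.read())

    return {
        "xz_version": version,
        "version_affected": version_is_affected(version),
        "sshd_liblzma": liblzma,      # None: liblzma is not loaded into sshd
        "signature_found": signature,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

A version match alone is a reason to reinstall; a signature hit in the liblzma that sshd actually loads is the finding that should trigger the credential rotation and review described above.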