Security for everyone

Urgent Action Needed: Backdoor detected in the xz package used by most Linux distributions

SecurityForEveryone


30/Mar/24

A backdoor was detected in xz, a file compression tool that is widely used in Linux distributions. On affected systems, the SSH authentication mechanism can be exploited through it. In this article we explain the vulnerability and the precautions to take.

What is xz and where is it used and for what purpose?

xz software is a lossless data compression program and file format that uses the LZMA/LZMA2 compression algorithm to achieve high compression rates and fast decompression times. It is widely used in Unix-like operating systems, including Linux distributions and BSD variants, to package software and archive files in order to save disk space and reduce transmission time over networks. Due to its efficiency and compatibility, xz is often the preferred choice for deploying large code bases, documents, and datasets. [1]

What is Liblzma?

Liblzma is a software library that provides the basic algorithms for the LZMA and LZMA2 compression formats, known for their high compression ratios and relatively fast decompression speeds. It is the backbone of the xz utility that allows software developers and system administrators to integrate xz compression and decompression capabilities directly into their applications or scripts. Used primarily in Unix-like operating systems, liblzma is crucial for efficient data archiving, software distribution, and processing of large data sets where space savings are important. [2]

About the Backdoor Vulnerability

On 28 Mar 2024, a person posting under the developer's name asked on an Ubuntu developer site to have the backdoored version 5.6.1 included in production releases, on the grounds that it fixed bugs that caused a tool known as Valgrind to malfunction. [3]

On the same day, Andres Freund announced that he had found a backdoor while investigating an anomaly he had noticed in versions 5.6.0 and 5.6.1 of xz. According to his findings, the release tarballs at https://github.com/tukaani-project/xz/releases/tag/v5.6.0 and https://github.com/tukaani-project/xz/releases/tag/v5.6.1 contain an obfuscated script. [4]

Following this report, security experts began investigating the issue, and statements and announcements followed. The backdoor was assigned the identifier CVE-2024-3094 [5].

Red Hat announced that Red Hat Enterprise Linux (RHEL) versions are not affected by the vulnerability [6]. In a separate statement, Red Hat said that Fedora Linux 40 beta users were affected and asked them to downgrade the xz package to version 5.4.x. [7]

How To Check If You Are Vulnerable And What Precautions To Take

There are many currently supported Linux distributions, and on Linux users can also add repositories of their own. For this reason, we recommend that every Linux user check their device.

Investigations determined that the backdoor makes the SSH authentication mechanism exploitable [8]. For this reason, systems running the vulnerable version must turn off the SSH service until they have downgraded to a safe version.

You can find out whether your Linux-based computer contains the vulnerable version with the following command.

xz -V

If you see “xz (XZ Utils) 5.6.0” or a higher version as this command output, we recommend that you downgrade the xz package. You can do this by using the following commands appropriate to your package manager.

APT:

Find out the xz versions available in the repository (on Debian and Ubuntu the xz command line tool is packaged as xz-utils and the library as liblzma5)

apt list -a xz-utils

Downgrade to a version prior to 5.6.0 from the repository, keeping the library package at the same version as the tool

sudo apt-get install xz-utils=5.4.3 liblzma5=5.4.3

YUM:

List Available Versions

yum list available --showduplicates xz

Go Back to a Specific Version

sudo yum downgrade xz-5.4.3

DNF:

List Available Versions

dnf list --showduplicates xz

Go Back to a Specific Version

sudo dnf downgrade xz-5.4.3
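The check described above can be scripted so that it is repeatable across many hosts. The following POSIX shell script is an added example and is not part of the original article or of the xz project. It parses the output of xz -V, compares the version numerically against the 5.6.0 threshold the article uses (so that a hypothetical 5.10.x is not mistaken for an older release), and additionally checks whether the sshd binary links liblzma at all. That second check follows the openwall post cited as [4], which explains that sshd does not use liblzma directly but picks it up through libsystemd on distributions that patch sshd for systemd notification. The sshd path /usr/sbin/sshd is an assumption and can be overridden with the first argument; the ldd check only tells you whether liblzma is reachable from sshd, not whether the installed copy is backdoored, so the version check remains the deciding one.

```shell
#!/bin/sh
# Added example, not part of the original article or the xz project.
# Decides from `xz -V` output whether the installed XZ Utils falls in the
# range the article says to downgrade (5.6.0 or newer) and reports whether
# sshd links liblzma (directly or via libsystemd, per the cited openwall post).

# Pull "MAJOR.MINOR.PATCH" out of the first line of `xz -V` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the first line
# does not look like the xz banner.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when version $1 is 5.6.0 or newer, 1 otherwise.
# Fields are compared as numbers, so 5.10.0 counts as newer than 5.6.0
# (a plain string comparison would get this wrong). An empty or
# unparseable version is treated as "not in range".
xz_version_needs_downgrade() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    major=${1:-0}
    minor=${2:-0}
    [ "$major" -gt 5 ] && return 0
    [ "$major" -lt 5 ] && return 1
    [ "$minor" -ge 6 ] && return 0
    return 1
}

# Return 0 when the ELF binary at $1 links liblzma (directly or through
# another shared library), 1 otherwise or when ldd is unavailable.
binary_links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Run both checks on this host. Prints a verdict per check and returns 0
# when the installed xz is outside the affected range, 1 when the article's
# downgrade advice applies. $1 optionally overrides the assumed sshd path.
check_host() {
    sshd_path=${1:-/usr/sbin/sshd}   # assumed default location of sshd
    status=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz -V 2>/dev/null)")
        if [ -n "$ver" ] && xz_version_needs_downgrade "$ver"; then
            echo "xz $ver installed: downgrade to a version before 5.6.0"
            status=1
        else
            echo "xz ${ver:-unknown} installed: not in the affected range"
        fi
    else
        echo "xz not found in PATH"
    fi
    if [ -x "$sshd_path" ] && binary_links_liblzma "$sshd_path"; then
        echo "$sshd_path links liblzma: a backdoored liblzma could reach sshd"
    elif [ -x "$sshd_path" ]; then
        echo "$sshd_path does not link liblzma"
    fi
    return "$status"
}

# Usage: sh xz-check.sh [/path/to/sshd]
# The verdict is printed; "|| true" keeps the script from aborting under
# "set -e" when the downgrade advice applies.
check_host "$@" || true
```

Both helper functions are pure, so they can be lifted into an inventory script that feeds them the xz -V banners collected from a fleet rather than running xz locally.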

From the introduction of the vulnerability described above to its detection, the publication of the announcements and the preparation of this article, less than 36 hours passed. As you can see, events in cyberspace move very fast, and those who cannot keep up remain vulnerable and exposed to attack. Become a member of securityforeveryone.com to follow up-to-date information, act quickly on vulnerabilities and stay safe.

References

  1. https://github.com/tukaani-project/xz
  2. https://xz.tukaani.org/xz-utils/liblzma-api/
  3. https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
  4. https://www.openwall.com/lists/oss-security/2024/03/29/4
  5. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
  6. https://access.redhat.com/security/cve/CVE-2024-3094
  7. https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
  8. https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils