A malicious backdoor has been discovered in the XZ Utils package, a popular data compression library used in major Linux distributions, affecting XZ Utils versions 5.6.0 and 5.6.1. The vulnerability could allow an attacker to gain unauthorized access to the system, and is being tracked as CVE-2024-3094 with a CVSS score of 10 – the highest possible score.

Because XZ Utils is a dependency in many other packages, including the OpenSSH daemon used for remote access to Linux hosts, this is a particularly concerning finding. Therefore it’s important that organizations immediately downgrade any vulnerable XZ Utils versions and revert to a stable version of any affected Linux distributions. In addition, if you had any systems that were vulnerable, you must treat this as a potential security incident and take action accordingly.

Fortunately, Orca Security’s telemetry shows that very few of our customers’ cloud workloads are impacted, as the known affected platforms are pre-release versions. These versions may be used for early testing but typically wouldn’t be used to run production workloads. Across the billions of customer assets scanned and secured by Orca Security, we saw fewer than 30 alerts. Of these, 16% were for running containers and only 8% were for running virtual machines. The remaining 76% were for container images, which represent a potential risk but not an immediate one, since they are not running.

While the overall scope for impact was low (and, hopefully, largely mitigated now), the publication of sample exploit code on April 1st, 2024 highlights the potential for any accessible machine running affected versions of the XZ Utils library to be compromised. This strengthens our recommendations to closely investigate any asset that is found to be vulnerable.

In this blog, we explain what CVE-2024-3094 is, why it’s critical, which Linux distributions are affected, and how to mitigate it.

Orca shows if you have any vulnerable packages in your cloud environment

What is the package XZ Utils?

XZ Utils is a free, command-line, lossless data compression package that ships with many popular Linux distributions and contains the programs lzma and xz.

How was the vulnerability found?

The reporter of the vulnerability noticed concerning behavior involving liblzma (which is part of the XZ package): SSH logins on some systems took longer than expected and consumed an unusually high amount of CPU, and there were multiple valgrind errors. This led him to the conclusion that the upstream XZ repository and the XZ tarballs had been backdoored.

About CVE-2024-3094

Malicious code was discovered in the upstream tarballs of XZ Utils versions 5.6.0 and 5.6.1.
The malicious code and its execution are highly obfuscated. It is extracted during the build process of liblzma from a disguised test file in the source tree and is used to modify the liblzma code. The modified library allows data passing through any software linked against it to be intercepted and modified.

The malicious injection is only included in the tarball download package: the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository and are injected at build time only if the malicious M4 macro is present; without being merged into the build, the second-stage file is innocuous. In the finder’s demonstration, the backdoor interfered with the OpenSSH daemon. While OpenSSH is not directly linked to the liblzma library, it communicates with systemd in a way that exposes it to the malware, because systemd links to liblzma. Such intervention could result in unauthenticated access to the affected system.

How was the backdoor introduced?

While there’s still much to know, it appears that a GitHub account, JiaT75, was created by an unknown person or organization in 2021. The account, which has now been suspended by GitHub, contributed to several compression-related libraries before focusing on the XZ Libs project. Reporting indicates that, by 2023, the original maintainer of XZ Libs had turned over control of the repo to JiaT75. JiaT75 then took action later in 2023 to reduce security protections on the project and, in early 2024, introduced the changes that compiled the backdoor into the project.

Which Linux distributions are vulnerable to CVE-2024-3094?

Red Hat has advised users to immediately stop any usage of Fedora Rawhide instances until the update that reverts the affected version of XZ has been deployed. Rawhide is the name given to the current development version of Fedora. The incident also affects the current pre-release Fedora Linux 41. Red Hat recommends discontinuing use of these platforms immediately until updates are released.

Linux distribution | Distribution version | Remediation instructions
Fedora | Rawhide | Fedora Rawhide updates
Fedora | 41 | Fedora 41 updates
Fedora | 40 | Fedora 40 updates
Debian | 5.5.1alpha-0.1 | Reverted XZ to use 5.4.5
OpenSUSE | Tumbleweed | OpenSUSE mitigation
Kali Linux | Machines updated between March 26-30, 2024 | Kali Linux mitigation
Alpine | Edge (active development); also, potentially, any released version of Alpine using Edge packages | Alpine Linux mitigation
Arch Linux | Any version with xz 5.6.0-1 or 5.6.1-1 | Arch Linux mitigation
Table: Linux distributions vulnerable to CVE-2024-3094

Fedora Linux 40 could be affected, depending on when the system was last updated; however, Red Hat states that there are currently no indications that the backdoor is present in this version.

Which Linux distributions are NOT affected?

The following Linux distributions are not affected by CVE-2024-3094:

For distributions listed as neither affected nor not affected, look for the presence of affected versions of XZ Utils, check security bulletins & documentation, and contact the distribution’s maintainers if necessary.

How to mitigate CVE-2024-3094

Currently there is no fix for the affected packages. Therefore, it is recommended to revert all the affected packages to use the 5.4.x versions of XZ Utils (5.4.6 Stable is the latest uncompromised version) and to discontinue use of platforms that do not currently have a stable version available.
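As an added example (not from the Orca post or the XZ project), the following POSIX shell script checks whether the locally installed xz is one of the backdoored releases named above, and whether the sshd binary resolves liblzma among its shared libraries, which is the exposure path described earlier; it assumes xz, sshd and ldd are at their usual locations.

```shell
#!/bin/sh
# Added example, not part of the Orca post or the XZ project.
# Checks a Linux host for the CVE-2024-3094 backdoored XZ releases and for the
# sshd -> liblzma exposure path. Assumes xz, sshd and ldd at their usual paths.

# Return 0 (true) if the version string is one of the known backdoored releases.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing on unexpected input.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if ldd resolves liblzma for the sshd binary (directly or through
# libsystemd on distributions that link sshd against it); 2 if sshd is absent.
sshd_loads_liblzma() {
    sshd_path="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
    [ -x "$sshd_path" ] || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Report the host's status; downgrade guidance follows the post's recommendation.
check_host() {
    ver="$(parse_xz_version "$(xz --version 2>/dev/null)")"
    if [ -z "$ver" ]; then
        echo "xz not installed or version not parseable"
        return 0
    fi
    if xz_version_is_backdoored "$ver"; then
        echo "AFFECTED: xz $ver matches CVE-2024-3094; revert to 5.4.x and treat as an incident"
    else
        echo "xz $ver is not one of the backdoored releases (5.6.0, 5.6.1)"
    fi
    if sshd_loads_liblzma; then
        echo "NOTE: sshd resolves liblzma, so the OpenSSH exposure path is present"
    fi
}

check_host
```

Run it on each host (or inside each container image) flagged by your inventory; a version match is the trigger for the incident steps below, and the ldd note tells you whether the SSH exposure path existed on that host.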

If you had a system that was vulnerable to CVE-2024-3094

Any system that had affected packages installed should be treated as a potential security incident and investigated to determine if the backdoor was used. At minimum, we recommend:

  • Check for any sensitive information or sensitive keys on the machine
  • Rotate any credentials found on the machine or related to the machine
  • Review all the assets that are within the blast radius of the affected machine

Orca warns that it has found 9 devices that are affected by CVE-2024-3094

Further resources

Below we have listed further resources that can help with remediation and investigations:

Orca Security can help

To see how Orca can help you discover any affected resources in your cloud environments on AWS, Azure, Google Cloud, Oracle Cloud, and Alibaba Cloud, as well as mitigate and investigate any vulnerabilities, schedule a 1:1 demo with one of our experts.