Security Alert: liblzma/xz versions 5.6.0 and 5.6.1 [CVE-2024-3094]
While catching up on the news, I stumbled upon the security alert CVE-2024-3094, a vulnerability that seems to endanger the sshd service through a backdoor under certain conditions.
It's still very fresh news, and the full extent of how this issue can impact systems is unknown until security experts provide us with more information.
I'll give you a summary of the news, what you need to check, how it happened, and leave you with some links for further reading.
TL;DR: security flaw in xz
XZ is a data compression format that is present in almost all Linux distributions, and even on macOS if you use Homebrew or another package manager.
A backdoor has been found that primarily affects versions 5.6.0 and 5.6.1, though its full scope is not yet known, and we'll have to stay alert. It seems to create a backdoor in the sshd service.
You should check if any of your systems use these versions, both on your computer and on your servers. In my case, I've avoided running the xz command and instead ran strings $(which xz) | grep "XZ Utils".
From what I've gathered, it seems to only activate under certain circumstances (amd64, glibc, sshd/systemd) and affects the sshd service, which appears to allow access via a payload.
I must stress that it's still early days, and we don't know the real impact until security experts analyze it, so we need to stay vigilant. Fortunately, it seems that this update hasn't reached many distributions, but some that did have already reverted it.
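The version check mentioned above, as an added example that is not part of the original post: a shell script that reads the embedded version banner from a binary with grep instead of executing it, and flags 5.6.0 and 5.6.1. The function names, the script name check-xz.sh and the assumed banner form "xz (XZ Utils) X.Y.Z" are assumptions of this example.

```shell
#!/bin/sh
# Added example: identify the XZ Utils release of a binary without running it.

# Print the version embedded in a file (e.g. "5.6.1"), or nothing if none found.
# Assumption: the banner looks like "xz (XZ Utils) 5.6.1", the same text the
# article's grep "XZ Utils" check matches.
embedded_xz_version() {
    LC_ALL=C grep -a -o -E 'XZ Utils\)? [0-9]+\.[0-9]+\.[0-9]+' "$1" 2>/dev/null |
        head -n 1 | sed -E 's/^XZ Utils\)? //'
}

# Classify a version string against the releases named in CVE-2024-3094.
classify_xz_version() {
    case "$1" in
        5.6.0|5.6.1) echo "AFFECTED" ;;
        "")          echo "UNKNOWN" ;;      # no banner found in the file
        *)           echo "not-listed" ;;   # not one of the two named releases
    esac
}

# Report on one file as "status<TAB>version<TAB>path".
# Returns 1 if the file carries an affected release, 0 otherwise.
check_xz_file() {
    ver=$(embedded_xz_version "$1")
    status=$(classify_xz_version "$ver")
    printf '%s\t%s\t%s\n' "$status" "${ver:-?}" "$1"
    [ "$status" != "AFFECTED" ]
}

# Usage (script name is hypothetical): sh check-xz.sh "$(command -v xz)"
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        check_xz_file "$f" || rc=1
    done
    exit "$rc"
fi
```

The exit status is 1 when any checked file is an affected release, so the script can be run across a fleet from a configuration-management tool and filtered on the result.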
How it emerged
A Microsoft developer, while testing PostgreSQL, noticed that the ssh command occasionally gave errors on Debian and consumed more CPU than it should. This led him to run a profiler, which pointed to something suspicious in the liblzma package, which is part of the xz utility. You can see the email thread here.
It appears that someone, through social engineering, managed to become a contributor to this project, and over several years gradually introduced changes leading up to this point. You can read the whole story about how this happened, very well told and compiled in this article.
Links of interest
I'm adding these two other links where you can read more detailed information about the problem: