Backdoor Discovered in xz/liblzma Compression Library
A sophisticated backdoor was uncovered in recent releases of the widely used xz/liblzma compression library (tracked as CVE-2024-3094). It can compromise Linux systems whose OpenSSH server build, through distribution patches, ends up loading liblzma. The malicious code was introduced by a trusted contributor through a subtle compromise of the build system rather than of the readable source tree.

[2024-04-27] Check back for more updates as this situation evolves.
Impacted systems
- Linux systems running an OpenSSH server built against a backdoored xz/liblzma library
- Primarily affects distributions that patch OpenSSH to link against libsystemd, which in turn pulls in liblzma
- Known affected distros: certain Debian (testing/unstable), Fedora (41 and Rawhide) and openSUSE (Tumbleweed) builds; the full impact is still being assessed
- Specific affected versions: xz 5.6.0 and 5.6.1; older versions are also being audited
- macOS systems that installed xz via Homebrew may have one of the affected versions, but the backdoor appears to have specifically targeted Linux on x86-64 and its sshd hook does not apply to macOS; running a Homebrew upgrade will now roll xz back to a safe earlier version
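The two questions above (is the installed xz one of the two backdoored releases, and does this host's sshd actually load liblzma) can be answered from a shell. The script below is an added example written for this page, not tooling from the xz project or any distribution; the `xz --version` and `ldd` sample outputs embedded in it are constructed so the checks can be exercised offline, and the sshd path lookup assumes the usual `/usr/sbin/sshd` location when sshd is not on PATH.

```shell
#!/bin/sh
# Added example (not project code): triage a host for CVE-2024-3094 exposure.
# Two independent signals are checked:
#   1. the xz version is one of the backdoored releases (5.6.0 / 5.6.1)
#   2. sshd has liblzma mapped in (directly or via libsystemd), which is the
#      path the backdoor used to reach the OpenSSH process.

# Return 0 (true) when the version string is a known-backdoored release.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1". Prints nothing if the line does not match.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 (true) when ldd output for sshd shows liblzma being loaded.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample outputs (not captured from a real host) used to
# demonstrate the parsers without touching the live system.
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_OUTPUT='	linux-vdso.so.1 (0x00007ffd2b3f1000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a1c000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a1bfc0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bd00000)'
SAMPLE_LDD_CLEAN='	linux-vdso.so.1 (0x00007ffd2b3f1000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a1b800000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bd00000)'

# Live check of the current host. Prints a verdict per signal and returns
# non-zero when the installed xz is a backdoored release.
check_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if is_backdoored_xz_version "$ver"; then
            printf 'xz %s: AFFECTED (backdoored release)\n' "$ver"
            rc=1
        else
            printf 'xz %s: not a known-backdoored release\n' "${ver:-unknown}"
        fi
    else
        printf 'xz: not found in PATH\n'
    fi

    # Assumption: sshd lives at /usr/sbin/sshd when it is not on PATH.
    sshd_path=$(command -v sshd 2>/dev/null || true)
    [ -n "$sshd_path" ] || { [ -x /usr/sbin/sshd ] && sshd_path=/usr/sbin/sshd; }
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if sshd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            printf '%s: loads liblzma (exposure path present)\n' "$sshd_path"
        else
            printf '%s: does not load liblzma\n' "$sshd_path"
        fi
    else
        printf 'sshd or ldd not available; linkage check skipped\n'
    fi
    return $rc
}

# Run the live check only when asked, so sourcing the file stays side-effect free.
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it as `sh xz-triage.sh --live`. A host is compromised in the sense this page uses only when both signals are present (backdoored xz and an sshd that loads liblzma); a backdoored xz on a host whose sshd does not load liblzma still needs the downgrade, but the sshd hook had nothing to attach to.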
How it happened
- Jia Tan, an xz project maintainer since 2022, made malicious changes disguised as fixes
- The backdoor code was hidden in build system files (the m4/autotools scripts shipped in the release tarballs, not in the git tree) and in binary test data files from which the payload was extracted at build time
- The resulting liblzma hooks RSA public-key verification inside the sshd process, giving an attacker holding the matching private key a pre-authentication path to remote code execution
- It was discovered after the changes measurably slowed sshd logins and raised CPU usage, which prompted a developer to investigate and audit the library
Current state
- Linux distros reverted to pre-compromise xz versions
- Full audit of the xz codebase and of the contributor's other work underway
- OpenSSH servers built with affected libs should be considered compromised
- GitHub suspended Jia Tan's account
- XZ Utils code moved back to tukaani.org
- Lasse Collin has provided a brief update on the situation
Open questions
- Whether older xz versions also contain hidden vulnerabilities
- Whether the contributor compromised other projects they worked on (e.g. libarchive)
- Identity and motivations of the threat actor(s)
- Potential involvement or victimhood of the original xz maintainer, Lasse Collin
References
- https://tukaani.org/xz-backdoor/
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- https://github.com/tukaani-project/xz/commit/6e636819e8f070330d835fce46289a3ff72a7b89
- https://news.ycombinator.com/item?id=39865810
- https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27