Researchers find malicious code in versions of the compression tool XZ Utils that were incorporated into Linux distributions from Red Hat, Debian, and others
Malicious code planted in xz Utils has been circulating for more than a month. — Researchers have found a malicious backdoor …
Ars Technica · Dan Goodin
Related Coverage
- Everything I Know About the Xz Backdoor Evan Boehs
- Urgent security alert for Fedora Linux 40 and Fedora Rawhide users Red Hat
- backdoor in upstream xz/liblzma leading to ssh server compromise oss-security · Andres Freund
- Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 Cybersecurity and Infrastructure Security Agency
- Technologist vs spy: the xz backdoor debate lcamtuf's thing · Lcamtuf
- Debian Bug report logs - #1068024 Debian bug tracking system
- [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise LWN.net
- [SECURITY] [DSA 5649-1] xz-utils security update Debian Mailing Lists
- The xz package has been backdoored Arch Linux · David Runge
- openSUSE addresses supply chain attack against xz compression library openSUSE News · Marcus Meissner
- Malicious SSH backdoor sneaks into xz, Linux world's data compression library The Register · Thomas Claburn
- Red Hat warns of backdoor in XZ tools used by most Linux distros BleepingComputer · Sergiu Gatlan
- Malicious backdoor code embedded in popular Linux tool, CISA and Red Hat warn The Record · Jonathan Greig
- Urgent Alert: Stealthy Backdoor Discovered in XZ Compression Utilities Cyber Kendra · Vivek Gurung
- Security Alert: Potential SSH Backdoor Via Liblzma Hackaday · Jonathan Bennett
- xz-utils Github repository disabled as Linux maintainers assess blast radius of backdoor, earlier commits The Stack · Ed Targett
- Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094) Help Net Security · Zeljka Zorz
- xz-utils backdoor situation Gist
- Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros The Hacker News
- Backdoor in utility commonly used by Linux distros risks SSH compromise SC Media
- Are You Affected by the Backdoor in XZ Utils? Dark Reading
- Red Hat, CISA Warn of XZ Utils Backdoor Decipher · Lindsey O'Donnell-Welch
- Fedora frozen over remote hijack fears The Stack · Shaun Nichols
- Red Hat Exec: Linux Supply Chain Hack Was Caught Quickly CRN · Kyle Alspach
- Red Hat issues urgent alert for Fedora Linux users due to malicious code BetaNews · Brian Fagioli
- CISA, Red Hat Warn About Supply Chain Compromise Affecting Linux Distributions CRN · Kyle Alspach
- Backdoor in upstream xz/liblzma leading to SSH server compromise OSnews · Thom Holwerda
- Damn. That's the vulnerability in the supply chain right there: dependence on unpaid, unsupported, and perhaps outright exploited labor. The author went looking for someone to help and that's when Jia Tan appeared. Rather than any of the companies and/or Linux distros with commercial backing to step up on a library they all depend on so much. … @zyd@emacs.ch
- Another worrying example of how modern software includes way too much crap dependencies (often just to support irrelevant extra features). — In Linux, it is often systemd that is the culprit. — “Openssh does not directly use xz-utils/liblzma. … @julf@social.secret-wg.org
- > Several people, including two Ars readers, reported that the multiple apps included in the HomeBrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. Those apps, one user said, include: aom, cairo, ffmpeg, gcc, glib, harfbuzz, jpeg-xl, leptonica, libarchive … @colinmford@typo.social · Colin M. Ford
- The vulnerability may be present in Fedora 40 but it is not believed to be activated. Fedora 40 users are advised to use caution and update their systems soon when the rolled-back version is available, for more certainty. — Fedora 39 and 38 users are not impacted. (2/3) … @fedora@fosstodon.org
- Details on the #backdoor in #xz for users of #Fedora 40 and 41/rawhide: — https://www.redhat.com/... “PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES [...] — At this time the @fedora Linux 40 builds have not been shown to be compromised. … @knurd42@social.linux.pizza · Thorsten Leemhuis
- ⚠️ Investigation ongoing to determine the full impact of the ‘xz-utils’ 5.6.x compromise on Ubuntu. The compromised version has been removed from ‘noble-proposed’: https://discourse.ubuntu.com/ ... Looks like persona non grata also opened a bug report on #launchpad asking to have the compromised version synced from Debian unstable: https://bugs.launchpad.net/... … @nuccitheboss@mast.hpc.social · Jason Nucciarone
- https://www.redhat.com/... Ok so a recent version of an open source core utility (#xz utils) was backdoored with injected #malware as a long-term project, and managed to sneak into the “development branch” of Fedora at least. — Exec summary: Panic is not necessary on this part, unless you are quite special. … @byakushin@mementomori.social · Sini Ruohomaa
- Yikes - this looks like a pretty serious issue. Especially considering high chance that one of the maintainers of the package might have been behind the backdoor attempt. — I know quite a few #bioinformatics packages also need xz for compilation. Hate that we need to worry about stuff like this more from now on. … @naturepoker@genomic.social
- The supply chain attack on XZ Utils is fascinating. It does not appear to be a hack but rather an inside job. The malicious code has been added by someone who has been co-maintaining the project for the past two years. There is a considerable amount of (presumably) legitimate and non-trivial changes associated with that person. … @WPalant@infosec.exchange
- Regarding the #xz / #liblzma backdoor, quoting the original mail https://seclists.org/... “Debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.” — “it is likely the backdoor can only work on glibc based systems.” … @Haydar@social.tchncs.de
- Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian. — The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. … @dangoodin@infosec.exchange · Dan Goodin
- OK, given that the developer in question who added these malicious “fixes” had been working on the project for years and was one of the primary contributors ... what is the chance that there's a black market for open-source contributors selling their access to important projects like this? … @tsupasat@infosec.exchange
- This xz-utils compromise reminded me that I really should be figuring out how to move my digital keys onto hardware keyrings. — The problem there is trying to balance security, with living in an imperfect world. — (It's more secure to make unremovable keys on hardware devices... but then you can't have backups and you have a single point of failure that can break or be lost) @alienghic@octodon.social · Diane
- For those wondering, this toot is in reference to the supply chain compromise in xz utils. This is #upstream to (and used by) many Linux distros. — Because of some distributions patching openssh to support systemd notification, this could lead to sshd compromise... the backdoor seems to set the stage for total system compromise. … @avoidthehack@infosec.exchange
- Uhhh heads up everyone: — https://lwn.net/... > After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: — > The upstream xz repository and the xz tarballs have been backdoored. … @rysiek@mstdn.social
- Unfortunately, openSUSE Tumbleweed already includes version 5.6.1 of liblzma. Hence, if you are using Tumbleweed, your system might already be affected. — https://www.openwall.com/... #openSUSE #Linux #liblzma #lzma #xz #ssh #infosec — [image] @uncanny_static@chaos.social · Hannah
- 🚨 Critical Alert: Potential Supply Chain Attack — A backdoor was obfuscated and found in the most recent version of XZ Utils 5.6.0 and 5.6.1 … Arwa Alomari
- A breakdown of the xz backdoor timeline with some interesting insights! — https://lnkd.in/... #cybersecurity #infosec #opensource #backdoor #malware #xz Jonah Burgess
- The ‘XZ Backdoor’ - malicious code has been injected into the xz compression utility starting from 5.6.0, 5.6.1 - possibly 𝐬𝐬 … Christian Walter
- Time to downgrade! — XZ/liblzma has been backdoored! And it impacts downstream projects! — As an example: Debian patch OpenSSH … Niel Nielsen
- Software supply chain compromise where a backdoor has been found in the latest XZ Utils data compression tools and libraries. — It's a perfect CVSS 10.0 score! … Matt Shelley
- 🚨 Urgent Alert: RedHat CVE-2024-3094 🚨 — On Fri, 29 Mar 2024, RedHat disclosed a critical security alert (https://lnkd.in … Neatsun Ziv
- Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian. … Adon Metcalfe
- (I am not an information #security expert, my brain just plays one when low on SSRIs) — Anyone who has “bleeding edge” (as in last month or two) … Owain Kenway
- Ouch. 👀 it seems that the upstream xz repository and the xz tarballs have been backdoored. — This is being tracked as CVE-2024-3094. Gianluca Varisco
- CVE-2024-3094 is the new hot one and it's extremely critical; however, impact should be limited as most normal linux distros are unaffected. … James Berthoty
- The upstream xz project has been backdoored by its main contributor. The backdoor was introduced in release 5.6.0 in February, and improved in release 5.6.1 in March. … Filippo Bonazzi
- Sadly, we got a quick “Friday Afternoon” emergency. Luckily, it isn't as bad as it could have been. — xz-utils 5.6 was backdoored [1][2]. … Dr. Johannes Ullrich
- Please note, the xz utils backdoor did not make its way into RHEL, only development versions of Fedora. — Other distros have been affected. … Magnus Glantz
- Supply chain attack strikes again, this time in a common Linux compression tool, xz Utils. This article is worth a read as it highlights the effort that goes into orchestrating these attacks. … Matthew Holland
- Hacker News — Very annoying - the apparent author of the backdoor was in communication … rwmj on Hacker News · rwmj
- Backdoor in upstream xz/liblzma leading to SSH server compromise Hacker News
- Backdoor found in widely used Linux utility breaks encrypted SSH connections Ars OpenForum
Discussion
- Red Hat Warns Fedora Linux 40/41 and Rawhide Users About Critical Security Flaw 9to5Linux · Marius Nestor · on x
- This is one of the best explanations of the xz matter I have seen so far: — https://lcamtuf.substack.com/ ... and it leads in with a quote to remember - — “This dependency existed not because of a deliberate design decision by the developers of OpenSSH … @pitrh@mastodon.social · Peter N. M. Hansteen · on mastodon
- XZ, an archiving utility in broad use across GNU/Linux distributions, has a backdoor in versions 5.6.0 and 5.6.1 that appears to fiddle with SSH auth and possibly offers an attacker RCE. Debian and Redhat have both released advisories. Thankfully RHEL and Debian GNU/Linux stabl… @JulianOliver@mastodon.social · Julian Oliver · on mastodon
- #Gentoo #GLSA regarding the #xz vulnerability affecting #Debian and #RedHat — https://security.gentoo.org/ ... Definitely downgrade xz-utils if you are running ≥ 5.6.0: even though this seems to be systemd-specific, it's not worth taking the risk. — Most users should already… @stuartl@mastodon.longlandclan.id.au · Stuart Longland · on mastodon
- I have a story to tell that is relevant to the xz-utils thing that just happened. I'll probably write this up properly later, but I'm in pre-vacation mode so it may take a while. We have a problem with the way we develop and then distribute FOSS software, and both stories show… @hanno@mastodon.social · on mastodon
- lots of chatter re: xz, libarchive, ssh, and possibly other impacted software. — Ubuntu pushing updates if you were following “proposed”: — https://github.com/... “Now they are syncing 5.6.1+really5.4.5-1 to make sure you get safer 5.4, even if you installed 5.6 the days it … @ak_hepcat@mastodon.akhepcat.com · on mastodon
- XZ SSH backdoor vulnerability: this actually looks pretty bad. either the involved long time dev was thoroughly compromised, or they got bribed or forced into doing this somehow, as they provided comments and arguments for all their (malicious) additions. — https://github.com/.… @anthropy@mastodon.derg.nz · on mastodon
- The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today. @kalilinux · Kali Linux · on x
- if you haven't seen this it's utterly bananas the scale of potential pwnage seems almost unfathomable to me idk how you even start going about fixing the vulnerability that led to this @eigenrobot · on x
- I'm still in shock the xz backdoor happened. But even more surprising is that it got caught because a dev noticed logging in to his machine via ssh was taking 0.8s instead of the usual 0.3s and decided to look into it. And he happened to be familiar with the Valgrind situation @matiasgoldberg · Matías N. Goldberg · on x
- The xz backdoor is, well, setting a fire under the entire Linux ecosystem... but I'm also so impressed with how it was set up: 2-yr maintainership, oss-fuzz, etc. ...and who knows how long it would've stayed undetected if the injected sshd code ran faster (<600ms) Highlights: @kdrag0n · Danny Lin · on x
- “Jia Tan's” commits to xz started 2022-02-06. Perhaps the account was compromised, but this looks like trust building with the maintainers before the backdoor commits. @badsectorlabs · on x
- We're responding to CVE-2024-3094, a reported supply chain compromise affecting XZ Utils versions 5.6.0 and 5.6.1. XZ Utils may be present in Linux distributions. See our additional guidance at https://cisa.gov/.... @cisacyber · on x
- FWIW, building trust in a project and then inserting malicious code after some time is exactly what I'd do if I was going for a supply chain attack. @craighrowland · Craig Rowland · on x
- This “xz” and “liblzma” backdoor story is increasingly looking like a sophisticated effort to target FOSS supply chains, getting this backdoor into Debian and Kali etc. It's also not the only library the backdoor author has added code to, libarchive and others may have issues. @hackerfantastic · on x
- So there's a supply chain compromise in the xz library that is backdooring some Linux SSH installations. Goodbye long weekend... https://www.openwall.com/... @malwarejake · Jake Williams · on x
- The xz package tars were backdoored. Only discovered because the backdoor slowed down sshd enough for Andres Freund to investigate. Consider the case where the backdoor didn't cause perf issues... How long would this have gone undetected? https://www.openwall.com/... @badsectorlabs · on x
- wild stuff re: xz/liblzma backdoor https://news.ycombinator.com/ ... [image] @zer0pwn · Dominik Penner · on x
- nothing to see here, just properly documenting the fixed defects in the backdoor code 😂 [image] @bl4sty · on x
- Upstream xz repository and the xz tarballs have been backdoored. Very serious security risk because xz is used for compression ... very widely. It makes a ssh server backdoored. This is very serious. Happens...? https://www.openwall.com/.... Backdoor execution: https://www.openwa… @lukolejnik · on x
- As far as supply chain backdoors go, this is Prada level of design and style. @dcuthbert · Daniel Cuthbert · on x
- Of course a vulnerability like this drops on Good Friday CISA and Red Hat warned Linux users of CVE-2024-3094 — affecting #XZ Utils https://therecord.media/... @jgreigj · Jon Greig · on x
- This upstream supply chain security attack is the kind of nightmare scenario that has gotten people describing it called hysterical for years. It's real. Sleep well. backdoor in upstream xz/liblzma leading to ssh server compromise https://www.openwall.com/... @iancoldwater · Ian Coldwater · on x
- @zer0pwn It's fucking crazy. This part was my favorite. “I'm not really a security researcher or reverse engineer but here's a complete breakdown of exactly how the behavior changes.” You only get this kind of humility when you're working with absolute wizards on a consistent bas… @vhmth · Vinay Hiremath · on x
- On the .xz backdoor. It is hard to see how the developer Jia Tan is innocent. The backdoor was added in 5.6.0 by his account. He contacted Fedora to push them to move to 5.6.0. There was a problem with valgrind, they worked with him to resolve it. He commits the fix in 5.6.1. @thegrugq · on x
- Interesting note on the #xz backdoor: If you plot Jia Tan's commit history over time, the cluster of offending commits occurs at an unusual time compared to the rest of their activity. If the dev was pwned, it could be a sign that the threat actor contributed in their own timezone [i… @birchb0y · Alden · on x
- you gotta appreciate the way they shipped the backdoored object file. added some “test” data to the source tree that gets unxz'd and (dd) carved in a specific way, that is fed into a deobfuscator written in.. awk script and the result gets unxz'd again [image] @bl4sty · on x
- Happy Supply Chain Attack Friday. @vxunderground · on x
- Andres Freund, the principal software engineer at Microsoft who discovered the xz backdoor really does deserve a big pat on the back. 👏 The outcome could have been much, much worse. @haxrob · on x
- fyi homebrew had the backdoored version of xz utils; updating now will downgrade it https://duo.com/... [image] @bcrypt · Yan · on x
- Chainguard Images are built to reduce the number of components inside, only using what is required to build or run an application. Because of these minimal and intentional design decisions, @chainguard_dev Images do not include SSH or liblzma by default. @kaylintrychon · Kaylin Trychon · on x
- Backdoor found in widely used Linux utility breaks encrypted SSH connections r/technology · on reddit
- Backdoor found in widely used Linux utility breaks encrypted SSH connections r/cybersecurity · on reddit
- openSUSE addresses supply chain attack against xz compression library r/openSUSE · on reddit
- openSUSE addresses supply chain attack against xz compression library r/linux · on reddit
- oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise r/hacking · on reddit
- Arch Linux - News: The xz package has been backdoored r/archlinux · on reddit
- “PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity.” r/linuxsucks · on reddit