04/02/2024 | News release | Distributed by Public on 04/02/2024 06:51
On March 29th, Andres Freund, a Postgres developer, working at Microsoft, identified a response time while authenticating to openSSH on a Debian Sid installation that was about 500 ms longer as usual. He investigated the behaviour and concluded that liblzma, part of the xz library, was compromised by a complex backdoor injected into distribution packages during build. The versions 5.6.0 and 5.6.1 of the library are impacted. Further investigations led to the discovery of an elaborated supply chain attack scenario. The maintainers team seems to have been infiltrated over a long period of time (several years) by malevolent actors.
The story of this backdoor deserves a deep analysis which is out of topic here, but it raises a lot of questions for open-source communities and all the IT sector.
Since the vulnerability has been detected in a relatively short time, no major distribution has already integrated those versions of the XZ library.
Only the distributions with a very fast pace of software integration (Rolling releases, testing, so-called "unstable") had integrated the corrupt version at detection time.
Only the distributions with a very fast pace of software integration (Rolling release, testing) had integrated the corrupted version at detection time.
No Linux image provided by OVHcloud to customers for automated installation are impacted. So no customer should be vulnerable to this backdoor using images provided by OVHcloud.
In some corner cases, the backdoor might have been installed on your system:
The backdoor is quite complex, so even in such case, you might have deployed the corrupted version of the XZ library, without your system being actually vulnerable. Refer to your distribution/software security advisory page to get more information.
Check your active version of XZ library:
debian@lab:~$ strings `which xz` | grep "(XZ Utils)" xz (XZ Utils) 5.2.5
Note: The command "xz -V" would provide a similar output. However, It is not a good practice to execute a binary that might be compromised.
Ensure the active version of XZ library is not part of the known the vulnerable ones (5.6.0 and 5.6.1). If you have a compromised version of XZ, follow the security recommendations from your distribution. In some cases, a patch has been released to correct the vulnerability, in other cases, backporting to an older version of the library is recommended.
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://news.opensuse.org/2024/03/29/xz-backdoor/
https://access.redhat.com/security/cve/CVE-2024-3094#cve-cvss-v3
https://archlinux.org/news/the-xz-package-has-been-backdoored/
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://gynvael.coldwind.pl/?lang=en&id=782
https://www.wiz.io/blog/cve-2024-3094-critical-rce-vulnerability-found-in-xz-utils