[Image: previous XZ logo, contributed by Jia Tan]
| CVE identifier | CVE-2024-3094 |
|---|---|
| Date discovered | On or before 27 March 2024[1][2] |
| Date of public disclosure | 29 March 2024 |
| Date patched | 29 March 2024[a][3] |
| Discoverer | Andres Freund |
| Affected software | xz / liblzma library |
| Website | tukaani.org/xz-backdoor/ |
On 29 March 2024, a malicious backdoor was discovered in the compression software XZ Utils. The backdoor gives an attacker who possesses a specific Ed448 private key[4] the ability to remotely execute code on an affected system through OpenSSH, a set of networking utilities.[5] The backdoor was discovered by software developer Andres Freund.[6]
It was later established that the backdoor had been deliberately inserted into the software in February 2024 by a user going by the name "Jia Tan", and that it affected both versions 5.6.0 and 5.6.1.[7] The issue was assigned the CVE identifier CVE-2024-3094 and a CVSS score of 10.0, the highest possible score, indicating critical severity.[8]
While XZ Utils is commonly present in most Linux distributions, at the time of discovery the affected versions had not yet been widely deployed to production systems, but were present in development versions of major distributions, resulting in distribution maintainers rebuilding their packages to mitigate the exploit.[9][10][11] A patch for this backdoor was released on 29 May 2024, with version number 5.6.2.[12] The exploit was noted for its high level of obfuscation,[13] being the result of a campaign lasting years.[14]
Background
Microsoft employee and developer Andres Freund reported the backdoor after investigating a performance regression in a development version of Debian, a Linux distribution.[15] Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage as well as causing errors in Valgrind, a memory debugging tool.[7] He reported his finding to Openwall Project's open source security mailing list,[16] which brought it to the attention of various software vendors.[7] Once the compromised version is incorporated into the operating system, it alters the behavior of OpenSSH's SSH server daemon by abusing systemd,[b] allowing an attacker with a specific Ed448 private key[4] to gain administrator access.[5][7] According to an analysis by Red Hat, the backdoor can allow a malicious actor to gain full access to a system remotely.[17]
The attacker made efforts to obfuscate the code,[13] as the exploit delivery mechanism consists of multiple stages that act together.[5] A subsequent investigation found that the campaign to insert the backdoor into the XZ Utils project was a culmination of over two years of effort, starting in 2021, by a user going by the name "Jia Tan". They used sock puppetry in a pressure campaign against the original maintainer of XZ Utils, eventually being given maintainer permissions on the project. This allowed them to introduce the exploit into version 5.6.0; due to it not being discovered at the time, it also made its way into version 5.6.1.[14] Some of the suspected sock puppets include accounts with usernames like "Jigar Kumar", "krygorin4545", and "misoeater91". It is suspected that the names are pseudonyms chosen by the participants of the campaign. None have any sort of visible public presence in software development beyond the years of the campaign.[18][19]
The backdoor was notable for its level of sophistication and the perpetrator's high level of operational security for a long period of time while working to attain a position of trust. American security researcher Dave Aitel has suggested that it fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian Foreign Intelligence Service (SVR).[4] Journalist Thomas Claburn suggested that it could be any state actor or a non-state actor with considerable resources.[20]
Mechanism
The malicious code is known to be in versions 5.6.0 and 5.6.1 of the XZ Utils software package. The malicious mechanism consists of two compressed files that contain the malicious binary code. These files are present in the Git repository, but remain dormant unless extracted and injected into the program during the build.[21] The injected code then replaces an existing function in OpenSSH with a malicious version. Under normal conditions, OpenSSH does not load code related to XZ Utils, as the programs are unrelated. However, a patch used by several Linux distributions causes OpenSSH to load XZ Utils code indirectly through systemd.[21] A modified version of build-to-host.m4, a script used in the program's build process, was included in the release tarball uploaded to GitHub.[22] The modified script extracts a further script, which in turn injects the code into the program. This modified file was not present in the git repository; it was only available from the tar files released by "Jia Tan" separately from Git.[21] The script appears to perform the injection only when the system is being built on an x86-64 Linux system that uses glibc and GCC and is being built via dpkg or rpm.[21]
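The key supply-chain lesson of the paragraph above is that the release tarball and the git repository differed: build-to-host.m4 existed only in the tarball. The following is an added example, not code from the XZ Utils project or from any of the cited sources, showing the defender-side check that follows from that fact: list the regular files in a release tarball, compare them against what git tracks for the corresponding tag, and report anything that is neither in git nor on an allowlist of files a build system is expected to generate. The tarball, the git file list and the allowlist are all constructed for the example; in practice the git list comes from `git ls-tree -r --name-only <tag>` and the tarball from the project's release download.

```python
import io
import tarfile

# Files an autotools release tarball legitimately ships without them being
# committed to git. Constructed allowlist for this example; a real one is
# derived from the project's own documented release process.
EXPECTED_GENERATED = {"configure", "Makefile.in", "config.h.in", "aclocal.m4"}


def tarball_files(data: bytes) -> set[str]:
    """Regular-file paths in a release tarball, with the top-level directory
    (for example 'xz-5.6.1/') stripped so they line up with git paths."""
    paths = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            top, _, rest = member.name.partition("/")
            paths.add(rest if rest else top)
    return paths


def files_not_in_git(tarball_paths, git_paths, expected_generated=EXPECTED_GENERATED):
    """Files shipped in the tarball that are neither tracked in git nor on the
    allowlist of expected generated files. Every entry returned needs a human
    explanation before the tarball is trusted."""
    extra = set(tarball_paths) - set(git_paths)
    return sorted(p for p in extra if p not in expected_generated)


def build_constructed_tarball(files: dict, topdir: str = "example-1.0") -> bytes:
    """Create an in-memory .tar.gz so the check runs offline. This is a
    constructed stand-in, not a real XZ Utils release archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name=f"{topdir}/{name}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed: what git tracks for the release tag.
    git_tree = ["configure.ac", "src/liblzma/lzma.c", "tests/files/sample.lzma"]
    # Constructed: what the downloaded tarball contains. The extra m4 file is
    # the situation the article describes: present in the tarball, absent in git.
    tarball = build_constructed_tarball({
        "configure.ac": b"AC_INIT([example], [1.0])\n",
        "configure": b"#!/bin/sh\n",
        "src/liblzma/lzma.c": b"/* source */\n",
        "tests/files/sample.lzma": b"\x00",
        "m4/build-to-host.m4": b"# macro shipped only in the tarball\n",
    })
    for path in files_not_in_git(tarball_files(tarball), git_tree):
        print("not in git and not an expected generated file:", path)
```

Presence alone is only a lead, not proof of tampering: autotools tarballs always carry generated files, which is why the allowlist exists and why a flagged file should be diffed against a known-good copy from the generator rather than dismissed or condemned on its name.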
Response
Remediation
The US federal Cybersecurity and Infrastructure Security Agency issued a security advisory recommending that affected systems be rolled back to a previous, uncompromised version.[23] Linux software vendors, including Red Hat, SUSE, and Debian, reverted the affected packages to older versions.[17][10][24] GitHub temporarily disabled the mirrors for the project's repository.[12]
Canonical postponed the beta release of Ubuntu 24.04 LTS and its flavours by a week and opted for a complete binary rebuild of all the distribution's packages.[11] Although the stable version of Ubuntu was not affected, upstream versions were. This precautionary measure was taken because Canonical could not guarantee by the original release deadline that the discovered backdoor did not affect additional packages during compilation.[25]
After regaining access to GitHub and removing all forwarding to "Jia Tan", maintainer Lasse Collin released version 5.6.2 on 29 May 2024, patching the backdoor.[12] Collin also published a writeup detailing the changes in code over time that allowed the exploit to be added to the software.[7][26]
In August 2025, researchers at the security company Binarly found several Debian Docker images on Docker Hub that still contained the backdoored XZ Utils.[27][28][29] The Debian development team declined to remove the affected images, stating that they were left as historical artifacts, as they are development builds that should not be used on real systems in place of newer, clean container versions.[28][27]
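The remediation described in this section (roll back to an unaffected version) and the later Docker Hub finding both reduce to the same inventory question: which hosts or images carry XZ Utils 5.6.0 or 5.6.1? The following is an added example, not code from any of the cited vendors or advisories, that answers it. It parses version strings as they appear in `xz --version` output and in distribution package versions, triages a constructed inventory of hosts and container images, and, on a Linux machine, optionally checks whether the local sshd links liblzma, which is the distribution-patched configuration the Background and Mechanism sections describe. The inventory values and host names are constructed; the `/usr/sbin/sshd` path is an assumption about where the daemon lives.

```python
import os
import re
import shutil
import subprocess

# Versions the article identifies as carrying the backdoor (CVE-2024-3094).
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Return the first X.Y.Z triple found in text, or None.
    Accepts a bare version ('5.6.1'), a distribution package version with a
    suffix ('5.6.1-1') and the first line of `xz --version` output."""
    match = _VERSION_RE.search(text)
    return tuple(int(g) for g in match.groups()) if match else None


def is_affected(text: str) -> bool:
    """True only for the exact versions named as backdoored."""
    return parse_version(text) in AFFECTED_VERSIONS


def triage_inventory(inventory: dict) -> dict:
    """Split a {name: version string} inventory of hosts or container images
    into affected, clean and unparseable buckets (names sorted)."""
    result = {"affected": [], "clean": [], "unknown": []}
    for name, text in sorted(inventory.items()):
        version = parse_version(text)
        if version is None:
            result["unknown"].append(name)
        elif version in AFFECTED_VERSIONS:
            result["affected"].append(name)
        else:
            result["clean"].append(name)
    return result


def local_xz_version():
    """Version reported by the xz binary on this machine, or None if absent."""
    if shutil.which("xz") is None:
        return None
    out = subprocess.run(["xz", "--version"], capture_output=True,
                         text=True, check=False).stdout
    return parse_version(out.splitlines()[0]) if out else None


def sshd_links_liblzma(sshd_path: str = "/usr/sbin/sshd"):
    """True if ldd shows sshd pulling in liblzma, False if it does not, and
    None when ldd or sshd is unavailable. The path is an assumption."""
    if shutil.which("ldd") is None or not os.path.exists(sshd_path):
        return None
    out = subprocess.run(["ldd", sshd_path], capture_output=True,
                         text=True, check=False).stdout
    return any("liblzma" in line for line in out.splitlines())


if __name__ == "__main__":
    # Constructed inventory: version strings as collected from hosts and images.
    inventory = {
        "build-host-1": "xz (XZ Utils) 5.6.1",
        "web-host-1": "5.4.5-0.3",
        "debian-dev-image": "5.6.0-0.2",
        "legacy-image": "version unavailable",
    }
    print(triage_inventory(inventory))
    print("local xz:", local_xz_version())
    print("sshd links liblzma:", sshd_links_liblzma())
```

For container images, the version string is gathered by running the image's own `xz --version` (for example via `docker run --rm IMAGE xz --version`) and feeding the first line to `parse_version`; the triage logic is the same. An `affected` result means the article's remediation applies: replace the package or image with an unaffected version rather than attempting to patch in place.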
Broader response
Following the incident, the Open Source Security Foundation and OpenJS Foundation issued a joint warning that the XZ Utils backdoor "may not be an isolated incident", reporting that similar social engineering attempts had targeted JavaScript projects hosted by OpenJS.[30] The foundations warned maintainers to watch for "friendly yet aggressive and persistent pursuit" by unknown community members seeking maintainer status.[31]
Computer scientist Alex Stamos opined that "this could have been the most widespread and effective backdoor ever planted in any software product", noting that had the backdoor remained undetected, it would have "given its creators a master key to any of the hundreds of millions of computers around the world that run SSH".[32] In addition, the incident also started a discussion regarding the viability of having critical pieces of cyberinfrastructure depend on unpaid volunteers.[14]
Notes
a. The vulnerability was effectively patched within hours of disclosure by reverting to a previous version known to be safe.
b. systemd is an init system, meaning it is responsible for starting a Linux device and some administrative tasks.
References
1. Freire, Rodrigo (30 April 2024). "Understanding Red Hat's response to the XZ security incident". Red Hat. Retrieved 14 August 2025.
2. Oxide and Friends 4/8/2024 -- Discovering the XZ Backdoor with Andres Freund (video). Oxide Computer Company. 14 August 2025 – via YouTube.
3. Collin, Lasse (9 April 2024). "Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094)". GitHub. Retrieved 19 June 2024.
4. Greenberg, Andy (3 April 2024). "The Mystery of 'Jia Tan,' the XZ Backdoor Mastermind". Wired. Archived from the original on 3 April 2024. Retrieved 3 April 2024.
5. Claburn, Thomas (29 March 2024). "Malicious backdoor spotted in Linux compression library xz". The Register. Archived from the original on 1 April 2024. Retrieved 14 August 2025.
6. Corbet, Jonathan. "A backdoor in xz". LWN.net. Archived from the original on 1 April 2024. Retrieved 2 April 2024.
7. Goodin, Dan (1 April 2024). "What we know about the xz Utils backdoor that almost infected the world". Ars Technica. Archived from the original on 1 April 2024. Retrieved 1 April 2024.
8. Gatlan, Sergiu (29 March 2024). "Red Hat warns of backdoor in XZ tools used by most Linux distros". Bleeping Computer. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
9. "CVE-2024-3094". National Vulnerability Database. NIST. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
10. Meissner, Marcus (27 December 2024). "SUSE addresses supply chain attack against xz compression library". SUSE Communities. SUSE. Archived from the original on 29 March 2024. Retrieved 14 August 2025.
11. Zemczak, Łukasz (3 April 2024). "Noble Numbat Beta delayed (xz/liblzma security update)". Ubuntu Community Hub. Archived from the original on 10 April 2024. Retrieved 10 April 2024.
12. Collin, Lasse. "XZ Utils backdoor". Tukaani. Retrieved 16 May 2026.
13. O'Donnell-Welch, Lindsey (29 March 2024). "Red Hat, CISA Warn of XZ Utils Backdoor". Decipher. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
14. Khalid, Amrita (2 April 2024). "How one volunteer stopped a backdoor from exposing Linux systems worldwide". The Verge. Retrieved 14 May 2026.
15. Zorz, Zeljka (29 March 2024). "Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)". Help Net Security. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
16. Freund, Andres (29 March 2024). "oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise". Openwall Project. Archived from the original on 1 April 2024. Retrieved 14 August 2025.
17. "Urgent security alert for Fedora 41 and Fedora Rawhide users". Red Hat. 29 March 2024. Archived from the original on 29 March 2024. Retrieved 14 August 2025.
18. "Timeline summary of the backdoor attack on XZ Utils". gigazine.net. 3 April 2024. Archived from the original on 10 April 2024. Retrieved 14 August 2025.
19. Cox, Russ (1 April 2024). "Timeline of the xz open source attack". research.swtch.com. Retrieved 14 August 2025.
20. Claburn, Thomas. "Malicious xz backdoor reveals fragility of open source". The Register. Archived from the original on 8 April 2024. Retrieved 8 April 2024.
21. James, Sam. "xz-utils backdoor situation (CVE-2024-3094)". GitHub. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
22. "XZ Utils Backdoor — Everything You Need to Know, and What You Can Do". Akamai. 1 April 2024. Archived from the original on 12 April 2026. Retrieved 1 June 2026.
23. "Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094". Cybersecurity and Infrastructure Security Agency. 29 March 2024. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
24. Salvatore, Bonaccorso (29 March 2024). "[SECURITY] [DSA 5649-1] xz-utils security update". debian-security-announce (Mailing list). Archived from the original on 29 March 2024. Retrieved 29 March 2024.
25. Sneddon, Joey (3 April 2024). "Ubuntu 24.04 Beta Delayed Due to Security Issue". OMG! Ubuntu. Archived from the original on 8 April 2024. Retrieved 10 April 2024.
26. Collin, Lasse. "XZ Utils review notes". Tukaani. Retrieved 16 May 2026.
27. Rudra, Sourav (14 August 2025). "Security Researchers Find XZ Utils Backdoored Debian Images on Docker Hub". news.itsfoss.com. Retrieved 14 August 2025.
28. Haruyama, Takahiro (6 August 2025). "Docker Hub Debian image contains CVE-2024-3094 backdoor". GitHub. Retrieved 14 August 2025.
29. "Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images". binarly.io. 12 August 2025. Retrieved 14 August 2025.
30. Arasaratnam, Omkhar; Bender Ginn, Robin (15 April 2024). "Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects". Open Source Security Foundation. Retrieved 1 January 2026.
31. Kovacs, Eduard (15 April 2024). "Researchers stop 'credible takeover attempt' similar to XZ Utils backdoor incident". The Record. Retrieved 1 January 2026.
32. Roose, Kevin (3 April 2024). "Did One Guy Just Stop a Huge Cyberattack?". The New York Times. Archived from the original on 4 April 2024. Retrieved 4 April 2024.
