XZ Utils backdoor
Patched software backdoor
From Wikipedia, the free encyclopedia
On 29 March 2024, a malicious backdoor was discovered in the compression software XZ Utils. The backdoor gives an attacker who possesses a specific Ed448 private key[4] the ability to remotely execute code on an affected system through OpenSSH, a set of networking utilities.[5] The backdoor was discovered by software developer Andres Freund, who announced his findings.[6]
Previous XZ logo contributed by Jia Tan | |
| CVE identifier | CVE-2024-3094 |
|---|---|
| Date discovered | On or before 27 March 2024[1][2] |
| Date of public disclosure | 29 March 2024 |
| Date patched | 29 March 2024[a][3] |
| Discoverer | Andres Freund |
| Affected software | xz / liblzma library |
| Website | tukaani |
It was later discovered that the exploit was deliberately included into the software in February 2024 by a user going by the name of "Jia Tan", affecting both version 5.6.0 and 5.6.1 of the software.[7] The issue was given the CVE exploit number CVE-2024-3094 and was assigned a CVSS score of 10.0, the highest possible score, indicating that the exploit was extremely severe.[8]
While the software provided by XZ Utils is commonly present in most Linux distributions, at the time of discovery the affected versions had not yet been widely deployed to production systems, but was present in development versions of major distributions.[9] A patch for this backdoor was released on 29 May 2024, with version number 5.6.2.[10]
Background
Microsoft employee and developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid, a Linux distribution.[11] Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage as well as causing errors in Valgrind, a memory debugging tool.[12] He reported his finding to Openwall Project's open source security mailing list,[13] which brought it to the attention of various software vendors.[12] The attacker made efforts to obfuscate the code,[14] as the backdoor consists of multiple stages that act together.[5] Once the compromised version is incorporated into the operating system, it alters the behavior of OpenSSH's SSH server daemon by abusing systemd,[b] allowing the attacker to gain administrator access.[5][12] According to an analysis by Red Hat, the backdoor can allow a malicious actor to gain full access to a system remotely.[15]
A subsequent investigation found that the campaign to insert the backdoor into the XZ Utils project was a culmination of over two years of effort, starting in 2021, by a user going by the name "Jia Tan" to gain access to a position of trust within the project via sock puppetry.[16] This allowed them to introduce the exploit into versions 5.6.0 and 5.6.1.[17] Some of the suspected sock puppets include accounts with usernames like "Jigar Kumar", "krygorin4545", and "misoeater91". It is suspected that the names are pseudonyms chosen by the participants of the campaign. Neither have any sort of visible public presence in software development beyond the short few years of the campaign.[18][19][20]
The backdoor was notable for its level of sophistication and for the fact that the perpetrator practiced a high level of operational security for a long period of time while working to attain a position of trust. American security researcher Dave Aitel has suggested that it fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian Foreign Intelligence Service (SVR).[4] Journalist Thomas Claburn suggested that it could be any state actor or a non-state actor with considerable resources.[21]
Mechanism
The malicious code is known to be in 5.6.0 and 5.6.1 releases of the XZ Utils software package. The exploit remains dormant unless a specific third-party patch of OpenSSH is used. The malicious mechanism consists of two compressed files that contain the malicious binary code. These files are available in the Git repository containing the source code, but remain dormant unless extracted and injected into the program.[22] The code then replaces an existing code function in OpenSSH with a malicious version. OpenSSH normally does not load liblzma, a code library related to XZ Utils, but a common third-party patch used by several Linux distributions causes it to load the library libsystemd, which in turn loads liblzma.[22] A modified version of build-to-host.m4 (an m4 macro file) was included in the release uploaded on GitHub, which extracts a script that performs the actual injection into liblzma. This modified file was not present in the git repository; it was only available from tar files released by the maintainer separate from git.[22] The script appears to perform the injection only when the system is being built on an x86-64 Linux system that uses glibc and GCC and is being built via dpkg or rpm.[22]
Response
Remediation
The US federal Cybersecurity and Infrastructure Security Agency issued a security advisory recommending that the affected devices should roll back to a previous uncompromised version.[23] Linux software vendors, including Red Hat, SUSE, and Debian, reverted the affected packages to older versions.[15][24][25] GitHub temporarily disabled the mirrors for the project's repository. GitLab determined their default systems did not use the compromised versions.[26]
Canonical postponed the beta release of Ubuntu 24.04 LTS and its flavours by a week and opted for a complete binary rebuild of all the distribution's packages.[27] Although the stable version of Ubuntu was not affected, upstream versions were. This precautionary measure was taken because Canonical could not guarantee by the original release deadline that the discovered backdoor did not affect additional packages during compilation.[28]
After regaining access to GitHub and removing all forwarding to "Jia Tan", version 5.6.2 was released on 29 May 2024, which patches the backdoor.[10] A write-up was also published by Lasse Collin, the maintainer of the project,[12] which details the changes in code over time that allowed the exploit to be added to the software.[29]
In August 2025, Binarly researchers found several Debian Docker images on Docker Hub that still have the XZ Utils backdoor.[30][31][32] The Debian development team declined to remove the affected images, stating that they were left as historical artifacts, as they are development builds that should not be used on real systems in place of newer, clean container versions.[31][30]
Broader response
Following the incident, the Open Source Security Foundation and OpenJS Foundation issued a joint warning that the XZ Utils backdoor "may not be an isolated incident", reporting that similar social engineering attempts had targeted JavaScript projects hosted by OpenJS.[33] The foundations warned maintainers to watch for "friendly yet aggressive and persistent pursuit" by unknown community members seeking maintainer status.[34]
Computer scientist Alex Stamos opined that "this could have been the most widespread and effective backdoor ever planted in any software product", noting that had the backdoor remained undetected, it would have "given its creators a master key to any of the hundreds of millions of computers around the world that run SSH".[35] In addition, the incident also started a discussion regarding the viability of having critical pieces of cyberinfrastructure depend on unpaid volunteers.[17]
Notes
- The vulnerability was effectively patched within hours of disclosure by reverting to a previous version known to be safe.
- systemd is an init system, meaning it is responsible for starting a Linux device and some administrative tasks.
