Backdoor in xz/liblzma (CVE-2024-3094)

On March 29th, Andres Freund, a Postgres developer, working at Microsoft, identified a response time while authenticating to openSSH on a Debian Sid installation that was about 500 ms longer as usual. He investigated the behaviour and concluded that liblzma, part of the xz library, was compromised by a complex backdoor injected into distribution packages during build. The versions 5.6.0 and 5.6.1 of the library are impacted. Further investigations led to the discovery of an elaborated supply chain attack scenario. The maintainers team seems to have been infiltrated over a long period of time (several years) by malevolent actors.

The story of this backdoor deserves a deep analysis which is out of topic here, but it raises a lot of questions for open-source communities and all the IT sector.

What systems are impacted?

Since the vulnerability has been detected in a relatively short time, no major distribution has already integrated those versions of the XZ library.

Only the distributions with a very fast pace of software integration (Rolling releases, testing, so-called “unstable”) had integrated the corrupted version at detection time.

As an OVHcloud customers, what are the risks?

No Linux image provided by OVHcloud to customers for automated installation are impacted. So no customer should be vulnerable to this backdoor using images provided by OVHcloud.

In some corner cases, the backdoor might have been installed on your system:

  • If you installed a vulnerable distribution yourself, in the timespan where the compromission was not yet discovered, outside of the OVHcloud automated installation process (for instance, Linux distribution in “rolling release” mode)
  • If you activated edge repositories on your system (for instance, “experimental”, “unstable” or “testing” for Debian, “edge” for Alpine, “update-proposed” for Ubuntu)
  • If you installed a software that is  packaging the vulnerable version of the library
  • If you use an alternative package manager (for instance Homebrew)

The backdoor is quite complex, so even in such case, you might have deployed the corrupted version of the XZ library, without your system being actually vulnerable. Refer to your distribution/software security advisory page to get more information.

How can I check if I use a backdoored version of the library?

Check your active version of XZ library:

debian@lab:~$ strings `which xz` | grep "(XZ Utils)"
xz (XZ Utils) 5.2.5

Note: The command “xz -V” would provide a similar output. However, It is not a good practice to execute a binary that might be compromised.

Ensure the active version of XZ library is not part of the known vulnerable ones (5.6.0 and 5.6.1). If you have a compromised version of XZ, follow the security recommendations from your distribution. In some cases, a patch has been released to correct the vulnerability, in other cases, backporting to an older version of the library is recommended.

In any case apply the following recommendations:

  • Reduce the exposure of administration interfaces of your server, filter at network level what source IP is allowed to connect to SSH.
  • Perform regular backup of your data and system configurations, and regularly test your ability to rebuild your service from backups

External references:

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

https://lists.debian.org/debian-security-announce/2024/msg00057.html

https://news.opensuse.org/2024/03/29/xz-backdoor/

https://access.redhat.com/security/cve/CVE-2024-3094#cve-cvss-v3

https://archlinux.org/news/the-xz-package-has-been-backdoored/

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

https://gynvael.coldwind.pl/?lang=en&id=782

https://www.wiz.io/blog/cve-2024-3094-critical-rce-vulnerability-found-in-xz-utils

https://research.swtch.com/xz-timeline

CISO OVHcloud | + posts