Dear Listeners,

A critical security vulnerability [CVE-2024-3094] has been discovered in XZ Utils versions 5.6.0 (released Feb. 24) and 5.6.1 (released March 9). This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorised remote access to the entire system. Andres Freund, a security researcher working as a PostgreSQL developer at Microsoft, discovered the vulnerability and reported it to Openwall on March 29, 2024.

XZ Utils is a FOSS software suite that provides tools for data compression and decompression. It is commonly used because of its high compression ratio and efficiency. It also contains the liblzma library, which developers can integrate into their applications. XZ Utils is widely used across FOSS, especially in many Linux distributions; hence, the vulnerability threatens the entire Linux ecosystem. As a result, Red Hat, Inc. has issued it a CVSS score of 10, the highest possible score for any vulnerability. Specifically, the backdoor:

The open-source community and government agencies are monitoring the issue and will provide advice as investigations continue. So far, it has been confirmed that the testing, unstable, and experimental distributions of Fedora 41, Fedora Rawhide, and Debian contain the vulnerable XZ versions. The affected versions were also included in the Tumbleweed and MicroOS distributions of openSUSE. Users of these Linux systems are advised to check the version of XZ Utils installed and immediately update their systems following the advisory provided on their distribution's website.
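
For readers who want to do that check, here is a small POSIX shell helper. It is an added example, not part of the original advisory or of the XZ Utils project: it parses the first line of `xz --version` (assumed to read `xz (XZ Utils) X.Y.Z`), flags exactly the two releases named above, and also reports whether the local sshd binary is linked against liblzma at all, since sshd authentication is the component the backdoor targets. The sample outputs inside the block are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the XZ project): identify whether the
# installed xz / liblzma is one of the two backdoored releases, 5.6.0 and 5.6.1.
# Assumption: the first line of `xz --version` reads "xz (XZ Utils) X.Y.Z".

# Constructed sample outputs, used for testing the parsing logic offline.
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Exit status 0 (affected) only for the two releases named in the advisory.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the bare version number out of full `xz --version` output.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Classify full `xz --version` output as affected / not-affected / unknown.
classify_xz_output() {
    v=$(parse_xz_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif xz_version_affected "$v"; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Run the check against the xz actually installed on this host, if any.
check_local_xz() {
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null)
        printf 'installed xz %s: %s\n' "$(parse_xz_version "$out")" "$(classify_xz_output "$out")"
    else
        echo "xz not found on PATH"
    fi
}

# Report whether sshd links liblzma; if it does not, this attack path is closed
# on this host regardless of the xz version. Path assumed: /usr/sbin/sshd.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_path" ] && ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

# Usage when run directly:
#   check_local_xz
#   sshd_links_liblzma && echo "sshd links liblzma" || echo "sshd does not link liblzma"
```

Distribution packages may carry a downstream version suffix, so the parser deliberately stops at the first non-version character; if your `xz --version` output differs in shape, adjust the `sed` pattern rather than the version list.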

Several artifacts of a stable release of Arch Linux (NOT used in production systems) are also affected. These mirrors have been removed and users are advised to update to the latest version. In addition, a technical steering committee member for Homebrew confirmed that they downgraded the untrustworthy XZ 5.6x versions. Homebrew is an open-source package manager that installs UNIX tools on macOS systems. Further information about CVE-2024-3094 can be found on the following websites:
  1. National Institute of Standards and Technology’s National Vulnerability Database
  2. The US Cybersecurity and Infrastructure Security Agency
  3. Red Hat
  4. Kali Linux
  5. Openwall
  6. Arch Linux
  7. OpenSUSE
  8. Tenable gives a summary of the affected systems

On a more interesting note, I did some digging and here is what I have so far: Andres is one of the leading contributors to the Postgres community. He was testing a Debian unstable release for possible portability problems with Postgres when he noticed a series of coincidences, including a 500ms latency on many failed sshd processes using wrong usernames. He then discovered the liblzma package was the one draining the CPU. He also recalled seeing an odd complaint a few weeks before in automated testing of Postgres using a Linux tool called Valgrind. Upon further investigation, Andres realised that the XZ repository and the XZ tarballs had been backdoored.

What is concerning is that the compromise was not injected into released Debian packages but was introduced by a community maintainer of the XZ package through the source code uploaded to the GitHub repository. The GitHub commits were performed over several weeks by the account ‘Jia Tan’, whose owner remains unknown. The account was created in 2021 and made its first commit to the XZ repository on 2022/02/06. It made changes to XZ between 2022 and 2024, and the most recent commit was on 2024/03/09.

Alone, these commits may not look suspicious; however, Jia Tan's changes are what caused the Valgrind errors in configurations that did not meet the updated code's expectations. Several conversations emerged in different open-source communities about what could be causing the Valgrind errors and possible solutions. The persona Jia Tan participated in these conversations and claimed that the errors were due to versions of XZ earlier than 5.6x. They then contacted Fedora to push for an update to XZ 5.6x in stable Linux distributions and continued to push for this update in other open-source communities. There are also messages from other anonymous accounts pushing for the original XZ maintainer to add a new maintainer right after Jia Tan started helping with the project.

This high-interest vulnerability will spark conversations about the integrity of Free and Open Source Software, especially for critical libraries like XZ. I am keen to follow the discussion and will compile a timeline of the attack to update interested listeners.

Regards, 

Jacinta Wothaya