Skip to content

CVE-2024-3094: XZ Utils Backdoor Threatens Linux Systems

A look at the recently discovered backdoor hiding in the open source XZ Utils compression service

Emerging Issue

A malicious backdoor was recently discovered in a component of the open-source XZ Utils tool, posing a threat to some Linux systems. The vulnerability is currently being tracked as CVE-2024-3094.

Most enterprise environments and applications are safe from CVE-2024-3094. However, systems that update frequently or those in test or development environments may potentially be at risk.

Read ahead to learn more about CVE-2024-3094 including which systems are vulnerable and recommended mitigation actions.

What is CVE-2024-3094, the XZ Utils backdoor?

CVE-2024-3094 is the vulnerability identifier assigned to a malicious backdoor that was discovered in version 5.6.0 and 5.6.1 of XZ Utils, a data compression service that can be found in most Linux distributions. According to CISA, the malicious code could potentially grant unauthorized access to the affected systems.

Microsoft software engineer and PostgreSQL developer Andres Freund located the vulnerability while investigating SSH performance issues in Debian. Freund discovered an intentional backdoor in versions 5.6.0 and 5.6.1, respectively released in February and March.

CVE-2024-3094 currently has a critical severity rating in the National Vulnerability Database, with a CVSS score of 10.0. The vulnerability has been confirmed in several rolling and unstable releases, and the backdoor is known to target Debian or Red Hat-based systems meeting certain criteria, including:

  • Fedora Rawhide
  • OpenSUSE Tumbleweed (rolling releases)
  • Debian 5.51alpha-0.1
  • Kali Linux (updated between March 26-29, 2024)

As Tanium explains in a help article on CVE-2024-3094, these are mostly all alpha/ rolling releases as opposed to stable, production-grade versions. It’s possible that other repositories may be impacted.

In its latest update, Red Hat states that the Fedora 40 Linux builds “have not been shown to be compromised.” However, Fedora Linux 40 beta contains two affected versions of XZ libraries including “xz-libs-5.6.0-1.fc40.x86_64.rpm” and “xz-libs-5.6.0-2.fc40.x86_64.rpm.”

“We believe the malicious code injection did not take effect in these builds,” says Red Hat. “However, Fedora Linux 40 users should still downgrade to a 5.4 build to be safe. An update that reverts xz to 5.4.x has recently been published and is becoming available to Fedora Linux 40 users through the normal update system. Concerned users can force the update by following the instructions,” on their website.

Red Hat also reports that the malicious injection is obfuscated and included in the full download package, with the Git distribution lacking the M4 macro that triggers the build of the malicious code.

“The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present,” Red Hat continues. “The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”

Recommended actions for CVE-2024-3094

CISA recommends users and developers downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6.

Neowin also advises running the “xz –version” command in SSH to verify if a system has vulnerable software.

For companies that are unable to downgrade XZ tools to a non-vulnerable version, Tanium recommends disabling public facing SSH. Businesses should also consider disabling ssh on impacted endpoints, while exercising caution to avoid impacting system functionality.

How Tanium can help mitigate risk for the XZ Utils backdoor

As this vulnerability demonstrates, threat actors are increasingly targeting open-source components to launch complex attacks. Now more than ever, companies require deep visibility into the software supply chain to prevent attacks from impacting operations.

Tanium provides a full suite of tools to proactively detect and mitigate vulnerabilities like CVE-2024-3094.

  • Tanium Guardian is an information feed in the Tanium XEM platform, offering real-time vulnerability alerts and remediation actions — allowing security teams to respond quickly and effectively to threats.
  • Tanium Software Bill of Materials (SBOM) allows Tanium customers to immediately identify vulnerabilities in the software supply chain. SBOM provides real-time visibility into environments, improving endpoint risk management.
  • Tanium Comply automatically identifies vulnerability and compliance exposures across distributed infrastructures, providing data to eliminate security gaps.

To discover similar vulnerabilities to CVE-2024-3094, visit our Emerging Issues Blog.

Tanium Staff

Tanium’s village of experts co-writes as Tanium Staff, sharing their lens on security, IT operations, and other relevant topics across the business and cybersphere.

Tanium Subscription Center

Get Tanium digests straight to your inbox, including the latest thought leadership, industry news and best practices for IT security and operations.

SUBSCRIBE NOW