Site icon DebugPoint NEWS

Backdoor Found in xz/liblzma Library, Exposing ssh

The popular xz library is compromised, opens doors to unauthorized SSH access.

A significant security vulnerability has been discovered in the XZ Utils package, which includes the liblzma library and utilities for working with compressed data in the “.xz” format. A backdoor, identified as CVE-2024-3094, has been found in the liblzma library, allowing interception and modification of data processed by applications associated with the liblzma library.

The primary target of the backdoor is the OpenSSH server, which, in some Linux distributions, is bundled with the libsystemd library, which in turn uses liblzma. Linking sshd with a vulnerable library allows attackers to gain access to the SSH server without authentication.

The backdoor was present in the official releases of xz 5.6.0 and 5.6.1, published on February 24 and March 9, and has been found in various distributions and repositories. This incldues Gentoo, Arch Linux, Debian sid/unstable, Fedora Rawhide and 40-beta, openSUSE factory and tumbleweed, LibreELEC, Alpine edge, Solus, CRUX, Cygwin, MSYS2 mingw, HP-UX, Homebrew, KaOS, NixOS unstable, OpenIndiana, Parabola, PCLinuxOS, OpenMandriva cooker and rolling, pkgsrc current, Slackware current, Manjaro, and Void Linux.

xz package in Fedora 39 (likely vulnerable)

Users of the xz 5.6.0 and 5.6.1 releases are advised to urgently rollback to at least version 5.4.6, but preferably to 5.4.1, as the last release published by the previous maintainer.

The backdoor only affects x86_64 systems based on the Linux kernel and the Glibc C library, which bundles sshd with libsystemd to support the sd_notify mechanism.

The backdoor activation code was hidden in m4 macros from the build-to-host.m4 file used by the automake toolkit when building. The backdoor-activating m4 macros were included in the release tarballs, but were not in the Git repository (they were added to .gitignore).

However, the malicious test archives were present in the repository, indicating that the person who implemented the backdoor had access to both the repository and the release generation processes.

The backdoor included protection from detection and did not manifest itself when the environment variables LANG and TERM were set (i.e., when the process was launched in the terminal) and the environment variables LD_DEBUG and LD_PROFILE were not set, but was activated only when the executable file /usr/sbin/sshd was executed. The backdoor also had a means of detecting execution in debug environments.

The attackers managed to gain access to the infrastructure of the xz project, and the introduction of the backdoor was carried out purposefully by one of the active developers of the xz project. The alleged author of the backdoor, Jia Tan, participated in the development of xz, had the status of “co-maintainer” for the last two years, impacting releases starting with xz 5.4.2.

Users are advised to update to the 5.4.1 version of the xz package and to be vigilant for any suspicious activity on their systems. Additionally, it is recommended to monitor system logs and network traffic for any unusual behavior.

As a precautionary measure, GitHub has blocked access to xz-related repositories, including xz, xz-java, and xz-embedded, while the project’s official website,, has also been rendered inaccessible.

More information:

Via Openwall mailing list

Recent articles from

Exit mobile version