TR-82 - backdoor discovered in xz-utils - CVE-2024-3094


On March 29th, 2024, a backdoor (CVE-2024-3094) was discovered in xz-utils by Andres Freund while debugging a performance issue on an sshd daemon. The xz-utils package is commonly used for compressing release tarballs, software packages, kernel images, initramfs images and many other artifacts. xz-utils includes the liblzma library, which is used by various software including sshd; sshd's use of liblzma is one of the known techniques to abuse the backdoor.

Detection

We recommend reviewing the dynamic linking of the sshd daemon (as it is one of the known ways to use the backdoor) to ensure there is no link to liblzma. You can do this with the command ldd "$(command -v sshd)".

liblzma is distributed by xz-utils. If there is a link to liblzma, then check the version of xz-utils that is installed.

The vulnerable backdoored versions are 5.6.0 and 5.6.1. If you have one of these versions installed, please review the logs of your system and initiate an incident response procedure for it.
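The two checks above (does sshd link liblzma, and which xz-utils version is installed) combined into one POSIX shell script. This is an added example, not part of the CIRCL advisory; it assumes ldd and xz are on PATH, that sshd is reachable via command -v, and that xz --version prints the version number as the last field of its first line. The embedded ldd and xz outputs are constructed samples used only to exercise the classification logic offline.

```shell
#!/bin/sh
# Added example (not from the CIRCL advisory): check a host for the
# CVE-2024-3094 exposure conditions described in TR-82.

# Return 0 when the given xz-utils version string is one of the
# backdoored releases named in the advisory.
is_backdoored_xz_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Return 0 when the supplied ldd output lists liblzma.
links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma'
}

# Extract the version number from the first line of "xz --version"
# output, e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1" (assumed format).
xz_version_from_output() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Classify a host from captured ldd output and xz --version output.
# Prints CLEAN, LINKED_SAFE_VERSION or LINKED_BACKDOORED_VERSION.
classify() {
  ldd_out=$1
  xz_out=$2
  if ! links_liblzma "$ldd_out"; then
    echo CLEAN
    return 0
  fi
  ver=$(xz_version_from_output "$xz_out")
  if is_backdoored_xz_version "$ver"; then
    echo LINKED_BACKDOORED_VERSION
  else
    echo LINKED_SAFE_VERSION
  fi
}

# Run the check on the live host. Exits 1 when sshd links liblzma and a
# backdoored version is installed, 2 when sshd or xz cannot be found.
check_host() {
  sshd_path=$(command -v sshd) || { echo "sshd not found on PATH" >&2; return 2; }
  command -v xz >/dev/null 2>&1 || { echo "xz not found on PATH" >&2; return 2; }
  ldd_out=$(ldd "$sshd_path" 2>/dev/null)
  xz_out=$(xz --version 2>/dev/null)
  verdict=$(classify "$ldd_out" "$xz_out")
  echo "$sshd_path: $verdict (xz $(xz_version_from_output "$xz_out"))"
  [ "$verdict" != "LINKED_BACKDOORED_VERSION" ]
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_LDD_LINKED='	linux-vdso.so.1 (0x00007fff00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'
SAMPLE_LDD_CLEAN='	linux-vdso.so.1 (0x00007fff00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'
SAMPLE_XZ_BACKDOORED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_SAFE='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Only touch the live host when explicitly asked: ./xz_check.sh --run
case "${1:-}" in
  --run) check_host ;;
esac
```

Run it with --run on each host; a LINKED_BACKDOORED_VERSION verdict is the condition under which the advisory asks you to review logs and start incident response. A CLEAN verdict only covers the sshd vector named here; the package version check still applies to any other software that loads liblzma.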

Known affected distribution

References

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 30th March 2024