Advisory April 3, 2024

XZ Utils Backdoor

The Obrela TI Team

A critical vulnerability, tracked as CVE-2024-3094, has been discovered in the open-source library XZ Utils. The vulnerability originates from malicious code that was pushed into the library by one of its maintainers. It carries a Critical CVSS base score of 10 out of 10.

Description:

According to NIST, CVE-2024-3094 stems from malicious code discovered in the XZ tarball download package. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source code. This object file is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that is loaded by any software linked against it, allowing the backdoor to intercept and alter that software's interactions with the library.

The initial report identified the backdoor as an SSH authentication bypass; however, further investigation revealed that it actually enables remote code execution (RCE). The individual behind this activity began contributing to the XZ project nearly two years ago, gradually gaining trust until being granted maintainer responsibilities. This pattern of behavior resembles that of a state-sponsored threat actor.

According to Red Hat officials, writing in an email, the first indications of the backdoor appeared in an update on February 23, which introduced obfuscated code. The following day's update included a malicious install script that inserted itself into functions used by sshd, the binary that provides the SSH service. The malicious code has only been found in the archived release packages (tarballs) published upstream.

The Git versions available in the repositories remain unaffected: they lack the M4 macro that triggers inclusion of the malicious code during the build process. However, the second-stage artifacts are present in the Git repository, ready for injection at build time if the malicious M4 macro is present. The backdoor was also observed to interfere with the OpenSSH daemon. Although OpenSSH is not directly linked against liblzma, its communication with systemd exposes it to the malware, because systemd links against liblzma.

In some cases, the backdoor has not worked as intended.

The vulnerability can lead to potential data manipulation and security breaches.

Affected Versions:

CVE-2024-3094 impacts versions 5.6.0 and 5.6.1.


Recommendations:

To address this critical vulnerability, it is strongly recommended to downgrade to a previous, non-compromised version of XZ Utils.

There are no known reports of the affected versions being incorporated into production releases of major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions.

This is crucial for mitigating risk, preventing exploitation and ensuring the integrity and security of your network infrastructure.
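A quick host check for the points above, added here as an example and not part of the Obrela advisory or the XZ project: it flags the affected releases 5.6.0 and 5.6.1 from "xz --version" output and reports whether sshd reaches liblzma, directly or through systemd. The function names and the sample output at the end are constructed for this example.

```shell
#!/bin/sh
# Host check for CVE-2024-3094, added to this advisory as an example (not
# Obrela or XZ project code): flags the backdoored releases 5.6.0/5.6.1
# and reports whether sshd reaches liblzma.
# 0 (true) when the version string is one of the affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}
# Parse "xz --version" output: line 1 "xz (XZ Utils) X.Y.Z", line 2 "liblzma X.Y.Z".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}
liblzma_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*$/\1/p'
}
# Does sshd load liblzma? A running daemon is inspected via /proc/<pid>/maps
# (what is actually mapped); otherwise ldd resolves the transitive
# systemd -> liblzma dependency the advisory describes.
sshd_loads_liblzma() {
    for pid in $(pgrep -x sshd 2>/dev/null); do
        grep -q liblzma "/proc/$pid/maps" 2>/dev/null && return 0
    done
    bin=$(command -v sshd 2>/dev/null) || return 2
    ldd "$bin" 2>/dev/null | grep -q liblzma
}
# Runs both checks on this host; returns 1 if an affected release is found.
check_host() {
    out=$(xz --version 2>/dev/null || true)
    tool=$(xz_version_from_output "$out")
    lib=$(liblzma_version_from_output "$out")
    [ "$lib" != "$tool" ] || lib=""     # avoid reporting the same version twice
    status=0
    [ -n "$tool" ] || echo "xz not found on this host"
    for v in $tool $lib; do
        if xz_version_affected "$v"; then
            echo "AFFECTED: xz/liblzma $v is a backdoored release"; status=1
        fi
    done
    if sshd_loads_liblzma; then echo "sshd loads liblzma: exposure path present"
    else echo "sshd does not load liblzma (or sshd not found)"; fi
    return $status
}
# Constructed sample of "xz --version" output, used only to exercise the parsers.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
```

Run check_host on a host to perform both checks; the version functions can also be fed output collected from other machines.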

References: