Reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1 have caused CISA and the open source community to respond. XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems.
CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA. CISA also suggests following this Red Hat advisory for more information.
Analyst Comment (Jennifer Lyn Walker): According to current reporting (referenced from the resources below), community analysis of the backdoor is ongoing. Fortunately, thanks to the original discovery, the backdoored version of the utility did not affect stable branches of most major Linux distributions and is unlikely to have made it into any production systems. The most at-risk category of users is likely developers, many of whom tend to run bleeding-edge versions of Linux. While it was discovered before it made its way into most Linux distributions and its real-world impact is believed to be limited, experts suggest that it did present a very real and present danger.
Linux systems administrators are encouraged to maintain awareness of ongoing analysis for impacted distributions and recommended remediations.
Additional Resources
- Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor | SecurityWeek
- Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094) | Unit 42
- Frequently Asked Questions About CVE-2024-3094, A Backdoor in XZ Utils | Tenable
- Backdoored XZ Utils (CVE-2024-3094) | Rapid7
- CVE-2024-3094 XZ Backdoor: All you need to know | JFrog
- The amazingly scary xz sshd backdoor | SANS
- The xz-utils backdoor in security advisories by national CSIRTs | SANS
- CVE Advisory: CVE-2024-3094 - Security Compromise in XZ Utils | Zscaler
