The XZ vulnerability, ssh has been backdoored

Monday, 01 Apr 2024

Background

So a few days ago, on 29 March 2024, a critical new vulnerability, now officially tracked as CVE-2024-3094, was disclosed.

This one is pretty damn serious as it has a CVSS score of 10.0! Basically it's bad, like really really bad.

In a nutshell, Microsoft engineer Andres Freund happened to notice that SSH logins on a Debian system had a slight delay.

After he went down a rabbit hole, it turned out that a backdoor had been introduced during the build process of XZ, a utility used for file compression.

The affected versions of XZ are 5.6.0 and 5.6.1.

Which distros are affected?

If you're running one of the following distros, then you're most likely affected:

  • Fedora 40-41
  • Rawhide
  • Arch Linux
  • Debian unstable (sid)
  • Alpine Edge
  • openSUSE Tumbleweed
  • openSUSE MicroOS

How to check for the XZ vulnerability

Run the following command to check which versions of xz and liblzma are installed on your machine or server. If either version is 5.6.0 or 5.6.1, downgrade ASAP.

user@pc:~$ xz -V
xz (XZ Utils) 5.2.5
liblzma 5.2.5
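The same check in scripted form, as an added example that is not from the original post: it parses `xz -V` output, flags 5.6.0 and 5.6.1 as affected, and optionally shows which liblzma the sshd binary loads (it assumes sshd lives at /usr/sbin/sshd).

```shell
#!/bin/sh
# Added example (not from the original post): flag the backdoored XZ Utils
# releases named in CVE-2024-3094 from "xz -V" style output.

# Return 0 (true) if the version string is one of the two backdoored releases.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print every x.y.z version number found in the given "xz -V" output, one per
# line ("xz (XZ Utils) 5.6.1" and "liblzma 5.6.1" both yield 5.6.1).
xz_versions_in_output() {
    printf '%s\n' "$1" | awk '$NF ~ /^[0-9]+\.[0-9]+\.[0-9]+$/ { print $NF }'
}

# Return 0 if any component in the output is affected, 1 otherwise;
# prints one line per affected component.
scan_xz_output() {
    status=1
    for ver in $(xz_versions_in_output "$1"); do
        if is_affected_xz_version "$ver"; then
            echo "AFFECTED: xz/liblzma $ver matches CVE-2024-3094, downgrade now"
            status=0
        fi
    done
    return "$status"
}

# Run the check against the xz installed on this host (0 = affected, 1 = ok,
# 2 = xz not installed).
check_host_xz() {
    out="$(xz -V 2>/dev/null)" || { echo "xz is not installed"; return 2; }
    if scan_xz_output "$out"; then
        return 0
    fi
    echo "OK: xz -V reports no 5.6.0 / 5.6.1 component"
    return 1
}

# Optional: show which liblzma the sshd binary actually loads, since the
# backdoor reached sshd through that library. Path is an assumption.
sshd_liblzma() {
    [ -x /usr/sbin/sshd ] || return 1
    ldd /usr/sbin/sshd 2>/dev/null | awk '/liblzma/ { print $3 }'
}

if [ "${1:-}" = "--run" ]; then check_host_xz; sshd_liblzma; fi
```

Run it with `sh check_xz.sh --run`; a non-zero exit of 1 means no affected component was reported.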