The xz/liblzma/ssh backdoor – Are You at Risk? Learn How to Safeguard Your Systems Now

Recently, CVE-2024-3094 was disclosed, revealing that malicious code had been discovered in the upstream tarballs of xz, starting with version 5.6.0. The malicious code uses complex obfuscation techniques to extract a prebuilt object file from a disguised test file within the source code. This file then modifies specific functions in the liblzma code during the build process, resulting in a compromised liblzma library. This vulnerability poses a significant risk as liblzma is a widely used library for compression and decompression, integral to many Linux distributions.

It’s important to note that this vulnerability was introduced in a version released on 24 Feb 2024. Although it has not yet been included in the latest stable versions of major Linux distributions, users are encouraged to verify their system’s version to ensure they are not affected.

How to Check If You Are Affected?

1. Open your Terminal.
2. Run the command:

For Ubuntu/Debian based systems

dpkg -l | grep liblzma

## Output will be similar to
## liblzma5:amd64       5.2.5-2ubuntu1     amd64        XZ-format compression library

For Red Hat/Fedora/CentOS:

rpm -q xz-libs
## Output will be similar to
## xz-libs-5.2.5-8.el9_0.x86_64

In the above output, the version is 5.2.5 . However, if you see version 5.6.0 or 5.6.1, it means you are affected by CVE-2024-3094.

I am Impacted, What Should I Do?

If you are affected, the current recommendation is to rollback to a version prior to 5.6.0, such as 5.4.6 or 5.2.5, which is not impacted by this vulnerability. Rolling back will depend on the distribution you are using. Additionally, monitor the relevant security channels for your distribution for updates regarding this issue.

Additional Resources and Official Advisories:

• Debian : https://security-tracker.debian.org/tracker/CVE-2024-3094
• Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2272210
• Ubuntu: https://discourse.ubuntu.com/t/xz-liblzma-security-update/43714
• Original bug report: https://www.openwall.com/lists/oss-security/2024/03/29/4
• NVD database: https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Stay informed and take the necessary steps to protect your systems from this vulnerability.

At Kapstan, we understand the critical nature of maintaining the security and integrity of your systems. If you’re concerned about how this vulnerability may impact your systems, or if you’re seeking comprehensive solutions tailored to your needs, Kapstan is here to help. Our expertise in security and deploying secure infrastructure can help fortify your defenses and ensure that your operations remain secure and resilient against evolving threats. To learn more about how we can assist you in navigating this and other security concerns, reach out to us today. Let’s work together towards a more secure future.