XZ Utils, malicious code in liblzma backdoors sshd (supply-chain)
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code.
Overview
CVE-2024-3094 is a critical supply-chain compromise discovered in XZ Utils, a widely used compression library present in virtually every Linux distribution. A malicious maintainer operating under the pseudonym 'Jia Tan', an account created in 2021 specifically to build trust within the open-source community, inserted a sophisticated multi-stage backdoor into upstream releases 5.6.0 and 5.6.1. The backdoor was designed to compromise sshd (OpenSSH server) and allow unauthorized remote code execution as root.
Technical Details
The attack leveraged a complex obfuscation scheme embedded within the XZ Utils build process. Malicious code was hidden inside what appeared to be test fixture files in the source tarball. During compilation, the build process extracted a prebuilt object file from these disguised test files and patched it into liblzma.
The backdoor specifically targets systems where sshd is linked against liblzma through systemd's libsystemd-notify dependency chain. Once active, the malicious code intercepts SSH authentication routines and grants remote command execution capabilities to anyone possessing the attacker's private RSA key, effectively bypassing all normal authentication mechanisms.
The compromise was discovered accidentally on March 29, 2024, by Microsoft engineer Andres Freund, who was investigating an unexplained 500-millisecond performance regression in sshd benchmarks. His investigation revealed the backdoor before it could reach stable distribution channels.
Impact
The backdoor reached several rolling-release and development distributions including Debian unstable/testing, Fedora Rawhide (40), openSUSE Tumbleweed, Arch Linux, and Kali Linux. These are commonly used as development workstations by security teams and in MSP toolchains.
Stable production distributions (Debian stable, RHEL, Ubuntu LTS) were not affected as version 5.6.x had not yet propagated to their repositories. No confirmed in-the-wild exploitation occurred before discovery. The 'Jia Tan' identity is publicly suspected to be state-aligned based on the sophistication and long-term planning of the attack.
Mitigation
- Verify the installed XZ Utils version using xz --version; versions below 5.6.0, or patched versions beyond 5.6.1, are safe
- Immediately downgrade or update XZ Utils on affected distributions
- Rotate all SSH keys and credentials on any host that ran the compromised liblzma library
- Audit any packages maintained by the 'Jia Tan' account
- Review supply-chain security practices for critical dependencies
Detection
Check for XZ Utils versions 5.6.0 or 5.6.1 specifically. Security vendors released detection signatures for the malicious object files. Systems running affected versions with sshd linked against systemd-notify should be treated as potentially compromised and forensically examined.
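The version check from the Mitigation list and the "sshd linked against liblzma" condition from the Detection section, combined into one host-triage script. This is an added example written for this page, not tooling from the XZ project or any vendor; the function names, the verdict strings and the two sample outputs of xz --version are constructed for illustration. It flags only the two backdoored upstream release numbers, so a distribution package that removed the backdoor while keeping a 5.6.x version string would still be reported and must be confirmed against the distribution's own advisory.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify an XZ Utils / liblzma
# version string against the backdoored releases 5.6.0 and 5.6.1, and check
# whether the host's sshd is dynamically linked against liblzma.

# Constructed sample outputs of `xz --version` (two lines: xz, then liblzma).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Extract the library version from `xz --version` output. The backdoor lives
# in liblzma, so the "liblzma X.Y.Z" line is preferred; fall back to the
# "xz (XZ Utils) X.Y.Z" line for builds that print only that.
parse_xz_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || v=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    printf '%s\n' "$v"
}

# Return 0 (true) only for the two backdoored upstream releases. Older versions
# and later or patched versions return 1, matching the advisory's guidance.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 if the sshd binary on this host links liblzma (directly or through
# libsystemd), 1 if it does not or if sshd/ldd cannot be found. This function
# touches the live system and is exercised only by the --live run below.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Combine the version check with the linkage result ("linked"/"notlinked")
# into a single verdict line. An affected liblzma that sshd actually loads is
# the case the Detection section says to treat as potentially compromised.
host_verdict() {
    version=$(parse_xz_version "$1")
    if xz_version_affected "$version"; then
        if [ "$2" = "linked" ]; then
            echo "AFFECTED: liblzma $version installed and sshd links liblzma; treat host as potentially compromised"
        else
            echo "VULNERABLE-LIB: liblzma $version installed but sshd does not link liblzma; update anyway"
        fi
    else
        echo "OK: liblzma $version is not a backdoored release"
    fi
}

# Live run against this host: sh triage.sh --live
if [ "${1:-}" = "--live" ]; then
    if sshd_links_liblzma; then linked=linked; else linked=notlinked; fi
    host_verdict "$(xz --version 2>/dev/null)" "$linked"
fi
```

Run with --live on a host to get one verdict line; the ldd check is deliberately separate from the version check so that hosts with a vulnerable liblzma but an sshd that never loads it are reported differently from hosts where the backdoor could actually have been reached, though both still need the library updated and, per the Mitigation list, credential rotation where the affected code ran.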