Are You Affected by the Backdoor in XZ Utils?

Red Hat is warning that a vulnerability in XZ Utils, the XZ format compression utility included in Unix-like operating systems such as Linux, is a backdoor. Users should either downgrade the utility to a safer version or disable SSH entirely so that the backdoor cannot be exploited.

The code injection vulnerability (CVE-2024-3094) injects code into the authentication process that allows malicious actors to gain remote access to the system. Red Hat said in its advisory to "PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity" until the company reverted its xz version to 5.4.x and gave the all-clear. The flaw has been assigned a Common Vulnerability Scoring System (CVSS) score of 10.0.

The flaw is present in xz versions 5.6.0 (released Feb. 24) and 5.6.1 (released March 9). The US Cybersecurity and Infrastructure Security Agency (CISA) advised developers and users to downgrade XZ Utils to an earlier, uncompromised version, such as XZ Utils 5.4.6 Stable.

Here's how to tell whether the system is running the affected version:

xz --version

If the output says xz (XZ UTils) 5.6.1 or liblzma 5.6.1, then users should either apply the update for their distribution (if available), downgrade xz, or disable SSH for the time being.

While the issue primarily affects Linux distributions, there are reports that some versions of MacOS may be running the compromised packages. If that is the case, running brew upgrade on the Mac should downgrade xz from 5.6.0 to 5.4.6.

Binarly has created and released a free scanning tool to help defenders spot signs of the backdoor. The user upload an ELF file less than 5Mb in size and the tool looks for the backdoor code. "We built the tool in a way it could used for finding similar ways of implantation in other applications beyond XZ Utils," says Alex Matrosov, founder and CEO of Binarly.

Which Linux Distros Are Affected?

While serious, the impact may be limited. The problematic code is in the newer versions of xz/liblzma, so it may not be as widely deployed. Linux distributions that have not yet released the newer versions are less likely to be affected.

Red Hat: Vulnerable packages are present in Fedora 41 and Fedora Rawhide. No versions of Red Hat Enterprise Linux (RHEL) are affected. Red Hat says users should immediately stop using the affected versions until the company has had a chance to change the xz version.

SUSE: An update is available for openSUSE (Tumbleweed or MicroOS).

Debian Linux: No stable versions of the distribution are affected, but compromised packages were part of the testing, unstable, and experimental versions. Users should update xz-utils.

Kali Linux: If systems were updated between March 26 and March 29, then users should update again to get the fix. If Kali's last update was before March 26, it is not affected by this backdoor.

Ubuntu: One of the most popular Linux distributions is unaffected as its version of xz is the older 5.4 version. No update is required.

This list will be updated as other distributions provide information.