International Money Flow
SECURITY ADVISORY · TLP:CLEAR · 2024-03-29

Backdoor in xz-utils 5.6.0–5.6.1 (liblzma) compromises sshd

xz-utils 5.6.0 and 5.6.1 ship a deliberate backdoor that compromises sshd via the libsystemd → liblzma load path. An attacker holding the actor's private key gains pre-authentication RCE as root.

CRITICAL 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Published: 2024-03-29
Last updated: 2026-04-29
Status: PUBLISHED
CVE IDs: CVE-2024-3094
CVSS: 10.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected: xz-utils 5.6.0 · xz-utils 5.6.1 · liblzma 5.6.0–5.6.1 (when loaded into sshd via systemd notification)
Reporter: Andres Freund (Microsoft)
TLP: TLP:CLEAR

Summary

xz-utils 5.6.0 and 5.6.1, published in February and March 2024, contain a deliberate backdoor introduced through multi-year social engineering of the project’s maintenance. The backdoor activates when liblzma is loaded into sshd via the systemd notification dependency chain (libsystemd → liblzma) and replaces the resolver for RSA_public_decrypt. An unauthenticated remote attacker holding the actor’s private key can execute arbitrary code as root during the SSH key-exchange.

The compromise was caught in pre-release distributions before reaching most stable channels. Stable Debian, Ubuntu LTS, and RHEL releases are not affected. Fedora 40/41 development streams, Debian unstable/testing, openSUSE Tumbleweed, Kali Linux rolling, and Arch Linux did ship the affected versions during the window 2024-02-24 through 2024-03-29.

Affected versions

Backdoored upstream releases
xz-utils 5.6.0 (released 2024-02-24)
xz-utils 5.6.1 (released 2024-03-09)
Distributions that shipped the backdoored tarballs
Fedora 40 (pre-release), Fedora 41 (Rawhide)
Debian unstable (sid), Debian testing
openSUSE Tumbleweed, openSUSE MicroOS
Kali Linux (rolling), Arch Linux (rolling)

xz-utils 5.4.x and earlier are not affected. xz-utils 5.6.2 (released 2024-03-30) reverts to the pre-backdoor build configuration.

Technical detail

The backdoor is delivered through two test-fixture archives committed to the project’s git repository — tests/files/bad-3-corrupt_lzma2.xz and tests/files/good-large_compressed.lzma. These are presented as fuzz-test inputs but in fact carry the encrypted backdoor payload. The release tarball ships an m4/build-to-host.m4 script (not present in the git tree) that extracts and executes the payload at build time, modifying the resulting liblzma shared object.

The injected code replaces the GNU IFUNC resolver for RSA_public_decrypt with a function that inspects incoming SSH connection data. When the attacker’s signed payload is presented, control flow is redirected before authentication. Detailed reverse-engineering by the open-source community established the entry point, the ChaCha20-based payload encryption, and the ED448 public-key check used to validate attacker commands.

Impact

An attacker with the corresponding private key gains pre-authentication remote code execution as the user running sshd — typically root — on any host running an affected distribution build of OpenSSH where sshd is linked against the patched liblzma. No prior credentials, network position beyond TCP/22 reachability, or social interaction are required.

The compromise is a supply-chain attack: even fully patched and correctly configured downstream systems would have been vulnerable solely by virtue of trusting the upstream release artifact.

Mitigation

  1. Verify xz-utils is at version 5.4.x, or 5.6.2 or later. On Debian-based systems: dpkg -l xz-utils | tail -1. On RPM-based systems: rpm -q xz.
  2. If running an affected version, downgrade to the latest 5.4.x and reboot any host where sshd was started while the backdoored library was resident.
  3. Audit any distribution image, container base image, or CI build cache created between 2024-02-24 and 2024-03-29 against the affected version list above.
  4. Rotate any SSH host keys that may have been resident in memory on a backdoored host.
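The version check in steps 1 and 2, carried out in one script that also reports whether the local sshd is linked against liblzma at all. This is an added example written for this advisory, not a script from the xz project or any distribution; the package names (xz-utils on dpkg systems, xz on rpm systems) and the fallback sshd path are assumptions.

```shell
#!/bin/sh
# Added example: classify the installed xz-utils against CVE-2024-3094.

# Return 0 if the version string names a backdoored release (5.6.0 or 5.6.1),
# including distro revisions such as 5.6.1-1 or 5.6.0-2.fc40. Debian's reverted
# package is versioned "5.6.1+really5.4.5-1"; it is really 5.4.5 and must not match.
xz_version_affected() {
  case "$1" in
    5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the installed version using whichever package manager is present
# (dpkg-query on Debian-based, rpm on RPM-based), or the xz binary as a fallback.
installed_xz_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' xz-utils 2>/dev/null
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz 2>/dev/null
  elif command -v xz >/dev/null 2>&1; then
    xz --version 2>/dev/null | awk 'NR == 1 { print $NF }'
  fi
}

# Return 0 if the sshd binary links liblzma (through libsystemd). The backdoor
# only activates inside such an sshd, so this decides whether step 2 applies.
# /usr/sbin/sshd as the fallback location is an assumption.
sshd_links_liblzma() {
  sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | grep -q 'liblzma'
}

ver=$(installed_xz_version)
if [ -n "$ver" ] && xz_version_affected "$ver"; then
  echo "AFFECTED: xz-utils $ver is a backdoored release (downgrade to 5.4.x, reboot hosts where sshd ran)"
  sshd_links_liblzma && echo "sshd links liblzma: treat this host as exposed"
else
  echo "xz-utils ${ver:-unknown}: not a backdoored release (confirm it is 5.4.x or 5.6.2 or later)"
fi
```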

Detection

Andres Freund’s original Openwall post includes a shell-script check for liblzma artifacts. The signature can also be expressed as YARA over disk and memory:

rule xz_backdoor_2024_3094 : supplychain ssh
{
  meta:
    author      = "imf-research"
    description = "Detects liblzma payload markers from CVE-2024-3094"
    cvss        = "10.0"
    tlp         = "TLP:CLEAR"
    reference   = "https://www.openwall.com/lists/oss-security/2024/03/29/4"
  strings:
    $sym_resolver = "RSA_public_decrypt" ascii
    $payload_a = { F3 0F 1E FA 55 48 89 E5 ?? ?? ?? ?? ?? ?? ?? 4? 89 D? }
    $build_marker = "Hello world!" wide
  condition:
    uint32(0) == 0x464C457F and  // ELF magic
    $sym_resolver and
    1 of ($payload_a, $build_marker)
}

Because the backdoor only activates inside sshd, detection should also include process-listing reviews and outbound TCP/22 anomaly tracking around the disclosure window.
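The same signature as the YARA rule above, expressed with POSIX tools only so it can run on a host that has no YARA installed, in the spirit of the Openwall post's script. This is an added example written for this advisory, not Freund's script or the rule author's tooling; the library paths it globs are assumptions.

```shell
#!/bin/sh
# Added example: apply the YARA rule's conditions with od, tr and grep.
# The file is dumped as " 7f 45 4c 46 ..." (one space before every byte), so a
# regex that starts with a space can only match on a byte boundary. The rule's
# hex pattern F3 0F 1E FA 55 48 89 E5 ?? x7 4? 89 D? becomes:
PAYLOAD_RE=' f3 0f 1e fa 55 48 89 e5( ..){7} 4. 89 d.'
# "Hello world!" as a wide (UTF-16LE) string: each byte followed by 00.
BUILD_MARKER_RE=' 48 00 65 00 6c 00 6c 00 6f 00 20 00 77 00 6f 00 72 00 6c 00 64 00 21 00'

# Dump a file as a single line of space-separated lowercase hex bytes
# (od is POSIX; hexdump is not).
hexstring() {
  od -An -v -tx1 "$1" | tr -s ' \n' ' '
}

# Return 0 when the file satisfies the rule: ELF magic, the RSA_public_decrypt
# symbol string, and at least one of the two payload markers.
liblzma_has_markers() {
  f="$1"
  [ -r "$f" ] || return 2
  hex=$(hexstring "$f")
  case "$hex" in ' 7f 45 4c 46 '*) ;; *) return 1 ;; esac   # uint32(0) == 0x464C457F
  grep -qa 'RSA_public_decrypt' "$f" || return 1            # $sym_resolver
  printf '%s' "$hex" | grep -Eq "($PAYLOAD_RE|$BUILD_MARKER_RE)"
}

# Check every liblzma on the usual library paths (the paths are assumptions).
scan_liblzma() {
  for lib in /usr/lib/liblzma.so.5* /usr/lib64/liblzma.so.5* /usr/lib/*/liblzma.so.5*; do
    [ -f "$lib" ] || continue
    if liblzma_has_markers "$lib"; then
      echo "MATCH: $lib carries CVE-2024-3094 payload markers"
    else
      echo "clean: $lib"
    fi
  done
}

scan_liblzma
```

A match on disk says the library was built from a backdoored tarball; whether the host was actually exposed still depends on sshd having loaded it, which is why the process review in the paragraph above is needed as well.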

Timeline

Date        Event
2021-04     Account “Jia Tan” first contributes to the xz project.
2022-04     Original maintainer cedes commit access following sustained pressure from sock-puppet accounts.
2024-02-24  xz-utils 5.6.0 released, backdoor present.
2024-03-09  xz-utils 5.6.1 released.
2024-03-28  Andres Freund detects unusual SSH login latency on a Debian unstable host.
2024-03-29  Public disclosure on oss-security@. CVE-2024-3094 assigned.
2024-03-30  xz-utils 5.6.2 released, reverting to clean tarball.
2024-04-02  Affected distributions complete coordinated downgrade.

Acknowledgements

Discovery and initial public report by Andres Freund (Microsoft). Subsequent analysis contributed by Sam James, Kostya Kortchinsky, gynvael, Russ Cox, the Red Hat product security team, and the broader open-source security community.

References

  1. https://www.openwall.com/lists/oss-security/2024/03/29/4 — original disclosure on oss-security
  2. https://access.redhat.com/security/cve/CVE-2024-3094 — Red Hat product security advisory
  3. https://nvd.nist.gov/vuln/detail/CVE-2024-3094 — NIST NVD entry
  4. https://research.swtch.com/xz-script — Russ Cox, “Timeline of the xz open source attack”
  5. https://gynvael.coldwind.pl/?lang=en&id=782 — Gynvael Coldwind, reverse-engineering notes on the payload