Aqua Blog

CVE-2024-3094: Newly Discovered Backdoor in XZ tools

CVE-2024-3094: Newly Discovered Backdoor in XZ tools
The xz-utils is a popular compression tool used widely across Linux systems, indicating its critical role in the software ecosystem. The xz-utils backdoor, discovered on March 29, 2024, exposes systems to potential backdoor access and remote code execution. It specifically targets versions 5.6.0 and 5.6.1 of xz-utils on systems using glibc, systemd, and patched OpenSSH. Users are urged to immediately stop usage and downgrade to xz-5.4.x.

The backdoor activates under certain conditions, potentially affecting performance and security. This issue underscores the vulnerability of relying heavily on single maintainers for critical infrastructure and highlights the complex interdependencies in open-source software ecosystems. Ongoing investigations aim to understand the full scope and mitigate the risks associated with this backdoor.

Which systems are vulnerable?

Systems using glibc with xz or liblzma versions 5.6.0 or 5.6.1, especially those with systemd and patched OpenSSH, are vulnerable. This includes Linux distributions systems utilizing the vulnerable components as shown here. In the cloud, instances running affected versions on public-facing services amplify risk, necessitating immediate updates to mitigate vulnerabilities.

Cloud providers might have underlying systems or offer services based on these vulnerable versions, so it’s crucial for cloud users to verify and update their instances or consult their provider’s advisories.

It appears in the de-obfuscated script that only Linux x86_64 certain versions are vulnerable as the script is designed to “decide” whether to modify or not the build process, as illustrated below.

This function verifies the targeted operating system is x86-64 Linux.

Figure 1: This function verifies the targeted operating system is x86-64 Linux.

Significant milestones in the vulnerability timeline

A great time-line summary was offered by Evan Boehs, summarizing the Open-Source flaws as we’ve seen it.

In 2021, Jia Tan (JiaT75) first joined GitHub and made suspicious commits to libarchive, raising initial concerns. By April 2022, Tan began influencing the XZ project, leading to his first commit and becoming a key contributor. This period marked a pivotal shift, culminating in 2024 with a significant exploit discovery related to xz-utils. These milestones underscore vulnerabilities in open-source project maintenance and the implications of unchecked contributions.

This issue was assigned CVE-2024-3094 and even got an alert by CISA.

Technical information (what we know so far)

Andres Freund shared a write-up in which he explains how he uncovered the sophisticated backdoor. The malicious code in the XZ-utils was found only in the ‘tarball’ distributions of the software, which are the packaged source code files. It was not found, however, in the original, or upstream, source code on GitHub, which makes it more hidden. The GitHub-generated source code links are considered safe because they are automatically created from the repository itself, without the added malicious code found in the tarballs for versions 5.6.0 and 5.6.1.

The malicious code injects and obfuscated script that alters the makefile to introduce a corrupted test file into the build.

The injected script

Figure 2: The injected script

The altered build process then included the malicious file during compilation of the liblzma library. The initial backdoor code substitutes certain functions meant for checksum calculation, specifically crc32_resolve() and crc64_resolve().

SSHD loads these libraries and the attacker is able to bypass the checksum checkup and get access to the server via SSH connection.


If you are using these Linux distributions, you may be affected:
  • Fedora Linux 40 and Rawhide
  • openSUSE
  • Kali Linux
  • Alpine
  • Debian (Unstable)
  • Arch

Users are urged to immediately stop usage of the xz-utils compression tool and downgrade to xz-5.4.x. See links below for instructions on downgrading these packages.

Depending on the distro you use, you can confirm you are not impacted by this vulnerability with Aqua Trivy. Trivy facilitates the detection of vulnerabilities on supported platforms, including this vulnerability.

In addition, Aqua’s Cloud Native Application Platform (CNAPP) ensures robust security from development to deployment. It scans for vulnerabilities and misconfigurations in code, container images and cloud workloads, leveraging Aqua Trivy’s premium features. Pre-deployment, it integrates with CI/CD pipelines to establish strict controls, permitting only vetted images.

By leveraging a defense-in-depth strategy, you can enhance your security measures to mitigate vulnerabilities within your workloads and safeguard them against malicious activities.

Furthermore, you can configure your Continuous Integration/Continuous Deployment (CI/CD) pipelines to terminate the build process under various conditions. Specifically, this capability can be used to prevent the promotion of code that contains any detected vulnerabilities into production.

Also, Aqua Enforcer’s malware detection actively identifies the xz-utils backdoor exploits by continuously scanning the nodes. It promptly notifies administrators upon detecting any instances of the backdoor, ensuring swift response and mitigation.

Aqua Enforcer identifies the xz-utils backdoor exploits

Aqua Enforcer identifies the xz-utils backdoor exploits

For more complete protection from any vulnerability, you can take advantage of our sophisticated behavioral detection capabilities. These capabilities are designed to be broad and not confined to identifying any single vulnerability or event. Their fine-tuned sensitivity ensures the identification and prevention of malicious behavior, thereby allowing for the interception and thwarting of attacks in real-time.

And finally, this is a list of known affected Linux distributions, versions and links to remediation steps:


* After a thorough review of our systems and images, we are pleased to confirm that our products and images are not vulnerable to CVE-2024-3094.

Aqua Team
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure and secure running workloads wherever they are deployed. Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.