After 2024-04-02 I am only adding important new discoveries (I come accross). There is just too much Blog and Video entries to keep track of.
Initial disclosure:
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- Aka https://lwn.net/ml/oss-security/[email protected]/
CVE and Alerts
- https://github.com/advisories/GHSA-rxwq-x6h5-x525
- https://nvd.nist.gov/vuln/detail/CVE-2024-3094
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- https://www.cisecurity.org/advisory/a-vulnerability-in-xz-utils-could-allow-for-remote-code-execution_2024-033
Media & Industry Coverage
- https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
- https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa
- https://securityonline.info/cve-2024-3094-cvss-10-backdoor-flaw-discovered-in-popular-linux-compression-tool/?expand_article=1 (ad popup warning)
- https://www.phoronix.com/news/GitHub-Disables-XZ-Repo
- https://lwn.net/Articles/967180/
- https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/
- https://www.gamingonlinux.com/2024/03/xz-tools-and-libraries-compromised-with-a-critical-issue/
- https://linuxiac.com/the-upstream-xz-tarballs-have-been-backdoored/
- https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/
- (de) https://tarnkappe.info/artikel/linux/backdoor-in-openssh-server-gefunden-291281.html
- Low level Learning: situation breakdown https://youtu.be/jqjtNDtbDNI
- Low Level Learning: xz-bot demo https://youtu.be/vV_WdTBbww4
- https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/
- https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
- https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html
- (de) https://www.heise.de/news/Hintertuer-in-xz-Bibliothek-gefaehrdet-SSH-Verbindungen-9671317.html
- (de) https://www.heise.de/news/xz-Attacke-Hintertuer-entraetselt-weitere-Details-zu-betroffenen-Distros-9671588.html
- https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
- https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
- blog https://www.wiz.io/blog/cve-2024-3094-critical-rce-vulnerability-found-in-xz-utils
- Untitled Linux Show https://youtu.be/RL7_lRpgthY
- (de) https://www.derstandard.at/consent/tcf/story/3000000213960/wie-die-computerwelt-gerade-haarscharf-an-einer-sicherheitskatastrophe-vorbeigeschrammt-ist
- https://www.politico.com/news/2024/03/31/thwarted-supply-chain-hack-alarm-bells-00149877
- (es) https://amp.elmundo.es/tecnologia/2024/03/31/6609b448e85eceab538b4571.html
- (it) https://www.remoteitalia.com/blog/sicurezza-informatica/backdoor-in-xz-utils-allarme-sicurezza-per-linux/
- https://www.nodejs-security.com/blog/xz-backdoor-cve-2024-3094-javascript-perspective/
- https://snyk.io/blog/the-xz-backdoor-cve-2024-3094/
- https://www.schneier.com/blog/archives/2024/04/xz-utils-backdoor.html
- https://discu.eu/q/https://github.com/tukaani-project/xz
- preprint Paper https://arxiv.org/abs/2404.08987 (JKU.at)
Writeups
- History commits analysis https://news.ycombinator.com/item?id=39866936
- Author background https://www.mail-archive.com/[email protected]/msg00567.html
- History writeup https://boehs.org/node/everything-i-know-about-the-xz-backdoor
- social aspects https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
- counter intelligence needed https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
- https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd
- https://research.hisolutions.com/2024/04/xz-backdoor-eine-aufarbeitung/
Mitigations, Detection and Snakeoil
- https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh
⚠️ - checkscript2: https://github.com/FabioBaroni/CVE-2024-3094-checker/
⚠️ - https://github.com/Neo23x0/signature-base/blob/master/yara/bkdr_xz_util_cve_2024_3094.yar
- https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/
- https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
- https://www.runzero.com/blog/how-to-find-systems-impacted-by-cve-2024-3094-libxz-utils-with-runzero/
⚠️ Warning: it is not a good idea to execute a compromised binary with the-Vflag or runlddon it. The menuoned sceipts should not be executed on sensitive systems.- notes, honeypot and exploit demo https://github.com/amlweems/xzbot
- upstream Debian patch to OpenSSH https://bugzilla.mindrot.org/show_bug.cgi?id=2641 (with less dependencies)
- binar.ly binary scanner: https://xz.fail/
Discussions
- https://news.ycombinator.com/item?id=39865810#39866275
- https://lobste.rs/s/uihyvs/backdoor_upstream_xz_liblzma_leading_ssh
- https://www.reddit.com/r/sysadmin/comments/1bqu3zx/backdoor_in_upstream_xzliblzma_leading_to_ssh/
- https://twitter.com/nickdothutton/status/1773829164392472741 (x discussion)
- https://discourse.ubuntu.com/t/xz-liblzma-security-update/43714
- Analysis https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
- commit timezone analysis https://x.com/birchb0y/status/1773871381890924872
- rc4 obfuscation https://x.com/nugxperience/status/1773906926503591970
- https://www.postgresql.org/message-id/CA%2BhUKGK4ZewHeVtnbBc_pbZRHZa6GyO%3DUpJ5XDmomA9Lf0xpkA%40mail.gmail.com
- early stages analysis https://gynvael.coldwind.pl/?lang=en&id=782
- https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b
- diagram https://x.com/fr0gger_/status/1774342248437813525
- diagram https://x.com/ctiyeewesley/status/1774478963408302529
- mastodon active posters https://infosec.exchange/@kpwn/112191917895132500
- timezones https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and
- fedora discussion, supply chain hardening: https://lwn.net/ml/fedora-devel/[email protected]/
- OpenSSH discussion, split into modules: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-April/041287.html
- similqr exploit tactic in fdroid: https://social.librem.one/@eighthave/112194828562355097
- https://research.swtch.com/xz-script
- xz unbanned on github (r/linux): https://www.reddit.com/r/linux/comments/1c0g8li/xz_utils_is_back_on_github_and_lasse_collin_has/
- systemd/systemd#32028
background research and evidence
- tukaani-project/xz#9
- tukaani-project/xz#95
- Backdoor line https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh#L40
- https://git.tukaani.org (untrusted, github mirrors are locked now) (backup: http://tmp.joeyh.name/xz-git-repository-for-analysis-backdoored.tar.gz fc739b4942130e0259c272b119108ccd9241943f73b115ef5fd16299d86054d0)
- Sus commits https://git.tukaani.org/?p=xz.git;a=search;pg=4;s=Jia+Tan;st=author
- Sus commits https://git.tukaani.org/?p=xz-java.git;a=search;s=Jia+Tan;st=author
- Sus mails https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417
- Sus commits libarchive/libarchive#1609
- Sus PR google/oss-fuzz#11587
- Sus PR https://github.com/keithn/seatest/pulls?q=author%3AJiat75+
- Sus https://play.clickhouse.com/play?user=play#U0VMRUNUICogRlJPTSBnaXRodWJfZXZlbnRzIFdIRVJFIGFjdG9yX2xvZ2luPSdKaWFUNzUnIE9SREVSIEJZIGZpbGVfdGltZSBERVND
- Sus https://play.clickhouse.com/play?user=play#U0VMRUNUIGNyZWF0ZWRfYXQsIGV2ZW50X3R5cGUsIGFjdG9yX2xvZ2luLCByZXBvX25hbWUsdGl0bGUsYWN0aW9uLCBzdWJzdHJpbmcoYm9keSwgMSwgMjAwKSBhcyBib2R5X3RydW5jYXRlZCAgRlJPTSBnaXRodWJfZXZlbnRzIFdIRVJFIGZpbGVfdGltZSA+IG5vdygpIC0gSU5URVJWQUwgNjAgREFZIEFORCBldmVudF90eXBlPSdQdWxsUmVxdWVzdEV2ZW50JyBBTkQgdGl0bGUgSUxJS0UgJyU1LjYlJyBBTkQgdGl0bGUgSUxJS0UgJyV4eiUnIEFORCBib2R5IE5PVCBJTElLRSAnJVNueWslJyBhbmQgYm9keSBub3QgaWxpa2UgJyVDVkUtMjAyNC0zMDk0JScgYW5kIHRpdGxlIG5vdCBpbGlrZSAnJWRvd25ncmFkZSUnIE9SREVSIEJZIGZpbGVfdGltZSBERVNDIExJTUlUIDEwMA==
- Sus bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
- Sus embed kernel maintainer https://lore.kernel.org/lkml/[email protected]/
- a fix commit https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00
- NOBUS type backdoor https://en.wikipedia.org/wiki/NOBUS
- address in range reversed https://x.com/bl4sty/status/1775299293139575048
- libarchive in windows https://cyberplace.social/@GossiTheDog/112208807973499815
- "the other author suddenly disappeared" https://github.com/tukaani-project/xz/commit/77a294d98a9d2d48f7e4ac273711518bf689f5c4
- liblzma was removed, creating urgency systemd/systemd#31550
Vendor Responses
Upstream statement https://tukaani.org/xz-backdoor/
- QubesOS/qubes-issues#9067
- QubesOS/qubes-issues#9071
- https://news.opensuse.org/2024/03/29/xz-backdoor/
- https://archlinux.org/news/the-xz-package-has-been-backdoored/
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- https://lists.debian.org/debian-security-announce/2024/msg00057.html
- google/oss-fuzz#11760
- https://aws.amazon.com/de/security/security-bulletins/AWS-2024-002/
- Homebrew/homebrew-core#167541
- https://github.com/orgs/Homebrew/discussions/5243
- https://www.kali.org/blog/about-the-xz-backdoor/
- https://infosec.exchange/@kalilinux/112180505434870941
- NixOS/nixpkgs#300028
- https://security.gentoo.org/glsa/202403-04
- https://bugs.gentoo.org/925415
- https://hardenedbsd.org/article/shawn-webb/2024-03-29/hardenedbsd-unaffected-cve-2024-3094-backdoor-xzlzma-560561
- https://x.com/clearlinux/status/1773866579828347276
- https://forum.openwrt.org/t/project-statement-about-xz-5-6-1-cve-2024-3094/193250
- https://github.com/termux/termux-packages/commit/4c6c0d0eb747afd886bf9d035667d98cb0fc4b8f
- https://ubuntu.com/security/CVE-2024-3094 (releases not affected)