On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that gives developers lossless compression. This package is commonly used for compressing release tarballs, software packages, kernel images, and initramfs images. It is very widely distributed, statistically your average Linux or macOS system will have it installed for convenience.
This backdoor is very indirect and only shows up when a few known specific criteria are met. Others may be yet discovered! However, this backdoor is at least triggerable by remote unprivileged systems connecting to public SSH ports. This has been seen in the wild where it gets activated by connections - resulting in performance issues, but we do not know yet what is required to bypass authentication (etc) with it.
TL;DR: We're reasonably sure the following things need to be true for your system to be vulnerable:
- You need to be running a rolling-release distro and updating religiously
- You need to be running a distro that uses glibc and systemd
- You need to have versions 5.6.0 or 5.6.1 of xz or liblzma installed (xz-utils provides the library liblzma)
If you're also running a publicly accessible sshd
, then you are
likely vulnerable. If you aren't, it is unknown for now, but you should
update as quickly as possible because investigations are continuing.
If all of these are the case, please update your systems to mitigate this threat. For more information about affected systems and how to update, please see this article or check the xz-utils page on Repology.
This is still a new situation. There is a lot we don't know. We don't know if there are more possible exploit paths. We only know about this one path. Please update your systems regardless. Unknown unknowns are safer than known unknowns.
This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't know much about what's going on.
This is not a fault of sshd, systemd, or glibc, that is just how it was made exploitable.
This backdoor has several components. At a high level:
- The release tarballs upstream publishes don't have the same code
that GitHub has. This is common in C projects so that downstream
consumers don't need to remember how to run autotools and autoconf.
The version of
build-to-host.m4
in the release tarballs differs wildly from the upstream on GitHub. - There are crafted test files in the
tests/
folder. These files are in the following commits:tests/files/bad-3-corrupt_lzma2.xz
(cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0, 74b138d2a6529f2c07729d7c77b1725a8e8b16f1)tests/files/good-large_compressed.lzma
(cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0, 74b138d2a6529f2c07729d7c77b1725a8e8b16f1)
- A script called by
build-to-host.m4
that unpacks this malicious test data and uses it to modify the build process. - IFUNC, a mechanism in glibc that allows for indirect function calls, is used to perform runtime hooking/redirection of OpenSSH's authentication routines. IFUNC is a tool that is normally used for legitimate things, but in this case it is exploited for this attack path.
Normally upstream publishes release tarballs that are different than
the automatically generated ones in GitHub. In these modified
tarballs, a malicious version of build-to-host.m4
is included to
execute a script during the build process.
This script (at least in versions 5.6.0 and 5.6.1) checks for various
conditions like the architecture of the machine. Here is a snippet of
the malicious version of build-to-host.m4
and an explanation of what
it does:
if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1);then
- If amd64/x86_64 is the target of the build
- And if the target uses the name
linux-gnu
(mostly checks for the use of glibc)
It also checks for the toolchain being used:
if test "x$GCC" != 'xyes' > /dev/null 2>&1;then exit 0 fi if test "x$CC" != 'xgcc' > /dev/null 2>&1;then exit 0 fi LDv=$LD" -v" if ! $LDv 2>&1 | grep -qs 'GNU ld' > /dev/null 2>&1;then exit 0
And if you are trying to build a Debian or Red Hat package:
if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then
This attack thusly seems to be targeted at amd64 systems running glibc using either Debian or Red Hat derived distributions. Other systems may be vulnerable at this time, but we don't know.
If those conditions check, the payload is injected into the source tree. We have not analyzed this payload in detail. Here are the main things we know:
- The payload only activates if the running program has the process
name
/usr/sbin/sshd
. This means that systems that putsshd
in/usr/bin
or another folder are not vulnerable. This further suspects targeting systemd systems due to their usrmerge initiative putting all binaries in/usr/bin
. - We don't know what the payload is intended to do. We are investigating.
- Vanilla upstream OpenSSH isn't affected unless one of its
dependencies links
liblzma
. We are not aware of any cases of this in practical production systems. - The payload is loaded into
sshd
indirectly.sshd
is often patched to support systemd-notify so that other services can start when sshd is running.liblzma
is loaded because it's depended on by other parts oflibsystemd
. This is not the fault of systemd, this is more unfortunate. The patch that most distributions use is available here: openssh/openssh-portable#375. - If this payload is loaded in openssh
sshd
, theRSA_public_decrypt
function will be redirected into a malicious implementation. We have observed that this malicious implementation can be used to bypass authentication. Further research is being done to explain why.
We do not want to speculate on the people behind this project in this document. This is not a productive use of our time, and law enforcement will be able to handle identifying those responsible. They are likely patching their systems too.
xz-utils has two maintainers:
- Lasse Collin (Larhzu) who has maintained xz since the beginning
(~2009), and before that,
lzma-utils
. - Jia Tan (JiaT75) who started contributing to xz in the last 2-2.5 years and gained commit access, and then release manager rights, about 1.5 years ago.
Lasse regularly has internet breaks and is on one at the moment, started before this all kicked off. We believe CISA may be trying to get in contact with him.
- Andres Freund who discovered the issue and reported it to linux-distros and then oss-security.
- All the hard-working security teams helping to coordinate a response and push out fixes.
- Xe Iaso who resummarized this page for readability.