Backdoor in xz/liblzma (CVE-2024-3094): our response
On March 29th, we were informed that a backdoor was discovered in the source code of xz, introduced with version 5.6.0 (CVE-2024-3094). Our security team instantly made sanity checks, and found our services were not impacted.
As stated by NIST, « Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. ».
First, the malicious version was not deployed on images we use for most of our services. Second, we don’t use patches to suppport systemd within OpenSSH through libsystemd (which depends on the backdoored libzma). Third, some GNU/Linux distributions were specifically targeted, not Exherbo Linux which we use for our services.
Nevertheless, we immediatly put the backdoored version on a deny list to prevent its installation, and so did Exherbo Linux maintainers promptly after. We also started to revert xz 5.6.x to 5.4.6 on the few custom services where it had been set up, although it would not have been possible for an attacker to exploit it.
You can know more about this CVE following these links:
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor
- https://gynvael.coldwind.pl/?lang=en&id=782
- https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
- https://www.openwall.com/lists/oss-security/2024/03/29/4
You can contact our support team if you have further questions about this topic.