1 April 2024

Backdoor in XZ Utils can lead to SSH server compromise

Malicious code has been uncovered in XZ Utils, a compression library widely used across Linux distributions, that can lead to system compromise.

XZ Utils provides command line tools for compressing and decompressing XZ files, together with liblzma, a zlib-like API for data compression that also supports the legacy .lzma format.

The security issue, which has been assigned the identifier CVE-2024-3094, was discovered by a PostgreSQL developer named Andres Freund, who noticed suspicious behavior related to liblzma, part of the xz package, on Debian sid installations: an uptick in CPU usage by the SSH daemon that slowed SSH performance and login times.

The malicious code was found in versions 5.6.0 and 5.6.1 of XZ Utils. The backdoor is not present in the source code found in the Git repository but is introduced in the distributed tarballs.

As of now, the following Linux distributions are confirmed to have been affected: Fedora (40 Beta and Rawhide), Debian (Sid), openSUSE (Tumbleweed and MicroOS), Kali Linux (Rolling), Gentoo, and Arch Linux (Rolling). The macOS Homebrew package manager and the OpenWrt router firmware are also said to have been impacted. Fedora 40 Linux does not appear to be affected.

Interestingly, the backdoor was not directly embedded in the visible source code of liblzma or of XZ Utils itself. Instead, it was hidden within XZ-compressed binary test files, ostensibly a benign component of the library’s test suite.

“That line is *not* in the upstream source of build-to-host, nor is build-to-host used by xz in git. However, it is present in the tarballs released upstream, except for the "source code" links,” Freund wrote.

According to Red Hat, the malicious code alters functions within liblzma. Once activated, this modified code can be exploited by any software linked to the XZ library, potentially enabling the interception and modification of data processed through the library. In a specific case highlighted by Freund, exploitation of this backdoor under specific conditions could compromise SSHD authentication, granting unauthorized access to vulnerable systems.

As for how the malicious code was introduced to XZ Utils, the individual believed to be behind this operation, who goes online as Jia Tan or JiaT75, reportedly contributed code to the oss-fuzz project. It appears that JiaT75 has been targeting XZ since April 2022.

Following the disclosure, the US Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory regarding CVE-2024-3094, advising users to downgrade XZ Utils to an uncompromised version, such as XZ Utils 5.4.6 Stable.
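A quick way to act on that advisory is to check which xz and liblzma release a host actually carries and whether its sshd loads liblzma at all. The script below is an added example, not part of the advisory or the xz project; it assumes the standard `xz --version` output format (`xz (XZ Utils) X.Y.Z` followed by `liblzma X.Y.Z`) and uses a constructed sample for offline testing.

```shell
#!/bin/sh
# Added example (not from the advisory or the xz project): flag hosts running
# the backdoored XZ Utils releases named in CVE-2024-3094 (5.6.0 and 5.6.1).

# True (exit 0) if the given version string is one of the affected releases.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the tool version out of `xz --version` text passed in as a string.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Pull the library version ("liblzma X.Y.Z") out of the same text.
liblzma_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Constructed sample of what an affected host prints; not captured from a real system.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Live check of this host. Returns 1 if an affected release is installed.
check_host() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 0; }
    out=$(xz --version 2>/dev/null)
    v=$(xz_version_from_output "$out")
    l=$(liblzma_version_from_output "$out")
    echo "xz tool: ${v:-unknown}, liblzma: ${l:-unknown}"
    status=0
    for ver in "$v" "$l"; do
        if is_backdoored_xz_version "$ver"; then
            echo "WARNING: $ver is affected by CVE-2024-3094; downgrade to 5.4.6 or a patched build"
            status=1
        fi
    done
    # sshd is only exposed if liblzma ends up in its process (directly or via libsystemd).
    sshd_path=$(command -v sshd 2>/dev/null)
    if [ -n "$sshd_path" ] && ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
        echo "note: $sshd_path links liblzma"
    fi
    return $status
}

# Run the live check only when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then check_host; fi
```

Run with `sh check_xz.sh --run` (filename assumed) to inspect the local host; a non-zero exit means an affected release was found.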
