
Backdoor in popular Linux tool spotted by Microsoft engineer

The xz compression tool appears to have been tampered with “over several weeks” to create a malicious new feature.

David Hollingworth
Tue, 02 Apr 2024

A curious Microsoft software engineer may have just saved a lot of people a lot of trouble after spotting a backdoor in the xz compression tool and liblzma5 library.

Andres Freund shared his findings in a post on open source security site Openwall, saying he’d spotted what appeared to be malicious code after noticing slow performance and several strange errors in recent Debian installations.

“After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer,” Freund said.


“The upstream xz repository and the xz tarballs have been backdoored.”

The changes to the code appear to have been made “over several weeks”, according to Freund, and were made by an individual who had been working on the project for some time, even going so far as to comment on the changes.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund said. “Unfortunately, the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’ mentioned above.”

The backdoor code is only present in a couple of versions of the tool and has only been added to pre-release versions of Linux distributions. Even then, the backdoor only appears to run on certain systems.

Freund shared his findings on 29 March, and the developers of several high-profile Linux distributions have already commented on the issue.

“Security researcher Andres Freund reported to Debian that the xz/liblzma library had been backdoored,” Marcus Meissner, an engineer at SUSE, wrote in a blog post.

“This backdoor was introduced in the upstream GitHub xz project with release 5.6.0 in February 2024.

“Our rolling release distribution openSUSE Tumbleweed and openSUSE MicroOS included this version between March 7th and March 28th.

“SUSE Linux Enterprise and Leap are built in isolation from openSUSE. Code, functionality and characteristics of Tumbleweed are not automatically introduced in SUSE Linux Enterprise and/or Leap. It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap.”

According to Meissner, the backdoor allows “malicious actors to access systems where SSH is exposed to the internet”.

On 29 March, a spokesperson for Red Hat warned customers to “stop usage of any fedora rawhide instances for work or personal activity”.

Red Hat posted further advice on 30 March.

“We have determined that Fedora Linux 40 beta does contain two affected versions of xz libraries – xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm. At this time, Fedora 40 Linux does not appear to be affected by the actual malware exploit, but we encourage all Fedora 40 Linux beta users to revert to 5.4.x versions,” it said.

Jake Williams, a former hacker for the US National Security Agency, shared a simple checklist to follow to mitigate exposure to the backdoor.

“Every organisation should take steps to remediate this vulnerability,” Williams said, “while recognising that it is now highly unlikely that a threat actor will ever exploit it (as doing so would facilitate attribution)”.

Here’s what Jake suggests:

  1. Repave any container deployments using Arch Linux that were performed since 24 February 2024.
  2. Inventory the number of users (usually developers) on Debian unstable branches and Fedora, as these users will always be at increased risk of bleeding edge backdoors like this.
  3. Ensure teams are aware that SAST and DAST are unlikely to catch software backdoors like this, and if necessary, re-evaluate your threat model in light of this.
  4. Review your firewall rules as they pertain to SSH. Since the backdoor was designed to operate with SSHD, it can only be exploited if a threat actor can connect to SSH instances running on your systems. When firewall rules are properly configured, even organisations with vulnerable Linux instances would be highly unlikely to be exploited.
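The version-based part of this advice (the 5.6.0 release named by SUSE, the two Fedora RPMs Red Hat listed, and the recommendation to revert to 5.4.x) can be turned into a repeatable check. The script below is an added example; it is not from the article, from Jake Williams's checklist, or from the xz project. It assumes that the whole 5.6 series should be treated as needing remediation, since the article says "a couple of versions" were tampered with but names only 5.6.0, and the sample inputs it runs over are constructed rather than real host output.

```shell
#!/bin/sh
# Added example, not from the article or from the xz project: classify an
# xz/liblzma version string against the affected series described above.
# Assumption: 5.6.0 is the named backdoored release and "a couple of versions"
# carry it, and Red Hat advises reverting to 5.4.x, so the whole 5.6 series
# is treated as needing remediation.

# parse_version 'xz (XZ Utils) 5.6.0'  -> prints 5.6.0
# Picks the first whitespace-separated token shaped like X.Y.Z from a line
# of `xz --version` output (both the "xz" and the "liblzma" lines work).
parse_version() {
  for token in $1; do
    case "$token" in
      [0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$token"; return 0 ;;
    esac
  done
  return 1
}

# rpm_version xz-libs-5.6.0-1.fc40.x86_64.rpm -> prints 5.6.0
# Strips the package-name prefix and the release/arch suffix from an RPM
# file name such as the two Red Hat listed above.
rpm_version() {
  rest=${1#xz-libs-}
  [ "$rest" != "$1" ] || return 1   # not an xz-libs package name
  printf '%s\n' "${rest%%-*}"
}

# version_affected 5.6.0 -> exit status 0 (affected), 1 otherwise
version_affected() {
  case "$1" in
    5.6.*) return 0 ;;
    *)     return 1 ;;
  esac
}

# classify VERSION -> prints a one-line verdict, always exits 0
classify() {
  if version_affected "$1"; then
    printf 'AFFECTED: %s is in the 5.6 series; revert to 5.4.x\n' "$1"
  else
    printf 'ok: %s\n' "$1"
  fi
}

# Stand-alone run over constructed sample inputs (not real host output).
for line in 'xz (XZ Utils) 5.6.0' 'liblzma 5.4.5'; do
  classify "$(parse_version "$line")"
done
for pkg in xz-libs-5.6.0-1.fc40.x86_64.rpm xz-libs-5.6.0-2.fc40.x86_64.rpm; do
  classify "$(rpm_version "$pkg")"
done

# On a live host, feed the real output instead:
#   classify "$(parse_version "$(xz --version 2>/dev/null | head -n 1)")"
```

The version check is deliberately separate from the parsing so the same test can be applied to `xz --version` output, to package-manager listings, or to container image manifests collected during the inventory step; a version match is a reason to rebuild or revert, and it says nothing about whether the host was actually reached over SSH, which is what the firewall review in the last checklist item addresses.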
David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
