EXPEL BLOG

Security alert: XZ Linux utility backdoor

· 1 MIN READ · AARON WALTON · MAR 29, 2024 · TAGS: Alert / MDR / Vulnerability

Researchers identified a backdoor in the XZ Linux utility, introduced via a supply chain compromise. Here’s what you need to know.

This post was updated on April 1 to include some additional analysis and information. 

What happened?

On March 29, 2024, researchers identified a backdoor in the XZ Linux utility that, if exploited, would open the door for threat actors to gain unauthorized access to critical systems. The malicious code is present in versions 5.6.0 and 5.6.1 of the XZ libraries. Because it was caught at an early stage of deployment, the backdoor wasn’t introduced into many Linux distributions. According to public reporting, the following x86-64 distributions were impacted:

A maintainer introduced the malicious code. It’s unclear if the maintainer’s account was compromised or if the maintainer made the changes purposely.

If you have these impacted distributions in your environment running XZ 5.6.0 or 5.6.1, read on and take the recommended actions. Please note that Expel and our assemblers ARE NOT impacted.

Why does it matter?

The backdoor allows an actor with the public key to access affected hosts and run commands as the root user. As root, the attacker would be able to run commands with the highest possible privileges on the system.

At this time, we don’t understand the intent of the attacker, but it can’t be anything good.

What should you do right now?

First, identify hosts running XZ version 5.6.0 or 5.6.1, and downgrade to version 5.4.6 or earlier. There are no mitigations other than replacing the malicious binary. Downgrading to an earlier version will remove the backdoor.

Next, contact your security and development teams to validate that only the unaffected versions of XZ are being used in your environment. It’s important that the compromised distributions aren’t distributed any further in the environment.
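As an added example (not Expel’s tooling or part of the original post), the following POSIX shell snippet performs the first step above on a single host: it reads the version from `xz --version` output, flags the two backdoored releases named in this post, and prints a verdict. The function names are our own; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: identify hosts running a backdoored XZ release (5.6.0 or 5.6.1).

# Pull the version number out of `xz --version` style output.
# Constructed sample input: "xz (XZ Utils) 5.6.1\nliblzma 5.6.1" -> "5.6.1"
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit status 0 (true) when the version is one of the known-backdoored releases.
xz_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Check the xz binary installed on this host and print a one-line verdict.
# Returns 2 when an affected version is found so fleet tooling can act on it.
check_local_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed on $(uname -n)"; return 0; }
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_is_backdoored "$ver"; then
        echo "AFFECTED: xz $ver on $(uname -n) - downgrade to 5.4.6 or earlier"
        return 2
    fi
    echo "ok: xz ${ver:-unknown} on $(uname -n)"
    return 0
}

# Run the check when executed directly (harmless when sourced for testing).
[ "${XZ_CHECK_NO_RUN:-}" = "1" ] || check_local_xz
```

Run it across your fleet through whatever remote-execution or configuration-management tooling you already use, and treat any non-zero exit as a host to remediate.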

What next?

We’re keeping a close eye on this situation as it unfolds. Since a maintainer introduced this malicious code, researchers are digging into other parts of the project that maintainer may have been involved with.

We’ll update this post with any big developments, but watch for ongoing updates from CISA, keep an eye on our socials (@ExpelSecurity) for any important updates and recommendations, and of course, get in touch with us if you have questions or concerns.