CVE-2024-3094:
Malicious Code Discovered in Archive Files of the XZ Library

Gatewatcher Products Affected
The versions of the liblzma library impacted by the malicious code are not present in Gatewatcher products. Specifically, these versions are considered “unstable” and are not included in the development of our products.
As a general practice, vulnerability scans are conducted daily across all our products to identify if any library versions we use are vulnerable to the latest CVEs.
Affected Versions
Versions 5.6.0 and 5.6.1 of the liblzma library are affected by the presence of malicious code. The following distributions have integrated these two versions:
- Arch Linux container images created between February 24 and March 28, 2024 (installation medium 2024.03.01, virtual machine images 20240301.218094 and 20240315.221711);
- Kali Linux versions available between March 26 and 29, 2024;
- openSUSE Tumbleweed and openSUSE MicroOS versions available between March 7 and 28, 2024;
- Debian testing, unstable, and experimental versions (from 5.5.1alpha-0.1 to 5.6.1-1);
- Fedora 41, Fedora Rawhide, and Fedora 40 Linux beta versions.
To check whether your system carries one of the malicious versions of liblzma, do not run the command xz -V, since that executes the possibly backdoored binary. Instead, read the version banner out of the binary with strings `which xz` | grep "(XZ Utils)", which inspects the file without running it.
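A small check in that spirit, added here as an example and not part of the advisory: it reads the "(XZ Utils)" banner from the binary with strings(1) instead of executing it and flags only the two versions named above. The strings output embedded below is a constructed sample, not a real dump.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an xz binary by the version
# banner that strings(1) recovers from it, never by executing the binary.
# Only 5.6.0 and 5.6.1 are treated as affected, as the advisory states.

# Print the version that follows "(XZ Utils)" in strings output read on stdin.
# Prints nothing when no banner is present.
xz_version_from_strings() {
    sed -n 's/.*(XZ Utils) \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the given version is one of the two backdoored releases.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Map strings output on stdin to one word: AFFECTED, CLEAN or UNKNOWN.
classify_strings() {
    xzver=$(xz_version_from_strings)
    if [ -z "$xzver" ]; then
        echo UNKNOWN
    elif is_affected_version "$xzver"; then
        echo AFFECTED
    else
        echo CLEAN
    fi
}

# Inspect a binary on disk; strings(1) reads the file, it does not run it.
classify_binary() {
    strings "$1" | classify_strings
}

# Constructed sample of what strings(1) might return for a 5.6.1 build.
SAMPLE_BAD='GCC: (GNU) 13.2.1
xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Check the file given as the first argument, else classify the sample.
if [ $# -gt 0 ]; then
    classify_binary "$1"
else
    printf '%s\n' "$SAMPLE_BAD" | classify_strings
fi
```

Run it as `sh check_xz.sh "$(which xz)"` to inspect the installed binary; UNKNOWN means no banner was found and the build should be checked by other means (package metadata, for instance).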
Vulnerability Details
On Friday, March 29th, Andres Freund, a software engineer at Microsoft, alerted the community after noticing unusually long SSH connection times, which led to the discovery of malicious code in two versions of the xz library. The xz utility and its library, liblzma, are available on many Linux distributions, including Arch Linux, Debian, and Fedora.
Versions 5.6.0 and 5.6.1, released respectively at the end of February and on March 9th, both contain malicious code that enables remote arbitrary code execution. Given the severity of the threat, a CVE reference was reserved: CVE-2024-3094, with a CVSS score of 10 out of 10.
How did malicious code end up in a utility that is installed by default on most Linux distributions? liblzma is open source software, meaning its source code is publicly available and anyone may view, modify, and distribute it freely. Normally, any change to the source code is reviewed by the original developers before it is released. In this case, a user under the pseudonym JiaT75 initially made legitimate contributions to the tool, starting on February 6th, 2022, which helped gain the trust of the GitHub repository maintainers. Only two years after that first contribution did this contributor add two malicious files, which acted as hidden backdoors within the tool's test directory. These files, obfuscated and encrypted, are executed during the compilation process.
In summary, a Windows developer, surprised by a slight latency when using SSH, accidentally discovered a backdoor in a widely used Linux tool.
Currently, there are only theories regarding the identity of the individual or entity responsible, so we will not speculate further on this matter.
As of now, no exploitation of the vulnerability has been detected in the wild.