Backdoor in upstream xz/liblzma leading to SSH server compromise

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of debian’s package, but it turns out to be upstream.

Andres Freund

I don’t normally report on security issues, but this is a big one not just because of the severity of the issue itself, but also because of its origins: it was created by and added to upstream xz/liblzma by a regular contributor of said project, and makes it possibly to bypass SSH encryption. It was discovered more or less by accident by Andres Freund.

I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access. Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution.

Andres Freund

The exploit was only added to the release tarballs, and not present when taking the code off GitHub manually. Luckily for all of us, the exploit has only made it way to the most bloodiest of bleeding edge distributions, such as Fedora Rawhide 41 and Debian testing, unstable and experimental, and as such has not been widely spread just yet. Nobody seems to know quite yet what the ultimate intent of the exploit seems to be.

Of note: the person who added the compromising code was recently added as a Linux kernel maintainer.

19 Comments

  1. 2024-03-29 7:34 pm
  2. 2024-03-30 12:30 am
    • 2024-03-30 1:11 am
      • 2024-03-30 1:45 am
    • 2024-03-30 4:06 am
      • 2024-03-30 1:14 pm
  3. 2024-03-30 1:54 pm
  4. 2024-03-30 4:56 pm
    • 2024-03-30 6:50 pm
      • 2024-03-30 7:34 pm
        • 2024-03-30 8:13 pm
        • 2024-03-30 8:24 pm
      • 2024-03-30 8:10 pm
        • 2024-03-30 8:35 pm
          • 2024-03-30 9:33 pm
          • 2024-03-30 10:18 pm
          • 2024-03-31 1:30 am