A backdoor has been identified in versions 5.6.0 and 5.6.1 of XZ Utils (assigned CVE-2024-3094), which under some conditions may allow SSH authentication bypass in specific versions of certain Linux distributions.
According to Wiz data, while XZ Utils itself is highly prevalent, only approximately 2% of cloud environments have instances with versions vulnerable to CVE-2024-3094.
Malicious code has been found in the XZ project's source packages, beginning with release 5.6.0. Through a series of complex obfuscations, a concealed test file within the source code is used during the liblzma compilation process to extract a precompiled object file. This file then alters particular functions within the liblzma code. The result is a compromised liblzma library, which affects OpenSSH when it supports systemd notification: libsystemd relies on lzma, so the backdoor can intercept and alter its data exchanges. Specifically, certain Linux distributions use this library for SSH, and could therefore be vulnerable to remote authentication bypass.
The malicious code is obfuscated and can only be found in the complete release download package, not in the Git repository, which lacks the M4 macro that triggers the backdoor build process. If the malicious macro is present, the second-stage artifacts that do exist in the Git repository are injected at build time.
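The two conditions described above (an affected liblzma release, and an sshd that links libsystemd and through it liblzma) are what a defender needs to triage. The script below is an added example, not code from the Wiz post or from the XZ project: it parses `xz --version` and `ldd` output for those two conditions. The sample outputs embedded in it are constructed for offline use (the library paths and load addresses are illustrative), and the `--live` switch, which runs the real commands on the host, and the `/usr/sbin/sshd` path are assumptions.

```python
"""Added example: offline/online triage for CVE-2024-3094 (XZ Utils backdoor).

Checks (1) whether the installed liblzma is one of the backdoored releases
5.6.0 or 5.6.1, and (2) whether sshd links libsystemd and liblzma, which is
what places the compromised library in the SSH authentication path.
"""
import re
import subprocess
import sys

# Backdoored releases named in the advisory.
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# Constructed sample of `xz --version` output (same shape as the real tool prints).
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"

# Constructed sample of `ldd /usr/sbin/sshd` output; paths/addresses are illustrative.
SAMPLE_LDD_OUTPUT = (
    "\tlinux-vdso.so.1 (0x00007ffd3c5f1000)\n"
    "\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0a2c000000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0a2bf00000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0a2be00000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a2bc00000)\n"
)


def parse_liblzma_version(xz_version_output):
    """Return the liblzma version as a (major, minor, patch) tuple, or None."""
    m = re.search(r"^liblzma\s+(\d+)\.(\d+)\.(\d+)", xz_version_output, re.M)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True only for the two backdoored releases; None (unparsed) is not affected."""
    return version in AFFECTED_VERSIONS


def linked_libraries(ldd_output):
    """Collect shared-object names (e.g. 'liblzma.so.5') from ldd output lines."""
    return {line.split()[0] for line in ldd_output.splitlines() if line.strip()}


def sshd_exposure(ldd_output):
    """True when sshd pulls in both libsystemd and liblzma."""
    libs = linked_libraries(ldd_output)
    has_systemd = any(lib.startswith("libsystemd.so") for lib in libs)
    has_lzma = any(lib.startswith("liblzma.so") for lib in libs)
    return has_systemd and has_lzma


def assess(xz_version_output, ldd_output):
    """Combine both checks; 'at_risk' requires an affected version AND exposure."""
    version = parse_liblzma_version(xz_version_output)
    affected = is_affected_version(version)
    exposed = sshd_exposure(ldd_output)
    return {
        "liblzma_version": version,
        "affected_version": affected,
        "sshd_links_systemd_and_lzma": exposed,
        "at_risk": affected and exposed,
    }


def _run(cmd):
    """Run a command and return its stdout, or '' if it is missing (assumed paths)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    if "--live" in sys.argv:
        # Assumed sshd location; adjust for the distribution being checked.
        result = assess(_run(["xz", "--version"]), _run(["ldd", "/usr/sbin/sshd"]))
    else:
        result = assess(SAMPLE_XZ_VERSION, SAMPLE_LDD_OUTPUT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Without `--live` the script evaluates the constructed samples (an affected 5.6.1 on a host whose sshd links libsystemd) and reports `at_risk: True`; a host on an unaffected release, or whose sshd does not link libsystemd, reports `at_risk: False`. The version check alone is not sufficient, which is why the exposure check is combined with it rather than reported in isolation.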
The author of the malicious code (@JiaT75) reportedly also submitted code to the oss-fuzz project that may have specifically prevented this fuzzer from being able to detect the backdoor they planted in XZ Utils.