April 1, 2024

xz Backdoor: What to Know + What to Do About the XZ Utils Vulnerability


Quickly Check for the xz Backdoor Vulnerability in Your Infrastructure

The xzscanner Puppet module automatically looks for a signature of the XZ Utils vulnerability on your system in the liblzma code, saving time and effort.


The xz backdoor is malicious code planted in XZ Utils, a widely used data compression package whose liblzma library is linked into many other programs. On affected hosts it gives an attacker who holds the matching private key unauthenticated, root-level command execution through the SSH daemon, putting every file and credential on the system at risk.

Read on to learn more about the xz backdoor, who’s affected, and what you can do now to find out if your systems are at risk. 


What is xz Backdoor?

The xz backdoor is a vulnerability caused by malicious code hidden in XZ Utils, a widely used data compression library. It lets an attacker holding a specific private key remotely run commands on systems where the compromised library is loaded into the SSH daemon. The backdoor was publicly disclosed on March 29, 2024.

The xz backdoor effectively creates an entry point into systems affected by it. The malicious code shipped in the XZ Utils 5.6.0 and 5.6.1 release tarballs. It is tracked as CVE-2024-3094, which the NIST National Vulnerability Database rates at CVSS 10.0, the maximum severity.


What Does the xz Backdoor Do?

The xz backdoor plants a hook inside the SSH daemon process (sshd). Because sshd runs as root and the hook fires before authentication, an attacker who can reach the SSH port and holds the required private key can execute arbitrary commands as root without ever logging in, effectively taking over the machine.

The backdoor is not in the compression and decompression routines that programs call. It was inserted at build time: the 5.6.0 and 5.6.1 release tarballs (not the project's git tree) carried a modified build script that extracted an obfuscated object file hidden among the test data and linked it into liblzma. When a program loads that liblzma, the injected code uses the library's IFUNC resolver, which runs during dynamic linking before the program's own code, to install hooks in the loading process. The intended victim is the SSH daemon: on distributions that patch OpenSSH to use libsystemd for service-readiness notification, sshd links libsystemd, which in turn links liblzma, so the backdoor ends up inside the root-owned sshd process. There it replaces the RSA_public_decrypt routine used during public-key authentication. A client that connects with a specially crafted key or certificate carrying a command signed with the attacker's private key has that command run through system() as root before authentication finishes; without that private key the hook does nothing. This is unauthenticated, root-level remote code execution rather than an "authorized" login, and no SSH traffic needs to be compressed for it to work.


xz Backdoor Risks

No confirmed reports of active exploitation have surfaced so far, but the backdoor amounts to a complete bypass of SSH authentication on affected hosts. It is a secret entry point into those systems, which is an obvious and severe security risk.

Puppet's agent-based configuration management doesn't rely on SSH to enforce consistent, secure configurations on managed nodes, which keeps the management channel out of the affected path. It does not by itself protect a node whose own sshd has loaded the backdoored library; that node still needs the remediation described below.

Learn more about agent vs. agentless security on our blog >>

Like any backdoor that bypasses authentication, the xz backdoor could theoretically lead to:

  • Admin-level access by unauthorized users, including outside attackers
  • Data exfiltration
  • Data tampering
  • Denial of service (DoS) attacks
  • Persistent access to affected assets

Who's Affected by the xz Backdoor?

The malicious xz backdoor code was baked into XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9). XZ Utils is available on most Linux distributions and other Unix-like operating systems (OSes), but two conditions have to hold for a host to be exploitable: a backdoored liblzma must be installed, and sshd must load that library (typically through libsystemd, which Debian- and Fedora-derived OpenSSH builds link for service notification). Stable releases of the major distributions never shipped the affected versions. The following rolling or development distributions did; note that Arch and Alpine shipped the package but build sshd without liblzma, so the sshd attack path is not exposed there:

  • Fedora 41 and Fedora Rawhide
  • Alpine Linux
  • Arch Linux (installation medium 2024.03.01, virtual machine images 20240301.218094 and 20240315.221711, and container images created between and including 2024-02-24 and 2024-03-28)
  • Kali Linux (between March 26 and 29)
  • openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and 28)
  • Debian testing, unstable, and experimental versions (from 5.5.1alpha-0.1 to 5.6.1-1)

According to the Apache Software Foundation, no Java software dependencies are affected by the xz backdoor code.

Is Puppet Affected by the XZ Backdoor Vulnerability?

The Puppet team has investigated, assessed, and prioritized the impact of the XZ Utils vulnerability and determined that the Puppet product suite is not impacted by xz backdoor.

  • RubyGems, a package manager used extensively by Puppet infrastructure and tooling, is not vulnerable to xz backdoor. An extensive audit by RubyGems.org revealed that no published Ruby gem contains the vulnerable liblzma library.
  • Continuous Delivery for Puppet Enterprise does not use an affected version of XZ Utils and is not impacted by xz backdoor.

What to Do About the xz Backdoor

If you think you might be using the software versions listed above, there are a few ways to find out if you’ve been impacted and prevent further compromise:

  • Check for affected software versions: Run xz --version; if it reports 5.6.0 or 5.6.1, or your package manager shows the liblzma package at one of those versions, treat the host as potentially compromised. On Debian and Ubuntu the library ships as liblzma5, separately from the xz-utils package, so check both. Also confirm whether sshd links liblzma at all (ldd on the sshd binary), since that is what turns an installed bad library into a remotely reachable one.
  • Downgrade or patch: Check with your OS vendor and the XZ Utils project site for a fixed package. If none exists, downgrade to a non-compromised version of XZ Utils (e.g., 5.4.6 Stable). Replacing the package only changes the file on disk; a running sshd keeps executing the library it mapped at start, so restart sshd (and any other long-running process that loaded liblzma) after the change.
  • Review system logs: Keep an eye out for unauthorized access or suspicious activity on affected systems. Because the backdoor fires before authentication, a triggered payload would not show up as an ordinary successful login, so also look for unexplained child processes of sshd and for changes or outbound connections you cannot account for.
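The shell script below is an added example, not code from this article or from the Puppet project. It performs the checks listed above on a single host and also makes the earlier point about the mechanism concrete: the backdoor is only remotely reachable if sshd maps liblzma, which the script confirms with ldd before looking at the library itself. The byte pattern it searches for is the one published with the script in the original oss-security disclosure and is an assumption here; confirm it against that source before relying on it. The final check catches the common mistake of rolling the package back without restarting sshd.

```shell
#!/bin/sh
# Added example, not from the article or the Puppet project: check one host
# for CVE-2024-3094 along the sshd -> libsystemd -> liblzma path.

# Upstream releases whose tarballs carried the backdoor.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Byte pattern from the script in the original oss-security disclosure (the
# prologue of the injected function in the backdoored liblzma). Treated as an
# assumption here: confirm it against that source before relying on it.
BACKDOOR_SIG="f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"

# Returns 0 if an upstream version string is one of the backdoored releases.
xz_version_affected() {
  for v in $AFFECTED_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Pulls the upstream version out of `xz --version` output, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the text as $1 so it can be
# exercised on constructed input.
parse_xz_version() {
  printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Path of the liblzma sshd would map at start. Prints nothing when sshd does
# not link it (directly or via libsystemd); in that case the pre-auth path is
# not exposed even if the bad package is installed.
sshd_liblzma_path() {
  sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  [ -x "$sshd_bin" ] || return 1
  ldd "$sshd_bin" 2>/dev/null |
    awk '/liblzma/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# Returns 0 if the file contains the backdoor byte pattern. od is used instead
# of hexdump because it is POSIX and present on minimal images.
liblzma_has_signature() {
  [ -r "$1" ] || return 1
  od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$BACKDOOR_SIG"
}

# Returns 0 if a running sshd still maps a liblzma that was replaced on disk,
# which is what a package rollback without a service restart leaves behind.
sshd_maps_replaced_liblzma() {
  for pid in $(pgrep -x sshd 2>/dev/null); do
    grep -q 'liblzma.*(deleted)' "/proc/$pid/maps" 2>/dev/null && return 0
  done
  return 1
}

# Runs all checks against the local host. Exit status: 0 clean, 2 signature
# found, 3 package replaced but sshd not restarted.
check_host() {
  ver=$(parse_xz_version "$(xz --version 2>/dev/null | head -n 1)")
  if [ -n "$ver" ] && xz_version_affected "$ver"; then
    echo "xz $ver installed: backdoored upstream release"
  else
    echo "xz ${ver:-unknown} installed: not a backdoored release"
  fi
  lib=$(sshd_liblzma_path) || lib=""
  if [ -z "$lib" ]; then
    echo "sshd missing or does not load liblzma: sshd attack path not exposed"
    return 0
  fi
  if liblzma_has_signature "$lib"; then
    echo "$lib contains the backdoor signature: treat host as compromised"
    return 2
  fi
  echo "$lib does not contain the backdoor signature"
  if sshd_maps_replaced_liblzma; then
    echo "a running sshd still maps a replaced liblzma: restart sshd"
    return 3
  fi
  return 0
}

# Only probe the live host when asked, so the functions can be sourced or
# tested without touching the system: sh xz_check.sh --run
if [ "${1:-}" = "--run" ]; then
  check_host
fi
```

Run it as root so /proc/<pid>/maps of sshd is readable; a signature hit means rebuilding the host from known-good media, not just downgrading, since the backdoor had root inside sshd for as long as it was loaded.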

Using Puppet to Secure Against the xz Backdoor

Puppet automation and configuration management can be used to address the xz backdoor issue in a number of ways. With agent-based automation that doesn't rely on SSH, as well as the ability to automate deployment, configuration, and management of software, Puppet is capable of identifying specific vulnerabilities quickly and taking action across a large number of systems in enterprise IT. 

Read more about how a new module from the Puppet community is supporting xz backdoor remediation on our dev.to blog: “The internet is on fire again. This time it's XZ” >>

Here's how Puppet can be used to mitigate the xz backdoor vulnerability:

  • Quickly identify affected systems: By querying your package management system or checking system configurations, Puppet can be used to detect affected versions of XZ Utils running across disparate systems.
    • The xzscanner module on the Puppet Forge was built for this specific purpose. It looks for a signature of the vulnerability on your system in the liblzma code.
  • Automatically downgrade installs to a secure version of XZ Utils: By writing a Puppet manifest that specifies the desired package version, you can automate the process of downgrading the XZ Utils package to a secure version.
    • After Puppet has downgraded XZ Utils in your systems to remediate the vulnerability, Puppet will check regularly (every 30 minutes by default) to make sure no systems have reverted to the compromised versions. If it finds any, it’ll automatically reapply the downgrade to noncompliant systems.
  • Keep an eye on security and compliance: Puppet keeps your systems in compliance with internal and external compliance policies – whatever you’ve defined as the desired state of your infrastructure. By consistently remediating vulnerable software configurations, Puppet makes sure the xz backdoor doesn’t affect your compliance posture.
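As an added example that is not the article's or Puppet's own code, the script below generates the manifest described above and applies it with puppet apply. It assumes the package and service names shown for Debian- and Fedora-family hosts, that the Puppet agent is installed, and that you pass the fixed version string exactly as your vendor's repository publishes it (Debian, for instance, shipped its fix as a 5.6.1+really5.4.5 version that sorts above the bad release, so to apt it looks like an upgrade). Two details the paragraph above leaves out are built in: on Debian-family hosts liblzma ships in liblzma5, not in xz-utils, so pinning xz-utils alone leaves the backdoored library on disk; and the manifest subscribes the SSH service to the packages so that sshd is restarted and stops running the library it mapped at start.

```shell
#!/bin/sh
# Added example, not from the article or the Puppet project: build and apply
# a Puppet manifest that pins the xz packages to a vendor-fixed version and
# restarts sshd whenever they change. Package and service names below are
# assumptions for Debian- and Fedora-family hosts; Puppet must be installed.

# Packages carrying the xz CLI and liblzma for a distro family. On Debian-family
# systems liblzma is a separate package, so pinning xz-utils alone would leave
# the backdoored library on disk.
packages_for() {
  case "$1" in
    debian) echo "xz-utils liblzma5" ;;
    fedora) echo "xz xz-libs" ;;
    *)      return 1 ;;
  esac
}

# Name of the OpenSSH server service for a distro family.
sshd_service_for() {
  case "$1" in
    debian) echo ssh ;;
    *)      echo sshd ;;
  esac
}

# Maps ID / ID_LIKE from os-release (path overridable for testing) to a family.
distro_family() {
  f="${1:-/etc/os-release}"
  [ -r "$f" ] || return 1
  ids=$(sed -n 's/^ID=//p; s/^ID_LIKE=//p' "$f" | tr -d '"' | tr '\n' ' ')
  case " $ids " in
    *debian*|*ubuntu*)        echo debian ;;
    *fedora*|*rhel*|*centos*) echo fedora ;;
    *)                        return 1 ;;
  esac
}

# Renders "Package['a'], Package['b']" for use in a subscribe list.
package_refs() {
  out=""
  for p in "$@"; do
    out="${out:+$out, }Package['$p']"
  done
  printf '%s' "$out"
}

# Prints the manifest: each package pinned to $2 (the version string exactly
# as your vendor publishes it), and the SSH service restarted when any of them
# changes. Puppet's apt and yum providers install the named version even when
# it is older than what is installed; verify that on your platform first.
manifest_for() {
  family="$1"; version="$2"
  pkgs=$(packages_for "$family") || return 1
  for p in $pkgs; do
    printf "package { '%s':\n  ensure => '%s',\n}\n\n" "$p" "$version"
  done
  printf "service { '%s':\n  ensure    => running,\n  subscribe => [%s],\n}\n" \
    "$(sshd_service_for "$family")" "$(package_refs $pkgs)"
}

# Writes the manifest, previews it with --noop, then enforces it. Put the same
# resources in your site code so the agent's regular runs keep enforcing them.
apply_remediation() {
  family=$(distro_family) || { echo "unsupported distro" >&2; return 1; }
  out=/tmp/xz_remediate.pp
  manifest_for "$family" "$1" > "$out"
  puppet apply --noop "$out" && puppet apply "$out"
}

# Only touch the live host when asked: sh xz_remediate.sh --apply <version>
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
  apply_remediation "$2"
fi
```

Once the packages are fixed, the service resource is what makes the change effective immediately; without the subscribe, Puppet would report the package converged while the old library stayed mapped in sshd until the next reboot or manual restart.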

Learn more about using Puppet automation and configuration management for security by contacting our team or starting a free trial of Puppet Enterprise today.


Head of Product Security Shellee Riverman and Principal Software Engineer Nick Burgan-Illig contributed to this article.
