Backdoor in upstream xz/liblzma

[TanvirOnGH]

Description

Backdoor in upstream xz/liblzma leading to ssh server compromise.

Info

CVE: CVE-2024-3094 Type: Backdoor Affects: xz-5.6.x Scope: openssh having a linked libsystemd

Solution/Mitigation

Do not use any of the affected versions of xz (xz-5.6.x).

References

0. https://tukaani.org/xz-backdoor/
1. https://www.openwall.com/lists/oss-security/2024/03/29/4
2. https://github.com/NixOS/nixpkgs/issues/300055
3. https://news.ycombinator.com/item?id=39865810
4. https://nvd.nist.gov/vuln/detail/CVE-2024-3094
5. https://github.com/advisories/GHSA-rxwq-x6h5-x525
6. https://github.com/NixOS/nixpkgs/issues/300055#issuecomment-2027690942
7. https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

[Kreyren]

NixOS reportedly not affected see discussion in https://matrix.to/#/#security-discuss:nixos.org

If you have a paranoid setup then consider: https://github.com/Kreyren/nixos-config/commit/3094dcaff60d3ac432a5a2ca76eb535d97d4c2bc

UPDATE: NixOS is reverting xz 5.4.6 -> 5.6.1 https://github.com/NixOS/nixpkgs/pull/300028 as they can't rule out that it's not affected

UPDATE: https://github.com/NixOS/nixpkgs/pull/300461

[Kreyren]

libarchive also considered affected: https://github.com/libarchive/libarchive/commits?author=JiaT75

See https://github.com/NixOS/nixpkgs/pull/300114

[Kreyren]

https://github.com/NixOS/nixpkgs/pull/300500

[Kreyren]

Might be useful: https://github.com/DarkKirb/nixos-config/pull/381/files

[TanvirOnGH]

Anthony Weems have been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so he patched his own key into the backdoor for testing.

https://github.com/amlweems/xzbot