TL;DR: Update immediately, especially if SSH is enabled. xz versions 5.6.0 & 5.6.1 are impacted. The article contains links to each distro’s specific instructions of what to do.
https://news.opensuse.org/2024/03/29/xz-backdoor/
Current research indicates that the backdoor is active in the SSH Daemon, allowing malicious actors to access systems where SSH is exposed to the internet.
In summary, the conditions for exploitation seem to be:
- xz version 5.6.0 or 5.6.1
- SSH with a patch that causes xz to be loaded
- SSH daemon enabled
Impact on distros
- Arch Linux: Backdoor was present, but shouldn’t be able to activate. Updating is still strongly recommended.
- Debian: Testing, Unstable, and Experimental are affected (update to `xz-utils` version `5.6.1+really5.4.5-1`). Stable is not affected.
- Fedora: 41 is affected and should not be used. Fedora 40 may be affected (check the version of `xz`). Fedora 39 is not affected.
- FreeBSD: Not affected.
- Kali: Affected.
- NixOS: NixOS unstable has the backdoor, but it should not be able to activate. NixOS stable is not affected.
- OpenSUSE: Tumbleweed and MicroOS are affected. Update to `liblzma5` version `5.6.1.revertto5.4`. Leap is not affected.
- youRFate (@youRFate@feddit.de), 25 points, 8 months ago
FYI: if you run freebsd you are not affected: https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
Took me a while to find out so I thought I’d share.
Thanks, edited this into the post (along with the distros listed by LWN)
- viking (@viking@beehaw.org), 14 points, 8 months ago
The story about this backdoor is really wild if it’s true https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
- flatbield (@furrowsofar@beehaw.org), 8 points, 8 months ago
Why ssh? Does ssh use xz?
- jack (@jack@monero.town), 14 points, 8 months ago
Ssh uses systemd and systemd uses lzma (xz)
- Admiral Patrick (@ptz@dubvee.org), 12 points, 8 months ago
Not directly, but it’s often integrated with systemd which does.
What may not be clear is the connection to SSH. And it’s a trip. Many Linux distros patch sshd to add systemd features, and libsystemd pulls the liblzma library. That means the liblzma initialization code gets run when sshd starts.
https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/
- outbound (@outbound@lemmy.ca), 4 points, 8 months ago
Yes. ssh’s RSA encryption uses liblzma.
- Kissaki (@Kissaki@beehaw.org), 6 points, 8 months ago
This analysis has some technical information on how it injects itself, conditionally, into deb and rpm from src tar.
- jarfil (@jarfil@beehaw.org), 3 points, 8 months ago
Holy c… that’s quite a writeup, and what a rat’s nest of an exploit. A long time ago, I used to know some reverse engineering, then I got an `eval $zrKcTy` to the got.plt. Wonder what it turns out to have been doing.
- Gamers_Mate (@Gamers_Mate@kbin.social), 6 points, 8 months ago
I’m new to Linux, does this include Linux Mint since it is based on Debian?
- termus (@termus@beehaw.org), 11 points, 8 months ago
Likely not since most of these are dev or experimental of the latest version.
Check `xz --version`
If you’re not on the two listed above you’re fine.
As far as I can tell running xz directly should be fine, but for the extra paranoid check the version of the `xz-utils` package. If it is safe, it will be either less than `5.6.0`, or it should be `5.6.1+really5.4.5-1` (xz `5.4.5` with a spoof version number to ensure compromised systems get the update).
- Gamers_Mate (@Gamers_Mate@kbin.social), 3 points, 8 months ago
awesome thanks I did (xz --version) to check and it is using an unaffected version.
- jarfil (@jarfil@beehaw.org), 1 point, 8 months ago
WSL2 2.1.5:
- (system) CBL-Mariner / Azure Linux: xz-libs 5.2.5-1.cm2
- Ubuntu 22.04.4 LTS: xz-utils 5.2.5-2ubuntu1
- Kali (rolling): Same fix as for Debian Testing (update to xz-utils version 5.6.1+really5.4.5-1)
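A shell check, added here as an example and not taken from the thread or from any distro's tooling, that does what termus suggests above and also understands the spoofed package versions quoted in the post (Debian's `5.6.1+really5.4.5-1`, openSUSE's `5.6.1.revertto5.4`) and the package strings in the WSL2 list just above; the function names and the `--host` flag are my own, and the sshd check assumes `ldd` is available.

```shell
#!/bin/sh
# Added example, not from the thread or any distro's tooling. Names are my own.
# Reduce a package version string to the upstream xz/liblzma version it really
# ships, honouring the two "spoof" schemes quoted in the thread:
#   Debian/Kali:  5.6.1+really5.4.5-1   -> 5.4.5
#   openSUSE:     5.6.1.revertto5.4     -> 5.4
# and dropping the distro release suffix (-1, -2ubuntu1, -1.cm2, ...).
effective_version() {
    v="$1"
    case "$v" in
        *+really*)   v="${v#*+really}" ;;
        *.revertto*) v="${v#*.revertto}" ;;
    esac
    printf '%s\n' "${v%%-*}"
}

# Returns 0 when the effective version is one of the backdoored releases.
xz_affected() {
    case "$(effective_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Inspect the running host: does sshd pull in liblzma (via the systemd patch the thread describes), and is that liblzma in the affected range?
check_host() {
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | grep -q liblzma; then
        echo "sshd ($sshd_bin) links liblzma: its init code runs when sshd starts"
    else
        echo "sshd not found or not linked against liblzma"
    fi
    if command -v xz >/dev/null 2>&1; then
        # second line of `xz --version` is "liblzma X.Y.Z", the library sshd would load
        lz=$(xz --version 2>/dev/null | awk '/^liblzma/ {print $2; exit}')
        if xz_affected "$lz"; then
            echo "liblzma $lz: AFFECTED, update now"
        else
            echo "liblzma $lz: not in the affected range"
        fi
    fi
    # Distro package string, where dpkg is available (this is where the +really spoof shows up)
    if command -v dpkg-query >/dev/null 2>&1; then
        pkg=$(dpkg-query -W -f='${Version}' xz-utils 2>/dev/null) &&
            echo "xz-utils package: $pkg (effective $(effective_version "$pkg"))"
    fi
}

# Run the live check only when asked, so the functions can be sourced or tested on their own.
if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run it as `sh check-xz.sh --host` on the machine in question; `xz --version` alone reports the upstream number, so the dpkg query is what reveals whether a Debian-family box already has the reverted package.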