Skip to main content
3SN3rd Stone Networks Logo
NewsMar 29, 20242 min read

XZ Utils Supply Chain Attack: A Backdoor in Plain Sight

A sophisticated supply chain attack inserted a backdoor into XZ Utils, a ubiquitous Linux compression library, nearly compromising major Linux distributions worldwide.

By 3SN Editorial
#XZ Utils#Supply Chain#Backdoor#Linux Security#Open Source
XZ Utils Supply Chain Attack: A Backdoor in Plain Sight
Supply Chain Security
Mar 29, 20243SN Newsroom

XZ Utils Supply Chain Attack: A Backdoor in Plain Sight

A sophisticated supply chain attack inserted a backdoor into XZ Utils, a ubiquitous Linux compression library, nearly compromising major Linux distributions worldwide.

XZ Utils Supply Chain Attack: A Backdoor in Plain Sight

TL;DR

  • A backdoor was discovered in XZ Utils versions 5.6.0 and 5.6.1, inserted through a sophisticated social engineering campaign targeting the project maintainer.
  • The backdoor could allow remote code execution on systems using the compromised library, particularly affecting SSH authentication through systemd integration.
  • The attack was caught by chance when a Microsoft engineer noticed unusual performance degradation, preventing what could have been a catastrophic supply chain compromise.

The short version

A backdoor nearly made it into one of the most fundamental libraries in Linux. XZ Utils is everywhere. It compresses and decompresses data for package managers, system tools, and countless applications. Attackers spent months gaining the trust of the project maintainer through a sophisticated social engineering campaign. They introduced obfuscated code that could compromise SSH authentication on affected systems. The attack was caught by accident when a Microsoft engineer noticed unusual CPU usage. If not for that chance observation, millions of systems worldwide could have been compromised for years.

Why this matters beyond a single product

This incident exposes the fragility of open source supply chains. Critical infrastructure often depends on libraries maintained by a single person working in their spare time. Attackers know this. They target maintainers who are overwhelmed, offering help that gradually becomes harmful. The XZ backdoor also demonstrates how sophisticated supply chain attacks have become. This was not a simple code injection. It was a long-term operation involving multiple personas, gradual trust building, and carefully obfuscated malicious code. The implications extend far beyond XZ. Every organization using open source software must consider: which of our dependencies could be targeted the same way? Do we know who maintains them? Are they adequately supported?

Practical next steps for teams

First, verify your XZ Utils version and update if needed. Most stable distributions were not affected, but check regardless. Second, use this incident as a catalyst to audit your open source dependencies. Identify critical libraries with single maintainers or insufficient support. Consider how you can contribute to their sustainability. Third, review your build and deployment processes. Reproducible builds, supply chain verification tools, and software bill of materials practices can help detect or prevent similar attacks. The goal is not to eliminate open source dependencies. It is to manage them with appropriate security rigor.

3SN perspective

Open source is not inherently insecure. But it does require investment. The XZ backdoor was possible because a critical project was under-resourced. We believe organizations that benefit from open source have a responsibility to contribute back, whether through funding, code contributions, or security review. Security is a shared responsibility across the ecosystem. When we strengthen the foundations, everyone benefits. This incident is a reminder that the code running our infrastructure deserves the same attention and resources as the products we sell.

What happened

On March 29, 2024, Microsoft engineer Andres Freund reported discovering a backdoor in XZ Utils, a widely used compression library present in nearly all Linux distributions. Investigation revealed that malicious code had been inserted into versions 5.6.0 and 5.6.1 through a months-long social engineering campaign. Attackers using the personas Jia Tan and others gained the trust of the project maintainer, who was overwhelmed with responsibilities. They gradually introduced obfuscated test files containing the backdoor, which was designed to compromise SSH authentication on systems using systemd. The backdoor could allow remote attackers to bypass authentication and execute code as root. The attack was discovered accidentally when Freund noticed SSH connections using more CPU than expected while benchmarking PostgreSQL.

Who’s affected

Organizations running vulnerable versions of XZ Utils (5.6.0 or 5.6.1), particularly those using distributions that had already integrated these versions such as Fedora Rawhide, Fedora 40 beta, and certain Arch Linux installations. Most stable enterprise distributions had not yet adopted the compromised versions. The potential impact was enormous: XZ Utils is a fundamental component used for compression across Linux systems, and the backdoor could have affected millions of systems if not discovered.

What to do now

  1. Verify your XZ Utils version and downgrade to 5.4.6 or upgrade to 5.6.2 or later if running vulnerable versions.
  2. Review systems for signs of compromise, including unusual SSH activity or unexpected processes.
  3. Audit your supply chain for similar risks: critical dependencies with single maintainers or insufficient code review.

Technical analysis

Mitigations & recommendations

critical

Update XZ Utils immediately

Ensure you are running XZ Utils version 5.4.6 or versions 5.6.2 and later. Downgrade or upgrade if running compromised versions 5.6.0 or 5.6.1.

critical

Audit for signs of compromise

Review SSH logs and system processes for unusual activity. Look for unexpected CPU usage during SSH connections or unknown processes.

high

Strengthen open source governance

Review critical dependencies for maintenance status, funding, and code review practices. Consider supporting projects with structural vulnerabilities like single maintainers.

medium

Implement reproducible builds

Use reproducible build processes to verify that compiled binaries match the source code, making it harder to insert malicious code during the build process.

References

Backdoor in upstream xz/liblzma leading to SSH server compromise
OpenWall OSS-Security2024-03-29
XZ Utils Backdoor CVE-2024-3094
CVE2024-03-29
CISA Alert: Supply Chain Compromise of XZ Utils
CISA2024-03-29

Related Articles

Explore more insights and updates from our security experts

SmarterMail Auth Bypass: When Password Reset Becomes Initial Access
Vulnerability Management
Feb 10, 20261 min read

SmarterMail Auth Bypass: When Password Reset Becomes Initial Access

CISA added a SmarterMail auth bypass to the KEV catalog after active exploitation. Here is what it means, how it works at a high level, and what to do first.

3rd Stone Networks
Read more
FortiCloud SSO Zero‑Day: When Identity Becomes the Blast Radius
Identity & Access
Feb 9, 20261 min read

FortiCloud SSO Zero‑Day: When Identity Becomes the Blast Radius

CSO Online reports Fortinet temporarily disabled FortiCloud SSO after a critical zero‑day. Here’s what that means for teams relying on centralized identity, plus practical next steps.

3rd Stone Networks
Read more
3SN Launches Enterprise Partnership Program: Expanding Security Excellence Through Channel Partners
Company Update
Nov 15, 20243 min read

3SN Launches Enterprise Partnership Program: Expanding Security Excellence Through Channel Partners

3SN announces its Enterprise Partnership Program, enabling resellers, MSPs, and technology partners to deliver 3SN security solutions to their customers.

3rd Stone Networks
Read more
View all news