Breachwire.riscent

Breach report

The XZ Utils backdoor: a two-year social-engineering supply-chain attack

Web Application BreachesCritical (CVSS 10.0)CVE-2024-30942024-03
The bottom lineA malicious backdoor was patiently inserted into the xz/liblzma compression library by a long-trusted maintainer persona, designed to break sshd authentication and grant remote unauthorized access, scoring the maximum CVSS 10.0.
Category
Web Application Breaches
Type
CVE · Supply-chain backdoor
Date
2024-03
Severity
Critical (CVSS 10.0)
OWASP
Web A03 Software Supply Chain Failures
CWE / CVE
CWE-506 CVE-2024-3094

What happened

In late March 2024, a deliberately planted backdoor was discovered in XZ Utils, the compression tools and the underlying liblzma library shipped with virtually every Linux distribution. Tracked as CVE-2024-3094 with a maximum CVSS of 10.0, the malicious code was hidden in the distribution tarballs and activated only during builds on x86-64 Linux systems using gcc and the GNU linker. According to Red Hat, the compromised library could "enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely."

Versions 5.6.0 and 5.6.1 were affected. A developer investigating unusual SSH latency traced the anomaly to liblzma and disclosed the backdoor on the oss-security mailing list, prompting an urgent call to stop using the compromised versions and downgrade to the 5.4.x line. Because the backdoored releases had not yet reached most stable distributions, widespread exploitation was narrowly avoided.

Root cause

This was embedded malicious code (CWE-506) delivered through the software supply chain. The attacker, operating under the handle "Jia Tan," spent a long period building trust as a co-maintainer before contributing the obfuscated payload. The malicious logic lived in the release tarballs rather than the visible source repository, so a casual reader of the Git history would not have seen it — the trust in a maintainer, not a coding mistake, was the vulnerability.

How it would have been caught

Reproducible builds that compare the release tarball against a build from clean source would have exposed the discrepancy immediately. Comparing shipped artifacts to committed source, and profiling the resulting binary's behavior, is exactly what surfaced this backdoor. A reproduction builds sshd against the poisoned liblzma and confirms the authentication bypass triggers for the attacker's key.

How to prevent it

  • Require reproducible builds and verify that released artifacts match a build from audited source.
  • Scrutinize the provenance of maintainers and the contents of tarballs, not just the visible commit history.
  • Pin and verify dependency hashes, and prefer building from source over consuming opaque prebuilt binaries where feasible.
  • Watch for behavioral anomalies (latency, unexpected syscalls) as a last-line detection.

The Breachwire test (red → green)

Build sshd against the backdoored liblzma 5.6.x and confirm that the attacker's crafted key bypasses authentication and grants remote access — the RED control. Rebuild against a clean 5.4.x release verified by hash, replay the same key, and confirm access is refused, while legitimate key-based logins still succeed.