All about the xz-utils backdoor

As of 5:00 pm ET on March 29, 2024 the following information is accurate. Should there be updates to this situation, they will be edited onto this blog post.

The xz-utils package, starting from versions 5.6.0 to 5.6.1, was found to contain a backdoor (CVE-2024-3094). This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized access to the entire system remotely.

With a library this widely used, the severity of this vulnerability poses a threat to the entire Linux ecosystem. Luckily, this issue was caught quickly so the impact was significantly less than it could have been. It has already been patched in Debian, and therefore, Kali Linux.

The impact of this vulnerability affected Kali between March 26th to March 29th, during which time xz-utils 5.6.0-0.2 was available. If you updated your Kali installation on or after March 26th, but before March 29th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.

Should you wish to check if you have the vulnerable version installed, we can perform the following command:

kali@kali:~$ apt-cache policy liblzma5  
 Installed: 5.4.5-0.3  
 Candidate: 5.6.1+really5.4.5-1  
 Version table:  
    5.6.1+really5.4.5-1 500  
       500 kali-rolling/main amd64 Packages  
*** 5.4.5-0.3 100  
       100 /var/lib/dpkg/status

If we see the version 5.6.0-0.2 next to Installed: then we must upgrade to the latest version, 5.6.1+really5.4.5-1. We can do this with the following commands:

kali@kali:~$ sudo apt update && sudo apt install -y --only-upgrade liblzma5

More information can be found at Help Net Security for a summarized post on the details of the vulnerability, Openwall for the initial disclosure, and NIST’s NVD entry for this vulnerability.