SSH Library Compromised: Malicious Backdoor Discovered

— Sam Jacob Dec, 2, 2023

Cybeer Security Blogs >> Secrets In Code >> SSH Library Compromised

Malicious backdoor found in SSH libraries

On March 29th, it was reported that malicious code enabling unauthorized remote SSH access has been detected within XZ Utils, a widely used package present in major Linux distributions (The GitHub project originally hosted here is now suspended). 

Andres Freund, a principal software engineer at Microsoft, discovered the backdoor and reported it to Linux distributor Openwall on Friday morning.

Vulnerability Details:

The backdoor is found on liblzma, a package within XZ library that does lot of compression on the internet as part of OpenSSH. Malicious code hidden in the utility package creates a critical supply chain threat that potentially exposes SSH services to unauthorized access.

Malicious .m4 files added to the xz tarballs in version 5.6.0, which was released on Feb. 24, contained automake instructions for building the compression library liblzma that modified its functions to allow for unauthorized access.

These changes to liblzma can lead to sshd compromise due to many Linux distros incorporating libsystemd, which enables systemd notifications and is dependent on liblzma, into their OpenSSH implementations.

The added .m4 cmfiles were heavily obfuscated, apparently to hide their malicious function, and were added by a user who has been an active contributor to the xz project for two years.

CVE: The U.S. Cybersecurity & Infrastructure Security Agency (CISA) released an alert about the issue, which is tracked as CVE-2024-3094 and has a maximum CVSS score of 10, warning developers and users to downgrade xz to a safe version such as version 5.4.6 stable.

Who is affected by CVE-2024-3094?

Fortunately, the malicious code was discovered quickly and managed to infect only two of the most recent versions of the package, 5.6.0 and 5.6.1, which were released within the past month. Stable versions of most Linux distributions were not affected.

Fortunatley, XZ 5.6.0 and 5.6.1 have not yet been widely integrated by Linux distributions, and where they have, they are mostly in pre-release versions.”

The following distributions were affected by the attack – 


Affected Branches

Affected Packages




40, 41, Rawhide (active development)



Fedora 40 – Update to latest version (5.4.x).

Fedora 41 & Rawhide – Stop using immediately.



testing, unstable (sid), experimental

xz-utils 5.5.1alpha-0.1

(uploaded on 2024-02-01), up to and including 5.6.1-1

Update to latest version (5.6.1+really5.4.5-1)

No stable branches are affected


Edge (active development)

xz 5.6.1-r0, 5.6.1-r1

Update to latest version (5.6.1-r2)

No stable branches are affected



xz-utils 5.6.0-0.2

(Kali installations updated between March 26th to March 29th)

Update to latest version (5.6.1+really5.4.5-1)




xz-5.6.0, xz-5.6.1

Update to latest version (5.6.1.revertto5.4)


Arch Linux


xz 5.6.0-1

Update to latest version (5.6.1-2)



Check if your version of “xz” is one of the affected versions. Note that it is recommended to continuously scan your codebase to detect such vulnerabilities in open-source and third-party libraries.

Immediately downgrade your version of xz to an earlier version (5.4.6 is the latest unaffected version in most distributions).

  • Red Hat published an urgent security alert Friday, warning users to immediately stop using any instances of Fedora Rawhide due to a potential compromise through xz. The alert also recommends users downgrade Fedora Linux 40 to a version that uses XZ 5.4, although Red Hat reports that no Fedora Linux 40 builds have been shown to be compromised. Red Hat Enterprise Linux is not affected by any version.
  • Freund discovered the backdoor while testing the latest unstable distribution of Debian, and Debian’s security advisory confirms the compromised utility was included in its testing, unstable and experimental distributions. The advisory states the package has been reverted to version 5.4.5 and urges users to apply the update.
Blog by- SecIQ Security Research Team