After 2024-04-02 I am only adding important new discoveries (I come accross). There is just too much Blog and Video entries to keep track of.

Initial disclosure:

• https://www.openwall.com/lists/oss-security/2024/03/29/4
• Aka https://lwn.net/ml/oss-security/[email protected]/

CVE and Alerts

• https://github.com/advisories/GHSA-rxwq-x6h5-x525
• https://nvd.nist.gov/vuln/detail/CVE-2024-3094
• https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
• https://www.cisecurity.org/advisory/a-vulnerability-in-xz-utils-could-allow-for-remote-code-execution_2024-033

Media & Industry Coverage

• https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
• https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa
• https://securityonline.info/cve-2024-3094-cvss-10-backdoor-flaw-discovered-in-popular-linux-compression-tool/?expand_article=1 (ad popup warning)
• https://www.phoronix.com/news/GitHub-Disables-XZ-Repo
• https://lwn.net/Articles/967180/
• https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/
• https://www.gamingonlinux.com/2024/03/xz-tools-and-libraries-compromised-with-a-critical-issue/
• https://linuxiac.com/the-upstream-xz-tarballs-have-been-backdoored/
• https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/
• (de) https://tarnkappe.info/artikel/linux/backdoor-in-openssh-server-gefunden-291281.html
• Low level Learning: situation breakdown https://youtu.be/jqjtNDtbDNI
• Low Level Learning: xz-bot demo https://youtu.be/vV_WdTBbww4
• https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/
• https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
• https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html
• (de) https://www.heise.de/news/Hintertuer-in-xz-Bibliothek-gefaehrdet-SSH-Verbindungen-9671317.html
• (de) https://www.heise.de/news/xz-Attacke-Hintertuer-entraetselt-weitere-Details-zu-betroffenen-Distros-9671588.html
• https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
• https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
• blog https://www.wiz.io/blog/cve-2024-3094-critical-rce-vulnerability-found-in-xz-utils
• Untitled Linux Show https://youtu.be/RL7_lRpgthY
• (de) https://www.derstandard.at/consent/tcf/story/3000000213960/wie-die-computerwelt-gerade-haarscharf-an-einer-sicherheitskatastrophe-vorbeigeschrammt-ist
• https://www.politico.com/news/2024/03/31/thwarted-supply-chain-hack-alarm-bells-00149877
• (es) https://amp.elmundo.es/tecnologia/2024/03/31/6609b448e85eceab538b4571.html
• (it) https://www.remoteitalia.com/blog/sicurezza-informatica/backdoor-in-xz-utils-allarme-sicurezza-per-linux/
• https://www.nodejs-security.com/blog/xz-backdoor-cve-2024-3094-javascript-perspective/
• https://snyk.io/blog/the-xz-backdoor-cve-2024-3094/
• https://www.schneier.com/blog/archives/2024/04/xz-utils-backdoor.html
• https://discu.eu/q/https://github.com/tukaani-project/xz
• preprint Paper https://arxiv.org/abs/2404.08987 (JKU.at)

Writeups

• History commits analysis https://news.ycombinator.com/item?id=39866936
• Author background https://www.mail-archive.com/[email protected]/msg00567.html
• History writeup https://boehs.org/node/everything-i-know-about-the-xz-backdoor
• social aspects https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
• counter intelligence needed https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
• https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd
• https://research.hisolutions.com/2024/04/xz-backdoor-eine-aufarbeitung/

Mitigations, Detection and Snakeoil

• https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh ⚠️
• checkscript2: https://github.com/FabioBaroni/CVE-2024-3094-checker/ ⚠️
• https://github.com/Neo23x0/signature-base/blob/master/yara/bkdr_xz_util_cve_2024_3094.yar
• https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/
• https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
• https://www.runzero.com/blog/how-to-find-systems-impacted-by-cve-2024-3094-libxz-utils-with-runzero/
• ⚠️ Warning: it is not a good idea to execute a compromised binary with the -V flag or run ldd on it. The menuoned sceipts should not be executed on sensitive systems.
• notes, honeypot and exploit demo https://github.com/amlweems/xzbot
• upstream Debian patch to OpenSSH https://bugzilla.mindrot.org/show_bug.cgi?id=2641 (with less dependencies)
• binar.ly binary scanner: https://xz.fail/

Discussions

• https://news.ycombinator.com/item?id=39865810#39866275
• https://lobste.rs/s/uihyvs/backdoor_upstream_xz_liblzma_leading_ssh
• https://www.reddit.com/r/sysadmin/comments/1bqu3zx/backdoor_in_upstream_xzliblzma_leading_to_ssh/
• https://twitter.com/nickdothutton/status/1773829164392472741 (x discussion)
• https://discourse.ubuntu.com/t/xz-liblzma-security-update/43714
• Analysis https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
• commit timezone analysis https://x.com/birchb0y/status/1773871381890924872
• rc4 obfuscation https://x.com/nugxperience/status/1773906926503591970
• https://www.postgresql.org/message-id/CA%2BhUKGK4ZewHeVtnbBc_pbZRHZa6GyO%3DUpJ5XDmomA9Lf0xpkA%40mail.gmail.com
• early stages analysis https://gynvael.coldwind.pl/?lang=en&id=782
• https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b
• diagram https://x.com/fr0gger_/status/1774342248437813525
• diagram https://x.com/ctiyeewesley/status/1774478963408302529
• mastodon active posters https://infosec.exchange/@kpwn/112191917895132500
• timezones https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and
• fedora discussion, supply chain hardening: https://lwn.net/ml/fedora-devel/[email protected]/
• OpenSSH discussion, split into modules: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-April/041287.html
• similqr exploit tactic in fdroid: https://social.librem.one/@eighthave/112194828562355097
• https://research.swtch.com/xz-script
• xz unbanned on github (r/linux): https://www.reddit.com/r/linux/comments/1c0g8li/xz_utils_is_back_on_github_and_lasse_collin_has/
• systemd/systemd#32028

background research and evidence

• tukaani-project/xz#9
• tukaani-project/xz#95
• Backdoor line https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh#L40
• https://git.tukaani.org (untrusted, github mirrors are locked now) (backup: http://tmp.joeyh.name/xz-git-repository-for-analysis-backdoored.tar.gz fc739b4942130e0259c272b119108ccd9241943f73b115ef5fd16299d86054d0)
• Sus commits https://git.tukaani.org/?p=xz.git;a=search;pg=4;s=Jia+Tan;st=author
• Sus commits https://git.tukaani.org/?p=xz-java.git;a=search;s=Jia+Tan;st=author
• Sus mails https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417
• Sus commits libarchive/libarchive#1609
• Sus PR google/oss-fuzz#11587
• Sus PR https://github.com/keithn/seatest/pulls?q=author%3AJiat75+
• Sus https://play.clickhouse.com/play?user=play#U0VMRUNUICogRlJPTSBnaXRodWJfZXZlbnRzIFdIRVJFIGFjdG9yX2xvZ2luPSdKaWFUNzUnIE9SREVSIEJZIGZpbGVfdGltZSBERVND
• Sus https://play.clickhouse.com/play?user=play#U0VMRUNUIGNyZWF0ZWRfYXQsIGV2ZW50X3R5cGUsIGFjdG9yX2xvZ2luLCByZXBvX25hbWUsdGl0bGUsYWN0aW9uLCBzdWJzdHJpbmcoYm9keSwgMSwgMjAwKSBhcyBib2R5X3RydW5jYXRlZCAgRlJPTSBnaXRodWJfZXZlbnRzIFdIRVJFIGZpbGVfdGltZSA+IG5vdygpIC0gSU5URVJWQUwgNjAgREFZIEFORCBldmVudF90eXBlPSdQdWxsUmVxdWVzdEV2ZW50JyBBTkQgdGl0bGUgSUxJS0UgJyU1LjYlJyBBTkQgdGl0bGUgSUxJS0UgJyV4eiUnIEFORCBib2R5IE5PVCBJTElLRSAnJVNueWslJyBhbmQgYm9keSBub3QgaWxpa2UgJyVDVkUtMjAyNC0zMDk0JScgYW5kIHRpdGxlIG5vdCBpbGlrZSAnJWRvd25ncmFkZSUnIE9SREVSIEJZIGZpbGVfdGltZSBERVNDIExJTUlUIDEwMA==
• Sus bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
• Sus embed kernel maintainer https://lore.kernel.org/lkml/[email protected]/
• a fix commit https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00
• NOBUS type backdoor https://en.wikipedia.org/wiki/NOBUS
• address in range reversed https://x.com/bl4sty/status/1775299293139575048
• libarchive in windows https://cyberplace.social/@GossiTheDog/112208807973499815
• "the other author suddenly disappeared" https://github.com/tukaani-project/xz/commit/77a294d98a9d2d48f7e4ac273711518bf689f5c4
• liblzma was removed, creating urgency systemd/systemd#31550

Vendor Responses

Upstream statement https://tukaani.org/xz-backdoor/

• QubesOS/qubes-issues#9067
• QubesOS/qubes-issues#9071
• https://news.opensuse.org/2024/03/29/xz-backdoor/
• https://archlinux.org/news/the-xz-package-has-been-backdoored/
• https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
• https://lists.debian.org/debian-security-announce/2024/msg00057.html
• google/oss-fuzz#11760
• https://aws.amazon.com/de/security/security-bulletins/AWS-2024-002/
• Homebrew/homebrew-core#167541
• https://github.com/orgs/Homebrew/discussions/5243
• https://www.kali.org/blog/about-the-xz-backdoor/
• https://infosec.exchange/@kalilinux/112180505434870941
• NixOS/nixpkgs#300028
• https://security.gentoo.org/glsa/202403-04
• https://bugs.gentoo.org/925415
• https://hardenedbsd.org/article/shawn-webb/2024-03-29/hardenedbsd-unaffected-cve-2024-3094-backdoor-xzlzma-560561
• https://x.com/clearlinux/status/1773866579828347276
• https://forum.openwrt.org/t/project-statement-about-xz-5-6-1-cve-2024-3094/193250
• https://github.com/termux/termux-packages/commit/4c6c0d0eb747afd886bf9d035667d98cb0fc4b8f
• https://ubuntu.com/security/CVE-2024-3094 (releases not affected)