SSH (via libxz) Backdoor Discovered

Malicious backdoor discovered in libxz, which compromises OpenSSH.

A malicious backdoor has been discovered in the libxz compression library, which is widely used in Linux distributions. The supply chain attack results in the compromise of OpenSSH.

NVD - CVE-2024-3094

Fortunately, it appears to have been caught relatively early, and most Linux distributions are not affected because they are still on earlier versions of libxz. Version 5.6 is affected; earlier versions are not.

The command

xz -V

will show which version is in use on your system. 

It is also worth running the same command on your Mac if you use Homebrew.
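
As an added example (not from the original post or the xz project), this shell function classifies the output of xz -V. It treats 5.6.0 and 5.6.1, the 5.6 releases covered by CVE-2024-3094, as affected, and it checks the liblzma line as well as the xz line; the function name and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `xz -V` output read from stdin.
# Prints "affected", "not-affected" or "unknown".

classify_xz_versions() {
    # Keep only the lines naming the xz tool or the liblzma library, then
    # pull out each x.y.z version. The library line matters on its own:
    # the tool and the shared library can be at different versions.
    versions=$(grep -E '^(xz|liblzma) ' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' || true)
    if [ -z "$versions" ]; then
        echo "unknown"      # no recognisable version line in the input
        return 0
    fi
    for v in $versions; do
        case "$v" in
            5.6.0|5.6.1)    # releases covered by CVE-2024-3094
                echo "affected"
                return 0 ;;
        esac
    done
    echo "not-affected"
}

# Constructed sample of `xz -V` output from an affected host.
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

printf 'sample:   %s\n' "$(printf '%s\n' "$SAMPLE_AFFECTED" | classify_xz_versions)"

# On a real host: check the installed xz, if there is one.
if command -v xz >/dev/null 2>&1; then
    printf 'local xz: %s\n' "$(xz -V 2>/dev/null | classify_xz_versions)"
fi
```

A "not-affected" result only reflects the version strings reported by the xz found first on your PATH, so repeat the check for any other installation, such as one under Homebrew.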

The vulnerability utilises a well-obfuscated supply chain attack, and the attack vector itself is very interesting. More details can be found here:

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

Alternatively, Low Level Learning has an interesting video on it if you prefer.