Microsoft employee accidentally saves global Linux meltdown from CVE-2024-3094 XZ backdoor

Today, Microsoft released its guidance and advisory regarding the XZ Utils backdoor vulnerability, which has been identified as CVE-2024-3094. This security flaw has a CVSS score of 10.0 and has the potential to impact a number of Linux distributions, including Fedora, Kali Linux, OpenSUSE, and Alpine, with significant global consequences.

Fortunately, Andres Freund, a Microsoft Linux developer, stumbled upon the vulnerability just in time. He had become curious about the 500 ms delay in SSH (Secure Shell) port connections and decided to investigate further, ultimately revealing a malicious backdoor hidden within the XZ file compressor.

At the time of writing, only four of the 63 security vendors on VirusTotal, Microsoft among them, were correctly detecting the implant as malicious.

The Microsoft engineer's keen observation therefore deserves recognition here, since it is likely that few others would have taken the time to investigate a half-second delay. The event also underscores how exposed open-source software is to exploitation by malicious actors.

If you are concerned, please be aware that versions 5.6.0 and 5.6.1 of XZ Utils have been compromised. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends using previous, secure versions.

In line with that guidance, users can confirm whether a vulnerable build is installed by running the following command in a shell (for example over SSH) with administrator privileges; output reporting version 5.6.0 or 5.6.1 indicates a compromised release:

xz --version
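As an added example (not code from the article, Microsoft, Qualys or Binarly), the POSIX shell script below parses the output of xz --version as described above, flags the 5.6.0 and 5.6.1 releases the article names as compromised, and also lists the liblzma library the local sshd links against, which is the path the implant used to reach SSH. The version strings it is checked against are constructed samples, and /usr/sbin/sshd is an assumed fallback path.

```shell
#!/bin/sh
# Added example, not code from the article, Microsoft, Qualys or Binarly.
# Classifies `xz --version` output against the releases the article names
# as compromised (5.6.0 and 5.6.1) and reports which liblzma sshd loads.

# Versions the article identifies as backdoored.
COMPROMISED_XZ_VERSIONS="5.6.0 5.6.1"

# Read the text of `xz --version` from stdin and print COMPROMISED if the
# xz tool or the liblzma it reports is one of the backdoored releases,
# otherwise OK. Typical output has two lines (constructed sample):
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
xz_version_status() {
    status="OK"
    # The `|| [ -n "$line" ]` keeps a final line without a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "xz (XZ Utils) "*|"liblzma "*)
                ver="${line##* }"
                for bad in $COMPROMISED_XZ_VERSIONS; do
                    [ "$ver" = "$bad" ] && status="COMPROMISED"
                done
                ;;
        esac
    done
    echo "$status"
}

# Run the check against the xz binary on this host (NOT_INSTALLED if absent).
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "NOT_INSTALLED"; return 0; }
    xz --version 2>/dev/null | xz_version_status
}

# The implant reached sshd through liblzma, so list the liblzma the local
# sshd binary links against; a 5.6.0/5.6.1 library here is what to act on.
# /usr/sbin/sshd is an assumed fallback path when sshd is not on PATH.
sshd_liblzma() {
    sshd_bin="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
    [ -x "$sshd_bin" ] || { echo "sshd not found"; return 0; }
    ldd "$sshd_bin" 2>/dev/null | grep -i liblzma \
        || echo "liblzma not linked into $sshd_bin"
}

echo "installed xz: $(check_installed_xz)"
echo "sshd liblzma: $(sshd_liblzma)"
```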

Third-party scanning and detection tools are also available. The security research firms Qualys and Binarly have each released detection and scanner tools publicly, allowing users to determine whether their systems have been affected.

Qualys has released the latest version of VULNSIGS, 2.6.15-6, in which the vulnerability is identified as QID 379548 (Qualys Vulnerability Detection ID).

Binarly scanner for XZ Utils backdoor vulnerability

Additionally, Binarly has recently launched a free XZ backdoor scanner. The tool is designed to identify compromised versions of XZ Utils and displays an “XZ malicious implant” notification when it detects one.

Additional technical information about the vulnerability can be found on both Binarly’s and Qualys’ websites. Both companies have published articles discussing the XZ Utils supply chain puzzle and the CVE-2024-3094 backdoor.
