Security News
Sarah Gooding
Philipp Burckhardt
March 30, 2024
XZ utils, a package for data compression software used in nearly every Linux distribution, was found to be backdoored and may allow unauthorized access to affected systems.
This set off a number of urgent security alerts from CISA, RedHat, Kali Linux, and others. The malicious code is included in versions 5.6.0 and 5.6.1 of the xz libraries, and was discovered by PostgreSQL developer and committer Andres Freund.
From the GitHub Advisory Database:
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.
To find out which version you have installed, open a terminal and run the following command:
$ xz --version
xz (XZ Utils) 5.4.6
liblzma 5.4.6
In case of running 5.6.0 or 5.6.1, developers and users are strongly advised to downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6 Stable. macOS users who have installed XZ Utils using Homebrew can downgrade to the latest non-malicious version by running the following command in their terminal:
brew upgrade xz
Linux users on Debian-based distributions such as Ubuntu can update XZ Utils via sudo apt-get update followed by sudo apt-get install --only-upgrade xz-utils.
Although this is technically an OS system-level dependency, it may also affect bundled application-level dependencies. It’s possible that npm, Python, Go, or other packages include the xz utils dependency bundled into a package, which could be another attack vector.
The easiest way to figure out who this affects is to determine which xz dependencies are the most popular in the ecosystem. The question to answer for each one is whether the vulnerable version is bundled into the JavaScript library itself, or whether the library merely links to the copy already installed on the system.
As you can see in the example above, Socket has a "Native code" alert which indicates whether a dependency contains native code, which could be a vector to obscure malicious code.
Below are some of the most popular packages that we have examined to determine whether they are safe or affected. (We will keep updating this list as more information becomes available.)
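As an added example (not code from this Socket post), the following Python helper automates the two checks described above: it parses the output of xz --version for a backdoored release, and it walks a directory such as node_modules looking at native build artifacts to tell a package that links the system liblzma from one that bundles its own copy. The string heuristics it relies on (shared-library names, liblzma API symbol names, NUL-terminated version strings) are assumptions chosen for illustration; a hit only marks a file for manual review.

```python
import re
from pathlib import Path
# Versions that shipped the backdoor, per the advisory quoted above.
BACKDOORED = {"5.6.0", "5.6.1"}
NATIVE_SUFFIXES = {".node", ".so", ".dylib", ".dll", ".a"}

# "xz --version" prints "xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z" on two lines.
_XZ_LINE = re.compile(r"^xz \(XZ Utils\) (\d+\.\d+\.\d+)", re.M)
_LZMA_LINE = re.compile(r"^liblzma (\d+\.\d+\.\d+)", re.M)

def parse_xz_version(output):
    """Return {'xz', 'liblzma', 'backdoored'} parsed from `xz --version` output."""
    xz, lzma = _XZ_LINE.search(output), _LZMA_LINE.search(output)
    result = {"xz": xz and xz.group(1), "liblzma": lzma and lzma.group(1)}
    result["backdoored"] = any(v in BACKDOORED for v in result.values() if v)
    return result

# Heuristics (assumptions, not from the page) for a native build artifact:
#  - a shared-library name in the strings => it links the system liblzma at load time
#  - liblzma API symbol names in the file => liblzma code is compiled in (bundled);
#    NUL-terminated X.Y.Z strings in such a file are candidate bundled versions
_DYNLIB = re.compile(rb"liblzma\.so(?:\.\d+)?|liblzma\.\d+\.dylib|liblzma\.dll")
_API = re.compile(rb"lzma_(?:version_string|stream_decoder|auto_decoder|code)\b")
_VERSION = re.compile(rb"\b(\d+\.\d+\.\d+)\x00")

def scan_blob(data):
    """Classify one binary: system-linked, bundled, and which liblzma versions it may carry."""
    bundled = bool(_API.search(data))
    versions = {m.group(1).decode() for m in _VERSION.finditer(data)} if bundled else set()
    return {
        "links_system_liblzma": bool(_DYNLIB.search(data)),
        "bundles_liblzma": bundled,
        "bundled_versions": versions,
        "backdoored": bool(versions & BACKDOORED),  # any hit => review the package
    }

def scan_tree(root):
    """Scan every native artifact under root (e.g. node_modules); findings keyed by path."""
    root = Path(root)
    return {str(p.relative_to(root)): scan_blob(p.read_bytes())
            for p in root.rglob("*") if p.is_file() and p.suffix in NATIVE_SUFFIXES}

if __name__ == "__main__":
    import tempfile
    # Constructed stand-ins for real binaries: one dynamically linked, one bundling 5.6.0.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "dyn.node").write_bytes(b"\x7fELF\x00liblzma.so.5\x00")
        (Path(d) / "static.node").write_bytes(b"\x7fELF\x00lzma_stream_decoder\x005.6.0\x00")
        for path, finding in scan_tree(d).items():
            print(path, finding)
    print(parse_xz_version("xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"))
```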
Socket users can use the Dependency Search feature to search for these packages to determine if your organization is using them.
If you are a current Socket customer and you need more help finding out if you were affected, contact us and we will assist you.
If you’re not a Socket customer, you can install our free Socket for GitHub app in two clicks and follow these instructions to find out if your dependencies were affected.
5.6.1 was opened: https://github.com/jamespfennell/xz/pull/2 (safe because the PR was not merged)