liblzma and xz version 5.6.0 and 5.6.1 are vulnerable to arbitrary code execution compromise

Published on , 433 words, 2 minutes to read

[Image: A stop sign on a blue sky with the words 'security alert' underneath it - Photo by Xe Iaso, EOS R10 with 135mm Super-Multi-Coated Takumar f/3.5]

UPDATE(M03-29-2024 13:43-EDT): This is CVE-2024-3094.

This is a new situation and we are still gathering information. Here is what we know so far:

The xz/liblzma project has released versions 5.6.0 and 5.6.1.

The combination of these releases and the patches some distributions apply to the interaction between liblzma, libsystemd, and sshd has resulted in a situation where an attacker can compromise a system by sending a malicious payload to an sshd server.

We are lucky. This only affects AMD64 Linux systems. Current, still-incomplete analysis of the vulnerability suggests that it only targets a specific RSA function used in sshd. The exploit is in the wild. This is also a very new version of xz/liblzma, so it is not widely deployed yet. It is also unlikely to affect anything other than glibc-based systems (because the backdoor relies on glibc's IFUNC support), so if you use musl or another libc implementation, you are likely safe.

If you are using a distribution that has not yet released xz 5.6.0 or 5.6.1, you are likely safe.

If you are running Debian sid, Fedora 40, Fedora Rawhide, openSUSE Tumbleweed, or openSUSE MicroOS, run updates now.

Here are the distros where it is likely to be released (according to repology):

If you are using one of these distributions, you should check to see if you are using xz version 5.6.0 or 5.6.1. If you are, you should downgrade to 5.4.6. If you can't downgrade, you should disable public-facing SSH servers until you can downgrade.

At this time, we believe that version 5.4.6 is not vulnerable to this exploit. If you are using a different version, you should check with your distribution's security mailing list to see if you are vulnerable. If you are not already subscribed to your distribution's security mailing list, you should do so now.

Here is how you can tell if you're running the affected version:

xz --version

Here is what the output on the vulnerable version looks like:

$ xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1
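As an added example (not code from the original post), here is a small POSIX shell check that parses `xz --version` output the way shown above, flags the two versions named in this advisory, and, as a second signal, reports whether the local sshd binary transitively loads liblzma (the libsystemd path described earlier). The sample output strings inside it are constructed for illustration; the `check_host` and `sshd_links_liblzma` helpers are assumed names, not part of any distribution tooling.

```shell
#!/bin/sh
# Added example: classify the locally installed xz/liblzma against the
# versions named in the advisory (5.6.0 and 5.6.1). Not from the original post.

# Constructed sample outputs in the format `xz --version` prints.
SAMPLE_VULNERABLE='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_SAFE='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# parse_liblzma_version OUTPUT: print the version from the "liblzma X.Y.Z" line.
parse_liblzma_version() {
  printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }'
}

# is_affected_xz_version VERSION: exit 0 only for the two versions in the advisory.
is_affected_xz_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# sshd_links_liblzma: exit 0 if the installed sshd binary resolves liblzma at
# load time (typically via libsystemd), which is the condition the post describes.
sshd_links_liblzma() {
  bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  [ -x "$bin" ] || return 1
  ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# check_host: run the real `xz --version` on this machine and print a verdict.
# Exit 1 when the affected version is present so it can gate a script or alert.
check_host() {
  command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 0; }
  out=$(xz --version 2>/dev/null) || { echo "could not run xz --version"; return 2; }
  ver=$(parse_liblzma_version "$out")
  if is_affected_xz_version "$ver"; then
    echo "AFFECTED: liblzma $ver (downgrade to 5.4.6 or disable public-facing sshd)"
    sshd_links_liblzma && echo "note: sshd on this host loads liblzma"
    return 1
  fi
  echo "not the affected version: liblzma ${ver:-unknown}"
  return 0
}
```

Run `check_host` directly on a host; it prints a verdict and exits non-zero only when 5.6.0 or 5.6.1 is installed.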

Stay tuned for more information. Red Hat's security advisory may be helpful.

Special thanks to titanous for pre-vetting this before it went live.

Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.