CVE-2024-3094: All Clear

Created by Justin W. Flory. CC BY-SA 4.0. Bob the Toucan used under fair use from the Tukaani project.

It’s official — CVE-2024-3094 is the “Backdoor in XZ Utils That Almost Happened”. Fortunately, the malware was detected before we released the compromised version as an official update. If you are using Fedora Linux 38 or 39, or an up-to-date Fedora Linux 40 Beta, you should be all set, and the upcoming Fedora Linux 40 final release is not affected.

The XZ backdoor is a devious piece of work. It affects the SSH remote login protocol, which has a feature where users can be authenticated using a public-private key pair. The exploit sneaks a public key right into the allow-list, so someone out there with the corresponding key could log in to a compromised machine with full root access — without a trace. We have no evidence that the attackers ever got a chance to take advantage of this, but if the malware had slipped by undetected, it could have been devastating.

Fortunately, the plot was foiled by Andres Freund while doing volunteer work in his spare time. He noticed that there was a slight change in performance, and decided to investigate. One of my Fedora friends quoted John Denver: “What one man can do is change the world and make it work again! Here you see what one man can do.”

If you have a system with the Fedora Linux 40 Beta or Fedora Rawhide, and you applied updates during the time the compromised package was in our updates-testing repository, you should check to make sure that it is now reverted, and apply current updates if not. (You should have xz-5.4.6, as of this post.) On Fedora Workstation systems, the ssh daemon does not run by default, which additionally limits possible risk. However, if you did have the bad update on a system, or think you might have, we recommend a full reinstall out of an abundance of caution.

Fedora Linux 38 and 39 never had even a candidate update for the compromised package, and we pulled the test update for 40, so it was never merged into the release.
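The check described above for a Fedora 40 Beta or Rawhide host, as an added shell example that is not part of this post or of the Fedora project's tooling: it classifies the installed xz and xz-libs packages against the 5.4.6 version named above, scans dnf's rpm transaction log (format assumed to match /var/log/dnf.rpm.log) for any other xz version that was ever installed, which is the post's "reinstall" case, and reports whether sshd is running. The sample log lines, and the 5.9.9 version in them, are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the Fedora Magazine post or the Fedora project.
# Triage a Fedora 40 Beta / Rawhide host for CVE-2024-3094: is xz back on the
# version the post says to expect, and did any other xz version ever get
# installed from updates-testing (the post's "reinstall" case)?

EXPECTED="5.4.6"   # version the post says you should have as of its writing

# Upstream version from a NEVRA such as xz-libs-5.4.6-1.fc40.x86_64 -> 5.4.6
nevra_version() {
    stem=${1%-*}                 # drop "-<release>.<arch>"
    printf '%s\n' "${stem##*-}"  # keep what follows the last '-'
}

# Print "ok" when the NEVRA carries the expected upstream version, else "unexpected".
classify_nevra() {
    if [ "$(nevra_version "$1")" = "$EXPECTED" ]; then echo ok; else echo unexpected; fi
}

# Scan dnf rpm-transaction log lines on stdin (assumed /var/log/dnf.rpm.log format)
# for xz/xz-libs installs, upgrades or downgrades; print each unexpected upstream
# version once. "Upgraded:"/"Downgraded:" lines name the package being replaced,
# so they are ignored; only what was actually put on disk matters.
unexpected_xz_history() {
    awk '/ (Install|Upgrade|Downgrade): xz(-libs)?-[0-9]/ { print $NF }' |
    while read -r nevra; do
        if [ "$(classify_nevra "$nevra")" = unexpected ]; then nevra_version "$nevra"; fi
    done | sort -u
}

# Constructed sample log; 5.9.9-0.sample is a placeholder, not the real pulled update.
SAMPLE_LOG='2024-03-27T09:10:11-0400 SUBDEBUG Upgrade: xz-libs-5.9.9-0.sample.fc40.x86_64
2024-03-27T09:10:11-0400 SUBDEBUG Upgraded: xz-libs-5.4.6-1.fc40.x86_64
2024-03-30T08:00:00-0400 SUBDEBUG Downgrade: xz-libs-5.4.6-3.fc40.x86_64
2024-03-30T08:00:00-0400 SUBDEBUG Downgraded: xz-libs-5.9.9-0.sample.fc40.x86_64'

# Live run on a real Fedora host; falls back to the constructed sample elsewhere.
if command -v rpm >/dev/null 2>&1; then
    for nevra in $(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' xz xz-libs 2>/dev/null | grep -v ' not installed'); do
        echo "installed: $nevra -> $(classify_nevra "$nevra")"
    done
    [ -r /var/log/dnf.rpm.log ] && unexpected_xz_history </var/log/dnf.rpm.log |
        sed 's/^/ever installed, reinstall advised: xz /'
    command -v systemctl >/dev/null 2>&1 && echo "sshd: $(systemctl is-active sshd)"
else
    printf '%s\n' "$SAMPLE_LOG" | unexpected_xz_history | sed 's/^/sample: unexpected xz /'
fi
```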


11 Comments

  1. null_pointer

    In the digital era, acts like this are cyberterrorism. Jia Tan, if that person exists as such, should be imprisoned.

    • Should Ken Thompson be thrown in jail for his backdoor in the C compiler that added a root password known only to him when compiling login.c ?

      In his case, he was the expert on call. One can only imagine nefarious motivations for Jia Tan, but jail is overused in Western society. E.g. in the Law of Moses, it was execution for capital crimes, or restitution for other crimes. We use prison as a substitute for execution – mainly because sometimes (way too often, in fact) the court gets it wrong and the wrong man is put to death. Prison for economic crimes is counterproductive for all involved.

      So are the nefarious plans that we are imagining for Jia Tan a plot to kill people? To steal stuff? Maybe the sense of power just being able to log in to any openssh server in the world? Does that rise to the level of the death penalty? (Or its prison substitute?)

      • Pawel

        Nobody cares about ‘law of moses’. Anyone who violates other people’s privacy must pay for it. I would start from Microsoft, Apple and NSA of course.

    • Actually, by nipping this exploit in the bud, we have probably saved the life of “Jia Tan”. IMO the most likely motivation is that governments pay good money for zero day exploits on the black market. These same governments tend to “off” the vendor when they want to ensure the exploit is not sold again to another client. (Not always – the market dries up if all the exploit vendors get “offed”.)

      I may be wrong, but I think bounty programs for verified exploits help mitigate the temptation of the black market. It may be less money than the black market, but your conscience doesn’t bother you, and it doesn’t result in fear of assassination by a state.

  2. hammerhead corvette

    I think, as a community, we REALLY need to be more involved in the development of the tools we use. We need to support these projects with our time and donations.

    Hooray for Freedom. Hooray for Open Source

  3. Tomi

    Has xz-5.4.6 been stripped of all commits from Jia Tan, or only the one triggering the backdoor that has been found?

    If not, how confident are Fedora maintainers that there is no other backdoor in xz code from the +2 years of commits from Jia Tan?

  4. W

    One concern I have is that we tend to review issues like this as individual packages and repos. But, that’s not how the world works. Our computers don’t use a single package. They use hundreds of interconnected packages and libraries.

    It’s entirely possible something small was done in one to weaken it, or cause a chain reaction that could be taken advantage of in another, but wouldn’t be obvious if you looked at either one.

    I don’t have any solutions here, just thinking out loud, I guess.

  5. This is Linux’s “Guy Fawkes” moment. Disaster was foiled at the last minute.

    I wonder if we should (digitally) burn the effigy of Jia Tan every March 29th? Somehow “Remember, Remember the 29th of March” doesn’t quite roll off the tongue.

    • Pete Bremer

      Maybe this is our modern digital Ides of March, where we were all nearly stabbed in the back by a bad actor or actors.
