
The xz-utils backdoor affected Kali Linux between March 26th and 29th, while xz-utils 5.6.0-0.2 was available. Users who updated before March 29th should apply the latest updates, while those who did not update before March 26th are unaffected.



All about the xz-utils backdoor

The xz-utils package, in versions 5.6.0 through 5.6.1, was found to contain a backdoor (CVE-2024-3094). This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized remote access to the entire system.

With a library this widely used, the severity of this vulnerability poses a threat to the entire Linux ecosystem. Luckily, this issue was caught quickly so the impact was significantly less than it could have been. It has already been patched in Debian, and therefore, Kali Linux.

This vulnerability affected Kali from March 26th to March 29th, during which time xz-utils 5.6.0-0.2 was available. If you updated your Kali installation on or after March 26th, but before March 29th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.

To check whether the vulnerable version is installed, we can run the following command:

kali@kali:~$ apt-cache policy liblzma5  
liblzma5:  
 Installed: 5.4.5-0.3  
 Candidate: 5.6.1+really5.4.5-1  
 Version table:  
    5.6.1+really5.4.5-1 500  
       500 http://kali.download/kali kali-rolling/main amd64 Packages  
*** 5.4.5-0.3 100  
       100 /var/lib/dpkg/status

If we see the version 5.6.0-0.2 next to Installed:, then we must upgrade to the latest version, 5.6.1+really5.4.5-1. We can do this with the following command:

kali@kali:~$ sudo apt update && sudo apt install -y --only-upgrade liblzma5
...
kali@kali:~$
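
The check above can be scripted; this is an added example, not part of the original Kali post. It classifies the Installed: version and handles the fixed package 5.6.1+really5.4.5-1, which a plain string match on "5.6.1" would wrongly flag because the real upstream version follows "+really". The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `apt-cache policy liblzma5` output on an affected host.
SAMPLE_POLICY='liblzma5:
 Installed: 5.6.0-0.2
 Candidate: 5.6.1+really5.4.5-1
 Version table:
     5.6.1+really5.4.5-1 500
        500 http://kali.download/kali kali-rolling/main amd64 Packages
 *** 5.6.0-0.2 100
        100 /var/lib/dpkg/status'

# Read apt-cache policy output on stdin and print the Installed: version.
installed_version() {
    awk '$1 == "Installed:" { print $2; exit }'
}

# Classify a Debian version string for liblzma5.
# Prints "affected", "not-affected" or "not-installed".
classify_liblzma() {
    ver=$1
    case "$ver" in
        ""|"(none)") echo "not-installed"; return 0 ;;
    esac
    ver=${ver#*:}                            # drop an epoch prefix, if any
    case "$ver" in
        *+really*) ver=${ver#*+really} ;;    # real upstream follows "+really"
    esac
    upstream=${ver%-*}                       # strip the Debian revision
    case "$upstream" in
        5.6.0|5.6.1|5.6.0[+~]*|5.6.1[+~]*) echo "affected" ;;
        *) echo "not-affected" ;;
    esac
}

# Check the live host (assumes a Debian-based system with apt-cache).
check_host() {
    classify_liblzma "$(apt-cache policy liblzma5 2>/dev/null | installed_version)"
}

# Demonstration on the constructed sample.
echo "sample: $(classify_liblzma "$(printf '%s\n' "$SAMPLE_POLICY" | installed_version)")"
```

On a Kali system, calling check_host after sourcing the script reports the state of the installed package.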

More information can be found at Help Net Security for a summarized post on the details of the vulnerability, Openwall for the initial disclosure, and NIST's NVD entry for this vulnerability.
