Threat report: xz backdoor

A backdoored xz library (liblzma 5.6.0 and 5.6.1), shipped in Fedora 41 (Rawhide) and the Fedora 40 beta, compromises SSH authentication (CVE-2024-3094).

Now that we’re beyond the jokes scattered around social media for April 1st and the dust has begun to settle around the latest supply chain compromise, we want to show you how Stairwell helped our customers with the xz library backdoor — and how we’ll continue to do so for the next similar threat, and the next one, and the one after that.

On March 29, 2024, Andres Freund disclosed an intentional backdoor planted in xz-utils releases 5.6.0 and 5.6.1. The malicious code lives in liblzma, which OpenSSH does not use directly: sshd builds on Fedora and Debian-family distributions are patched to link libsystemd for service notification, libsystemd links liblzma, and so the backdoor is mapped into sshd at start-up. On x86-64 builds it hooks RSA_public_decrypt at load time, letting a remote attacker who holds a specific private key execute commands on the host before authentication. The compromised versions reached Fedora Rawhide (the Fedora 41 development branch) and the Fedora 40 beta, and were briefly in Debian testing/unstable, but never shipped in a stable release of Red Hat Enterprise Linux, Debian, or Ubuntu.

The Stairwell platform had detection for the xz backdoor initially via a YARA rule added by Silas Cutler as of Friday 2024-03-29T08:26Z. As Stairwell automatically collects, analyzes, and perpetually reanalyzes all interesting files in an environment, from this point forward, any Stairwell customer potentially affected by the backdoor knows exactly where and when this malicious code entered their environment. Equally important, if they were not affected, they have the evidence of absence — evidence that this threat is not in their environment — which they can provide to auditors, risk management, or their own management.

Image 1: A sample of a file with the backdoor uploaded to the Stairwell platform.

To enable our customers to automatically find and analyze indicators of compromise (IOCs) in their environment, the Stairwell team uploaded a Threat Report containing xz backdoor IOCs within the platform. This Threat Report will search across every single current and future file in your environment for the backdoor.

Unfortunately, as we all know too well, this is not a one-off scenario. Just as with Log4j (a vulnerability embedded in countless products) and the 3CX supply chain compromise, we are able to keep your security team informed quickly, helping to protect your organization now and into the future.

If you’re not a Stairwell user, detecting the backdoor manually remains an option: run the xz_backdoor YARA rule from the IOCs section below against your liblzma binaries, or identify compromised liblzma builds (5.6.0 and 5.6.1) on your hosts. With Stairwell, however, you’re not just reacting. Search and detection are fully automated and continuous, allowing you to stay ahead, fully informed, and more secure.
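As an added worked example (this is not Stairwell's code and not part of the original report), the script below performs that manual check in Python. It first asks ldd which liblzma the local sshd actually maps at load time (if sshd does not pull in liblzma at all, that sshd is not exposed), then scans that file for the 34-byte x86-64 function prologue that the xz_backdoor YARA rule in the IOCs section matches, and reports the liblzma version from `xz --version`. Assumptions: sshd is at /usr/sbin/sshd and ldd and xz are on PATH; both are probed and the check degrades gracefully when they are absent. The constructed sample file used by constructed_sample_scan() is filler bytes around the prologue, not a real liblzma.

```python
"""Manual check for the CVE-2024-3094 liblzma backdoor on a Linux host.

Added illustration, not Stairwell's code. Assumes sshd at /usr/sbin/sshd and
ldd/xz on PATH; each is probed, and the check degrades gracefully without them.
"""
import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

# Hex string from Silas Cutler's xz_backdoor YARA rule: the prologue of the
# function injected into liblzma 5.6.0 / 5.6.1 (endbr64; push rbp; ...).
BACKDOOR_PROLOGUE = bytes.fromhex(
    "f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"
)

# Upstream xz releases that carry the backdoor.
AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}


def scan_bytes(data: bytes) -> List[int]:
    """Return every offset in data at which the backdoor prologue starts."""
    hits, start = [], 0
    while (idx := data.find(BACKDOOR_PROLOGUE, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan_file(path, chunk: int = 1 << 20) -> List[int]:
    """Scan a file of any size for the prologue; returns absolute offsets."""
    overlap = len(BACKDOOR_PROLOGUE) - 1
    hits, offset, buf = [], 0, b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            buf += block
            hits.extend(offset + rel for rel in scan_bytes(buf))
            # Carry the final len(pattern)-1 bytes into the next round so a
            # match that straddles a chunk boundary is found exactly once.
            keep = buf[-overlap:]
            offset += len(buf) - len(keep)
            buf = keep
    return hits


def parse_xz_version(output: str) -> Optional[str]:
    """Pull the liblzma version out of `xz --version` output (the line
    'liblzma 5.6.1' yields '5.6.1'); None if it is not there."""
    m = re.search(r"liblzma\s+(\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def is_affected_version(version: Optional[str]) -> bool:
    return version in AFFECTED_VERSIONS


def liblzma_loaded_by_sshd(sshd: str = "/usr/sbin/sshd") -> Optional[Path]:
    """Resolve the liblzma that sshd maps at load time via ldd. Returns None
    when sshd or ldd is missing, or when sshd does not pull in liblzma at all.
    ldd may execute parts of the target, so only point it at trusted files."""
    if not Path(sshd).exists() or shutil.which("ldd") is None:
        return None
    out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
    for line in out.splitlines():
        if "liblzma" in line:
            m = re.search(r"=>\s*(\S+)", line)
            if m:
                return Path(m.group(1))
    return None


def constructed_sample_scan() -> List[int]:
    """Exercise the chunked scanner on a constructed file (not a real
    liblzma): 100 NOP bytes, the prologue, then 50 INT3 bytes, read with a
    16-byte chunk so the match straddles several chunk boundaries."""
    sample = b"\x90" * 100 + BACKDOOR_PROLOGUE + b"\xcc" * 50
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(sample)
        path = fh.name
    try:
        return scan_file(path, chunk=16)  # expected: [100]
    finally:
        os.unlink(path)


def main() -> int:
    version = None
    if shutil.which("xz"):
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        version = parse_xz_version(out)
    print(f"liblzma version: {version or 'unknown'}; "
          f"affected release: {is_affected_version(version)}")
    lib = liblzma_loaded_by_sshd()
    if lib is None:
        print("sshd does not load liblzma (or sshd/ldd not found)")
        return 0
    hits = scan_file(lib)
    if hits:
        print(f"BACKDOOR PROLOGUE in {lib} at {[hex(h) for h in hits]}")
        return 2
    print(f"{lib}: backdoor prologue not present")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The version check alone is not sufficient (a distribution may have rebuilt 5.6.x from clean sources, or backported the version string), and the byte scan alone only covers x86-64 builds, which is why the script does both and reports which liblzma sshd really loads rather than whichever one sits first on the library path.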

IOCs for xz backdoor


xz backdoor YARA rule

rule xz_backdoor
{
	meta:
		author = "Silas Cutler"
		description = "Detection for backdoor in xz 5.6.1"
		ref = ""
		version = "0.1"
	strings:
		// x86-64 prologue of the function injected into liblzma 5.6.0 / 5.6.1
		$ = {f3 0f 1e fa 55 48 89 f5 4c 89 ce 53 89 fb 81 e7 00 00 00 80 48 83 ec 28 48 89 54 24 18 48 89 4c 24 10}
	condition:
		all of them
}