---
title: 'CVE-2024-3094 - xz/liblzma backdoor starting with version 5.6.0'
author: Dan
published: true
date: '30-03-2024 22:01'
taxonomy:
    category:
        - news
    tag:
        - vulnerabilities
        - backdoor
        - security
        - ssh
aura:
    author: dan
media_order: CVE-2024-3094.png
---
[backdoor in upstream xz/liblzma leading to ssh server compromise](https://www.openwall.com/lists/oss-security/2024/03/29/4)
[CVE-2024-3094 Detail](https://nvd.nist.gov/vuln/detail/CVE-2024-3094)
[Archlinux - The xz package has been backdoored](https://archlinux.org/news/the-xz-package-has-been-backdoored/)
All servers have already been updated and tested. Everything is fine.
If you use Arch, test it as follows:
```
ldd /usr/sbin/sshd | grep -e libsystemd -e liblzma
```
If ssh is linked against libsystemd/liblzma, as is the case on Debian (`libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0` and `liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5`), then you should take a closer look at this! Debian stable, for example, is running `5.4.1`, which is fine; if you have sid enabled, you are most likely affected. Check your distribution for any news regarding this vulnerability. `libsystemd` can be linked to `liblzma`, so if the output shows only `libsystemd`, be on the safe side and check your distribution's news as well.
There are also scripts to test your system that can give you a false alarm on Arch, such as <https://raw.githubusercontent.com/cyclone-github/scripts/main/xz_cve-2024-3094-detect.sh>.
The latest xz version on Arch is 5.6.1-**2**, so still `5.6.1`, but without the security hole.
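
The checks above combined in one script, as an added example that is not part of the original post: it classifies `ldd` output and the xz package version, and shows why a check on the upstream version alone gives a false alarm for Arch's 5.6.1-2. The function names, the distro-id parameter and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample inputs are constructed.

# Read `ldd` output on stdin and report how liblzma can reach the binary.
classify_linkage() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'liblzma\.so'; then
        echo "liblzma"           # liblzma is loaded with the binary
    elif printf '%s\n' "$out" | grep -q 'libsystemd\.so'; then
        echo "libsystemd-only"   # libsystemd can be linked to liblzma: check too
    else
        echo "none"
    fi
}

# $1 = package version as the package manager prints it (e.g. 5.6.1-2)
# $2 = distro id such as "arch" or "debian" (hypothetical parameter)
classify_xz() {
    upstream=${1%%-*}                        # 5.6.1-2 -> 5.6.1
    case "$1" in *-*) rel=${1#*-} ;; *) rel="" ;; esac
    rel=${rel%%[!0-9]*}                      # keep leading digits of the release
    case "$upstream" in
        5.6.0|5.6.1)
            # Arch shipped 5.6.1-2 as a rebuild without the backdoor, so the
            # upstream version alone would raise a false alarm there.
            if [ "$2" = "arch" ] && [ "$upstream" = "5.6.1" ] \
               && [ "${rel:-0}" -ge 2 ]; then
                echo "fixed-rebuild"
            else
                echo "affected"
            fi ;;
        *) echo "not-affected-version" ;;
    esac
}

# Constructed ldd output, modelled on the Debian lines quoted in the post.
SAMPLE_LDD='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)'

echo "linkage: $(printf '%s\n' "$SAMPLE_LDD" | classify_linkage)"
for v in "5.4.1 debian" "5.6.1-1 arch" "5.6.1-2 arch"; do
    set -- $v
    echo "xz $1 on $2: $(classify_xz "$1" "$2")"
done
```

On a live system, pipe the real output in with `ldd /usr/sbin/sshd | classify_linkage` and pass the version string your package manager reports to `classify_xz`.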
Have a good Easter
Dan