Unpacking CVE-202 — What It

Secably Research
Jul 16, 2026
4 min read
Vulnerability Research
Cve Cve-202 Unpacking Vulnerability
Unpacking CVE-202 — What It
Unpacking CVE-202 — What It

Unpacking CVE-2024-3094

Unpacking CVE-2024-3094 reveals a critical supply chain attack targeting XZ Utils. This vulnerability, a backdoor hidden within liblzma, achieved a CVSS score of 10.0 (Critical). The malicious code affected XZ Utils versions 5.6.0 and 5.6.1. These versions were released on February 24, 2024, and March 9, 2024, respectively. The backdoor allowed unauthorized remote code execution, specifically through modified SSH authentication.

Technical Root Cause Analysis

The sophisticated attack involved injecting malicious code into the XZ Utils source tarballs, not directly into the git repository. Two specific files, `m4/build-to-host.m4` and `m4/locate-libs.m4`, were altered. These modified M4 macros then introduced obfuscated scripts during the build process. Specifically, the `build-to-host.m4` file contained a base64-encoded payload. This payload was designed to extract a hidden object file from a disguised test file. The object file, `bad-3-img.lzma`, was embedded within the source. The build system was manipulated to inject this malicious object file into `liblzma.la` and `liblzma.so`. The `locate-libs.m4` macro included logic that conditionally executed the payload. This execution occurred only when specific conditions were met, such as building on a Debian or RPM-based system. The conditions also checked for GCC and the `dpkg-buildpackage` or `rpmbuild` utilities. This setup ensured the backdoor activation only on target systems. The malicious code specifically targeted the `IFUNC` (Indirect Function) mechanism in glibc. It intercepted and modified the `RSA_public_decrypt` function from OpenSSL. This modification redirected SSH authentication attempts through the injected malicious code. The attacker gained the ability to execute arbitrary code on the compromised system.

Exploitation Mechanics

The backdoor did not activate universally. It required specific conditions for successful exploitation. The affected XZ Utils versions needed to be compiled with `systemd` and linked against the malicious `liblzma`. A public-facing SSH server running on the compromised system was also a prerequisite. The attacker would initiate an SSH connection to the vulnerable server. During the authentication phase, the injected code would intercept the `RSA_public_decrypt` calls. The malicious code could then process specific RSA signatures from the attacker. This allowed the attacker to bypass authentication and execute commands as the `sshd` user. The vulnerability provided a covert channel for remote arbitrary code execution. No public exploit code was released due to responsible disclosure practices. The focus remained on detection and remediation rather than weaponization.

Detection: How to Check if You're Affected

Checking for CVE-2024-3094 involves several steps. First, identify the XZ Utils version installed on your systems. Use your distribution's package manager.
dpkg -l | grep xz-utils
rpm -q xz-libs
If `xz-utils` or `xz-libs` versions 5.6.0 or 5.6.1 are present, immediate action is necessary. Next, examine the `liblzma` library for suspicious modifications. This involves checking the file size and checksum against known good versions. Look for the presence of the malicious `_get_cpuid` function within `liblzma.so`.
strings /usr/lib/x86_64-linux-gnu/liblzma.so.5 | grep "_get_cpuid"
The presence of this string is a strong indicator of compromise. You should also check the build logs of affected systems. Look for unusual commands or compiler flags that might indicate the malicious M4 macros were executed. Search for `build-to-host.m4` and `locate-libs.m4` in your build environment. Secably's free website vulnerability scanner can help identify outdated system components exposed to the internet. While not directly detecting this specific backdoor, it can highlight systems running vulnerable software. Our free port scanner can also identify public-facing SSH services, helping prioritize systems for inspection. For continuous monitoring, Secably offers paid plans starting at $19/month for proactive vulnerability scanning. You can learn more about Secably pricing on our website. External tools like Zondex can assist with internet-wide scanning to identify exposed services.

Remediation Steps

Immediate remediation is crucial if your systems are affected by CVE-2024-3094. The primary step is to downgrade XZ Utils to a known safe version. All installations of XZ Utils 5.6.0 and 5.6.1 must be replaced. Downgrade to version 5.4.x or earlier.
sudo apt update
sudo apt install xz-utils=5.4.1-0.2
For RPM-based systems, use:
sudo dnf downgrade xz-libs-5.4.1
Rebuild any software that dynamically links against `liblzma` after downgrading. This ensures the clean version of the library is used. Rebooting the system is also recommended to ensure all services restart with the clean library. If a compromise is confirmed, consider the system fully compromised. Initiate incident response procedures. This includes rotating credentials, re-imaging affected servers, and forensic analysis. Review SSH logs for unusual activity.

Timeline of Disclosure

The discovery of CVE-2024-3094 unfolded rapidly. On March 29, 2024, Andres Freund, a Microsoft engineer, publicly reported suspicious behavior. He observed slow SSH logins and high CPU usage on a Debian testing system. His investigation uncovered the malicious code within XZ Utils. The Openwall mailing list became the primary forum for initial discussions. Major Linux distributions, including Debian, Fedora, and openSUSE, quickly issued advisories. They urged users to downgrade or avoid the affected versions. The maintainer of XZ Utils, Jia Tan, was identified as the likely perpetrator. Jia Tan had gained maintainer access over several years. The backdoor was introduced through a series of commits over several months. This sophisticated attack highlighted the risks of supply chain compromises.

Check your site for vulnerabilities

Run a free security scan — no signup, results in seconds.

Related Posts

Stronger security starts with visibility.

Scan your website for vulnerabilities and get actionable insights.