April 1, 2024

Malicious backdoor discovered in Linux utility

Updated 04/04/24

Summary

A malicious backdoor has been discovered in the compression utility xz Utils which allows bypassing SSH authentication and can result in complete compromise of a Linux host. This backdoor is currently only known to affect cutting-edge versions of major Linux distributions, but this may change as the situation evolves. 

If you are running any of the affected distributions it is urgent that you check the affected versions section below and follow remediation recommendations immediately. 

It is unknown how widespread the ultimate impact of this threat is and there may be repercussions that affect other operating systems and technologies, so all members of the UW community should follow the recommendations for good cyber hygiene in the next section. 

Recommendations for the UW community

  1. Keep computers, devices, and applications updated and patched.
  2. Avoid using beta, development, or cutting-edge versions of software; stick to stable, production versions (for example, Ubuntu LTS). 
  3. Review the summary info on this page, keep it bookmarked, and check back for updates. 

Recommendations for specific groups

End users

  • Wherever possible, ensure that automatic updates are turned on for all products.
  • Update affected products as soon as patches are released or implement any recommended workarounds until a patch is released.

System administrators, resource and service owners

  • Avoid using development versions of operating systems in production. Use versions which are designated “stable,” “production,” “LTS,” or similar.
  • Look for opportunities to improve your detection capabilities. As an organization, we need to work together to improve our ability to detect unusual or unauthorized behavior whenever prevention fails.
  • Work with your developers, separate your tasks, use virtual environments that can be isolated when testing, and don’t test in prod.

Developers

  • Use tools to check your dependency trees for vulnerabilities (e.g. OWASP Dependency-Check, npm audit, pip-audit).
  • It is important that any version you have deployed continues to have checks run against it since vulnerabilities may be found long after your build and deploy steps. Set up automated jobs to run those checks and report any issues on a repeating schedule.
  • It was a developer that originally found this vulnerability. When working with development packages be aware of potential symptoms of problems, such as increased memory or CPU usage, slower login times, etc.

Technical details

On March 29, a critical remote code execution vulnerability was found in a software dependency affecting multiple Linux distributions. The root cause of this vulnerability is malicious code inserted in the xz compression utility, which is a dependency of OpenSSH on many distributions. This code was discovered in a cutting-edge version of xz, only runs on specific machine environments, and allowed an attacker who is in possession of a specific cryptographic key to bypass authentication on the affected host. The backdoor code was inserted into xz builds released between March 26 and March 29.

The code in question was inserted by a developer account which has been an xz project contributor for several years. This fact, along with the sophistication and targeted nature of the code, suggests that a nation-state actor is involved. It cannot yet be assumed that we know the boundaries of this attack, but for now, the best information we have is that only development and cutting-edge versions of Debian, Fedora, openSUSE, Kali, Alpine, and Arch Linux distributions are affected.

As of April 1, security researchers are continuing to scrutinize contributions to a number of other open-source projects from the developer and associated developers.

Affected versions and patches

At this time, the following are NOT believed to be affected (this may change): 

  • Red Hat Enterprise Linux
  • Ubuntu Linux
  • Amazon Linux
  • Wolfi
  • Gentoo

Affected versions as of 4/01/2024 (check back for updates):

Affected Linux distributions

Debian
  • Branches: Bookworm, Trixie, SID
  • Affected packages: xz-utils 5.5.1alpha-0.1 through 5.6.1-1
  • Remediation: Update to latest version (5.6.1+really5.4.5-1)

Fedora
  • Branches: 40, 41, Rawhide
  • Affected packages: xz-5.6.0-*, xz-5.6.1-*
  • Remediation: Fedora 40: update (to 5.4.x). Fedora 41 and Rawhide: stop using immediately.

openSUSE
  • Branches: Tumbleweed
  • Affected packages: xz-5.6.0, xz-5.6.1
  • Remediation: Update to latest version (5.6.1.revert to 5.4)

Kali Linux
  • Branches: N/A
  • Affected packages: xz-utils 5.6.0-0.2
  • Remediation: Kali installations updated between March 26 and March 29: update to latest version (5.6.1+really5.4.5-1)

Alpine Linux
  • Branches: Edge (active development)
  • Affected packages: xz 5.6.1-r0, 5.6.1-r1
  • Remediation: Update to latest version (5.6.1-r2)

Arch Linux
  • Branches: N/A
  • Affected packages: xz 5.6.0-1
  • Remediation: Update to latest version (5.6.1-2)
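As an added example (not from this advisory or any distribution's tooling), the following POSIX shell script encodes the affected-version table above so an administrator can classify the installed xz package version, and checks whether an sshd binary dynamically links liblzma, the library the malicious code was inserted into. The default sshd path /usr/sbin/sshd is an assumption.

```shell
#!/bin/sh
# Added example, not from the UW advisory. Encodes the affected-versions
# table above and checks whether sshd links liblzma (home of the backdoor).

# Print the upstream xz version from a distro package version string:
#   "5.6.1+really5.4.5-1" -> "5.4.5"   (Debian/Kali "+really" revert build)
#   "5.6.1-r1"            -> "5.6.1"   (Alpine release suffix)
#   "5.6.0-1"             -> "5.6.0"   (Arch release suffix)
xz_upstream_version() {
    v="$1"
    case "$v" in
        *+really*) v="${v#*+really}" ;;
    esac
    printf '%s\n' "${v%%-*}"
}

# Exit 0 if the package version falls in the affected range from the table,
# 1 otherwise. The patched builds the table names (Alpine 5.6.1-r2,
# Arch 5.6.1-2) are treated as fixed although their upstream number is 5.6.1.
xz_is_affected() {
    case "$1" in
        5.6.1-r2|5.6.1-2) return 1 ;;
    esac
    case "$(xz_upstream_version "$1")" in
        5.5.*|5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the sshd binary at $1 dynamically links liblzma, 1 if it does
# not, 2 if the path is missing or ldd is unavailable.
sshd_links_liblzma() {
    [ -x "$1" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Usage: sh xz-check.sh <installed-xz-package-version> [path-to-sshd]
if [ -n "$1" ]; then
    if xz_is_affected "$1"; then
        echo "xz $1: in the affected range; update per your distribution"
    else
        echo "xz $1: not in the affected range listed in this advisory"
    fi
    if sshd_links_liblzma "${2:-/usr/sbin/sshd}"; then
        echo "sshd links liblzma: a backdoored xz would be loaded into sshd"
    fi
fi
```

Obtain the installed version with your package manager (for example `dpkg -s xz-utils`, `rpm -q xz`, `apk info xz`, or `pacman -Q xz`) and pass it as the first argument.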

Tools for detection

Resources