All about the xz-utils backdoor
The xz-utils package, starting from versions 5.6.0 to 5.6.1, was found to contain a backdoor (CVE-2024-3094). This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized access to the entire system remotely.
With a library this widely used, the severity of this vulnerability poses a threat to the entire Linux ecosystem. Luckily, this issue was caught quickly so the impact was significantly less than it could have been. It has already been patched in Debian, and therefore, Kali Linux.
The impact of this vulnerability affected Kali between March 26th to March 29th, during which time xz-utils 5.6.0-0.2 was available. If you updated your Kali installation on or after March 26th, but before March 29th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.
Should you wish to check if you have the vulnerable version installed, we can perform the following command:
kali@kali:~$ apt-cache policy liblzma5 liblzma5: Installed: 5.4.5-0.3 Candidate: 5.6.1+really5.4.5-1 Version table: 5.6.1+really5.4.5-1 500 500 http://kali.download/kali kali-rolling/main amd64 Packages *** 5.4.5-0.3 100 100 /var/lib/dpkg/statusIf we see the version
5.6.0-0.2next to Installed: then we must upgrade to the latest version,5.6.1+really5.4.5-1. We can do this with the following commands:kali@kali:~$ sudo apt update && sudo apt install -y --only-upgrade liblzma5 ... kali@kali:~$More information can be found at Help Net Security for a summarized post on the details of the vulnerability, Openwall for the initial disclosure, and NIST’s NVD entry for this vulnerability.
A vulnerability in Kali Linux, affecting xz-utils 5.6.0-0.2, was triggered between March 26th and 29th. Users who updated before March 29th should apply the latest updates, while those not updated before March 26th are unaffected.
