XZ Utils SSHd Backdoor CVE-2024-3094

In March 2024 details emerged regarding CVE-2024-3094 a vulnerability affecting the xz compression libraries in Linux distributions. The backdoor code was distributed to rolling distributions but specifically targeted systems like Debian and Fedora that patch their SSH daemon with liblzma. The initial compromise (version 5.6.0) allowed the injection of the backdoor into Debian and Fedora distributions. In the subsequent version (5.6.1) the attacker introduced more sophistication by enabling the execution of additional shell scripts during the build phase using binary test blobs. This was likely aimed at making future updates to the backdoor less conspicuous. The injection of malicious shell scripts occurs during the configure command execution modifying the Makefile to build and replace object files with infected counterparts. While the backdoors functionality remains consistent across both versions the methods for injecting and replacing object files differ providing insights into the actors motivations and long-term plans.