What is the Linux XZ Utils Backdoor Vulnerability?
Quick Definition: The Linux XZ Utils Backdoor was a critical vulnerability discovered in 2024 that would have given hackers open access to most servers connected to the internet.
Go watch your favorite movie that includes a hacker – it could be a heist movie, a thriller, or just the latest installment in the “Quite Quick and Irritated” franchise. At some point, the hacker will use a “backdoor” to access the “mainframe.” Backdoors are wildly popular in media – they hand-wave away technical details but let the audience feel like they know what’s going on. In reality, backdoors are real but much harder to find and exploit.
And yet, in Spring of 2024, a major Linux backdoor vulnerability was discovered. This is not an exaggeration: if it hadn’t been discovered and stopped, it probably would have been the most widespread, effective backdoor ever used. It has a few different names, but it’s generally called the XZ Utils Linux Backdoor, and it was years in the making.
If it had gone unnoticed, in a short time, the hackers could have had full and open access to most servers connected to the internet (and that’s A LOT of servers). Let’s talk briefly about what happened, who discovered it, and what topics you can study if you want to understand it more deeply.
Linux XZ Utils Backdoor Vulnerability Explained
On March 29, 2024, a Microsoft software engineer named Andres Freund reported the backdoor. He had discovered a vulnerability in a specific Linux component called “XZ Utils.” The official designation of the vulnerability is CVE-2024-3094.
Freund’s path to the discovery began when he noticed that using SSH was taking longer than it should (for context: “longer than it should” is a couple of milliseconds). Since the whole point of using SSH is that it’s meant to be the single most secure way to access devices remotely, weird delays when logging in weren’t a good sign.
We’re avoiding technical details, but Freund saw specifically that his SSH logins consumed too many CPU cycles and were throwing errors under Valgrind, a tool developers use to check programs for memory errors. To make a long and technical story short, Freund pieced together different cases of SSH behaving strangely and used them to backtrack to a set of data compression tools called XZ Utils.
Freund discovered that XZ Utils had been intentionally modified with malicious code over the last three years. The changes were small and subtle, but when combined with other pieces of the Linux operating system, they would give a hacker essentially total access to an entire server. The backdoor was getting positioned to be included in versions of Linux that would have reached basically all modern internet-facing servers.
Fortunately, the hackers’ puzzle pieces hadn’t all slid into place yet. Freund discovered the exploit while it was still being assembled. The government watchdog for such exploits, the National Institute of Standards and Technology (NIST), assigned “CVE-2024-3094” the highest possible vulnerability score of 10: Critical.
How Could One Linux Utility be so Powerful?
Remember, XZ Utils is a tool for data compression. It’s extremely useful and very good at what it does. But it’s not something you’d normally think could take down banks, hospitals, or (maybe) entire countries.
But modern technology isn’t one thing: it’s a tower of dependencies so old and complicated that most people don’t even know they exist. Sometimes, the whole house of cards rests on one piece of fundamental software that no one ever bothers to inspect. The xkcd comic “Dependency” illustrates this comedically.
Linux is open source. The nature of open-source development is that virtually anyone can make updates that are public and open to scrutiny. Without hierarchical direction, this can mean millions and millions of changes in different projects, codebases, and utilities that eventually have to be taken for granted.
This is a good thing usually: rather than reinvent the wheel (and that “wheel” is the entire internet), software developers and engineers can just build on the shoulders of those who came before. But this vulnerability is a good example of potential downsides.
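As an added illustration of that dependency tower (example code written for this article, not from the xz project, OpenSSH, or any Linux distribution), the script below walks a map of shared-library dependencies and reports the chain through which a compression library ends up loaded inside an SSH daemon. The dependency map and the `readelf -d` sample are constructed; the shape they mimic is real, though: on many distributions sshd is linked against libsystemd, which in turn links liblzma (the XZ Utils library), which is how a compression library came to sit inside the SSH login path at all.

```python
"""Trace how a library reaches a sensitive program through transitive
dependencies. Added example for this article; not code from xz, OpenSSH
or any Linux distribution. All sample data below is constructed.
"""
import re
from collections import deque

# Matches the NEEDED entries printed by `readelf -d <file>`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

# Constructed sample of `readelf -d` output for one shared object.
SAMPLE_READELF = """
Dynamic section at offset 0x1d8 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [liblzma.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libsystemd.so.0]
"""

# Constructed direct-dependency map (object -> its NEEDED entries), as you
# would get by running parse_needed over each file on a hypothetical host.
SAMPLE_NEEDED = {
    "sshd": ["libcrypto.so.3", "libsystemd.so.0", "libc.so.6"],
    "libsystemd.so.0": ["liblzma.so.5", "libzstd.so.1", "libc.so.6"],
    "libcrypto.so.3": ["libc.so.6"],
    "liblzma.so.5": ["libc.so.6"],
    "libzstd.so.1": ["libc.so.6"],
    "libc.so.6": [],
}


def parse_needed(readelf_output):
    """Return the direct NEEDED libraries listed in `readelf -d` output."""
    return NEEDED_RE.findall(readelf_output)


def load_closure(needed, start):
    """Every object the dynamic loader pulls in when `start` runs
    (excluding `start` itself)."""
    seen = set()
    queue = deque([start])
    while queue:
        obj = queue.popleft()
        if obj in seen:
            continue
        seen.add(obj)
        queue.extend(needed.get(obj, []))
    seen.discard(start)
    return seen


def dependency_path(needed, start, target):
    """Shortest chain of objects from `start` to `target`, or None.

    Breadth-first search over the direct-dependency map. The chain tells
    you *why* a library ends up in a process, not just that it does.
    """
    parent = {start: None}
    queue = deque([start])
    while queue:
        obj = queue.popleft()
        if obj == target:
            chain = []
            while obj is not None:
                chain.append(obj)
                obj = parent[obj]
            return chain[::-1]
        for dep in needed.get(obj, []):
            if dep not in parent:
                parent[dep] = obj
                queue.append(dep)
    return None


if __name__ == "__main__":
    print("direct deps parsed from sample readelf output:",
          parse_needed(SAMPLE_READELF))
    print("everything sshd loads:", sorted(load_closure(SAMPLE_NEEDED, "sshd")))
    chain = dependency_path(SAMPLE_NEEDED, "sshd", "liblzma.so.5")
    print("how liblzma reaches sshd:", " -> ".join(chain) if chain else "not loaded")
```

Fed real `readelf -d` output for each file on a host, the same functions answer the question every administrator asked in March 2024: does my SSH daemon load liblzma, and through which library? `ldd` alone gives the flat closure but not the chain, which is the part that explains how a compression tool became a login-path concern.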
In the case of XZ Utils, the “random person in Nebraska” (as Randall Munroe of xkcd put it) wasn’t Freund. It was a lone coder who had been maintaining XZ Utils as a hobby for years (that coder, Lasse Collin, had nothing to do with the malicious code).
At one point, he’d even raised concerns about his ability to keep maintaining XZ Utils due to mental health and personal issues. He became the target of the hackers. They exploited the fact that he was the only overworked, unpaid person quietly maintaining an essential part of the entire Linux ecosystem.
In 2021, a GitHub user known as Jia Tan (GitHub user JiaT75) started “helping” with XZ Utils. Over three years, Jia Tan made subtle changes and updates to the application. Some were legitimate updates designed to make Jia Tan seem like an earnest open-source contributor. But some were laying the groundwork for the massive SSH backdoor that would be installed on every device that used XZ Utils.
In this case, very sophisticated, well-researched, careful hackers exploited the trust built into the open-source system. They embedded the seeds of a massive vulnerability into one of the oldest and most commonly used parts of Linux.
Learn More About the XZ Utils Backdoor
To learn more about this vulnerability, Evan Boehs wrote a timeline of events that focuses on the hackers’ tactics rather than the Linux technicalities, and explainxkcd helps make sense of the dependency-stack comic mentioned earlier.
When it comes down to it, the fact that Freund noticed the strange behavior in the first place is incredibly good luck. Several things had to go right for him to spot the problem, and fortunately for the rest of us, they did. But there’s a more important message: he also had to be technically savvy enough to make sense of the unusual patterns while diligently debugging to uncover the true culprit.
If reading about Andres Freund excites you, a Linux development or cybersecurity career might suit you. What he uncovered and how he did it is the product of years of experience and technical expertise. Fully understanding what the XZ Utils backdoor was capable of and how it was created is only possible with deep familiarity with Linux, SSH, and many other dependencies.
The start of this journey is with a course on Linux. CBT Nuggets offers many online Linux courses that can take you from your current understanding of Linux to the next, no matter where you find yourself.
The LPI Linux Essentials is a broad tutorial on the OS. Want something that leads to a professional certification? The LPIC-1 and LPIC-2 courses are designed to prepare you for the beginner and intermediate Linux certs.
The other side of the coin is cybersecurity. CBT Nuggets has an extensive catalog of courses that can help you master all the hardware and software of a certain manufacturer (like Palo Alto) or earn certifications (like the ones from ISC2). They also have specialty courses that teach advanced skills, such as being a White Hat Hacker.
Want to try a CBT Nuggets course? Get a free 7-day trial.