
CVE-2024-3094: Active Exploitation of XZ Utils 'Copy Fail' Backdoor — Detection and Remediation

Security Arsenal Team
May 4, 2026
6 min read

The worst-case scenario for supply chain security has materialized. CISA has added CVE-2024-3094 to its Known Exploited Vulnerabilities (KEV) catalog following confirmation from Microsoft that active exploitation has begun. This is not a theoretical buffer overflow; it is a backdoor deliberately inserted into the build process of XZ Utils, whose liblzma compression library is used across Linux distributions.

This vulnerability, tracked as the 'Copy Fail' issue during its discovery, gives an attacker who holds the right private key unauthenticated remote code execution on affected SSH daemons. The path in is indirect: on Debian- and Fedora-style systems, sshd is patched to link libsystemd for service notification, and libsystemd loads liblzma, so the backdoored library ends up inside the sshd process. Given how widely that configuration is deployed, the potential for initial access, lateral movement and persistence is severe. Security teams must immediately identify and patch vulnerable instances.

Technical Analysis

CVE Identifier: CVE-2024-3094
CVSS Score: 10.0 (Critical)
Affected Component: xz (XZ Utils) / liblzma
Affected Versions: 5.6.0 and 5.6.1 (builds made from the release tarballs)

The Vulnerability

This is a supply-chain compromise rather than a coding mistake. An account that had worked its way into co-maintaining the xz project committed obfuscated test files to the repository and shipped a modified build script (build-to-host.m4) only inside the 5.6.0 and 5.6.1 release tarballs. During the build, that script extracts code hidden in the test files and links it into the resulting liblzma shared object, which is why a build from a plain git checkout does not carry the backdoor. The payload specifically targets sshd on x86-64 glibc systems where the distribution has patched sshd to link libsystemd, which in turn loads liblzma.

Attack Chain

  1. Initial Compromise: The attacker commits the obfuscated test files upstream and includes the malicious build script in the 5.6.0/5.6.1 release tarballs.
  2. Ingestion: Rolling and pre-release distributions incorporate these versions into testing/unstable repositories (e.g., Debian sid, Fedora Rawhide and the Fedora 40 beta, Kali).
  3. Execution: When sshd starts, libsystemd pulls in the backdoored liblzma. Using a glibc ifunc resolver that runs at load time, the library hooks OpenSSL's RSA_public_decrypt, the function sshd calls during public-key authentication.
  4. Authentication Bypass: The hook inspects the RSA modulus of the client's certificate for a payload signed with the attacker's Ed448 private key (the matching public key is embedded in the library). If the signature verifies, the embedded command is passed to system() as root before authentication completes; otherwise the original function runs and the backdoor stays invisible. There is no way for a third party to use the backdoor without that private key, which is also why no public exploit can be expected.

Exploitation Status

Microsoft has observed limited, targeted exploitation in which proof-of-concept (PoC) activity turned into active attacks. Inclusion in the CISA KEV catalog obliges federal civilian executive branch agencies to remediate by the due date listed in the catalog entry, and critical infrastructure partners are urged to follow the same timeline.

Detection & Response

Detecting exposure starts with inventory: find hosts carrying the backdoored library versions or the malicious test files. Two caveats apply. A version match is a trigger for verification, not proof: a 5.6.x library built from a git checkout rather than the release tarball does not carry the backdoor, and rebuilt distribution packages may still carry a 5.6.x string in their names. And the test files exist only where an xz source tree was unpacked or built (build hosts, CI runners, developer machines), never on hosts that installed the binary package. The following rules and queries hunt for these indicators without generating excessive noise in standard environments.
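Because version strings and filenames only tell you that a host needs a closer look, the check a responder actually wants is whether the liblzma that sshd would load contains the injected code. The script below is an added example written for this page, not one of the page's own rules and not from the xz project. It resolves the library from sshd's dynamic dependencies and scans it for the byte pattern published with the original disclosure's detection script; the sshd path /usr/sbin/sshd is an assumed default and can be overridden with the first argument.

```shell
#!/bin/sh
# Added example: verify whether the liblzma that sshd would load carries the
# CVE-2024-3094 backdoor by looking for injected bytes rather than a version string.

# Prologue of the injected function, as published in the original disclosure's detect.sh.
XZ_BACKDOOR_SIG='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

# Return 0 if the file contains the backdoor byte pattern, 1 otherwise.
# od is POSIX; -v stops it folding repeated lines into '*', which would hide bytes.
has_backdoor_signature() {
    [ -r "$1" ] || return 1
    od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$XZ_BACKDOOR_SIG"
}

# Return 0 if the sshd binary links libsystemd, the dependency that drags
# liblzma into sshd on Debian- and Fedora-style builds.
sshd_links_libsystemd() {
    [ -x "$1" ] && command -v ldd >/dev/null 2>&1 || return 1
    ldd "$1" 2>/dev/null | grep -q 'libsystemd'
}

# Print the liblzma path sshd would load, via ldd on sshd itself; fall back to
# the loader cache when sshd is absent. Prints nothing if it cannot be resolved.
resolve_liblzma() {
    if [ -x "$1" ] && command -v ldd >/dev/null 2>&1; then
        ldd "$1" 2>/dev/null | awk '/liblzma/ { print $3; exit }'
    elif command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | awk '/liblzma\.so\.5/ { print $NF; exit }'
    fi
}

main() {
    sshd_bin="${1:-/usr/sbin/sshd}"   # assumed default location
    if sshd_links_libsystemd "$sshd_bin"; then
        echo "[INFO] $sshd_bin links libsystemd; liblzma is reachable from sshd"
    else
        echo "[INFO] $sshd_bin does not link libsystemd (or was not found); exposure is lower but the library may still be present"
    fi
    lib=$(resolve_liblzma "$sshd_bin")
    if [ -z "$lib" ]; then
        echo "[INFO] could not resolve a liblzma on this host"
        return 0
    fi
    if has_backdoor_signature "$lib"; then
        echo "[ALERT] backdoor signature present in $lib"
        return 1
    fi
    echo "[OK] no backdoor signature in $lib"
}

main "$@"
```

Run it as root on the suspect host. ldd executes the dynamic loader against its argument, so point it only at the system's own sshd; for a binary you do not trust, list dependencies with `objdump -p FILE | grep NEEDED` instead and pass the library path to `has_backdoor_signature` directly. A signature hit is confirmation of the backdoored build; a miss on a 5.6.x library indicates a build from git sources, which should still be replaced.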

YAML
---
title: XZ Utils Backdoored Version Installed via Package Manager
id: 1a2b3c4d-5e6f-7890-1a2b-3c4d5e6f7890
status: experimental
description: |
  Detects package-manager invocations that install or pin the backdoored XZ Utils
  releases (5.6.0 or 5.6.1). "xz --version" prints the version on stdout, which
  process-creation telemetry does not capture, so this rule can only match where the
  version was named on the command line; confirm installed versions from the package
  database or the library file itself.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-3094
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2024/04/02
tags:
  - attack.initial_access
  - attack.t1195.002
  - attack.t1190
logsource:
  category: process_creation
  product: linux
detection:
  selection_pkgmgr:
    Image|endswith:
      - '/apt'
      - '/apt-get'
      - '/dpkg'
      - '/dnf'
      - '/yum'
      - '/rpm'
      - '/pacman'
      - '/apk'
  selection_pkg:
    CommandLine|contains: 'xz'
  selection_version:
    CommandLine|contains:
      - '5.6.0'
      - '5.6.1'
  condition: all of selection_*
falsepositives:
  - Administrators installing a clean, reverted package whose version string still carries 5.6.x (for example Debian's "5.6.1+really5.4.5" naming)
level: critical
---
title: XZ Utils Malicious Test File Written to Disk
id: 2b3c4d5e-6f78-901a-2b3c-4d5e6f789012
status: experimental
description: |
  Detects creation of the two test files that carried the backdoor payload in the
  XZ Utils 5.6.0/5.6.1 source trees. These files exist only where the source was
  unpacked or built (build hosts, CI runners, developer machines), not on systems
  that installed the binary package.
references:
  - https://github.com/tukaani-project/xz/releases
author: Security Arsenal
date: 2024/04/02
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  product: linux
  category: file_event
detection:
  selection:
    TargetFilename|endswith:
      - '/tests/files/bad-3-corrupt_lzma2.xz'
      - '/tests/files/good-large_compressed.lzma'
  condition: selection
falsepositives:
  - Developer or build machines legitimately unpacking an xz source tree
level: high

KQL (Microsoft Sentinel / Defender)

These queries hunt for package-manager invocations that installed the vulnerable xz versions and for inventory hits from Defender Vulnerability Management. Both DeviceProcessEvents and the DeviceTvm* tables are populated by the Defender for Endpoint sensor on onboarded Linux hosts, not by the Syslog connector. Run the two queries separately.

KQL — Microsoft Sentinel / Defender
// Hunt 1: package-manager invocations that installed or pinned a backdoored xz release.
// "xz --version" prints the version on stdout, which process telemetry does not record,
// so command-line matching only works where the version was named explicitly.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("apt", "apt-get", "dpkg", "dnf", "yum", "rpm", "pacman", "apk")
| where ProcessCommandLine has "xz"
| where ProcessCommandLine has_any ("5.6.0", "5.6.1")
| project DeviceName, Timestamp, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

// Hunt 2: installed-software inventory from Defender Vulnerability Management,
// which reports the package version however it was installed.
DeviceTvmSoftwareInventoryVulnerabilities
| where CveId == "CVE-2024-3094"
| project DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, CveId

Velociraptor VQL

This artifact hunts for the backdoor indicators on the endpoint: liblzma files carrying a backdoored version suffix, and the obfuscated test files in unpacked source trees. Hits are hashed so they can be compared against the distribution's package data; a filename alone is an indicator, not confirmation.

VQL — Velociraptor
-- Hunt for XZ Utils backdoor indicators. Library hits are hashed so a match
-- can be checked against package data before it is called a compromise.
LET VulnLibs = SELECT OSPath, Size, Mtime, hash(path=OSPath).SHA256 AS SHA256
  FROM glob(globs=['/usr/lib/**/liblzma.so.5.6.0',
                   '/usr/lib/**/liblzma.so.5.6.1',
                   '/usr/lib64/**/liblzma.so.5.6.0',
                   '/usr/lib64/**/liblzma.so.5.6.1'])

-- The malicious test files exist only where a source tree was unpacked or
-- built; narrow these globs to build roots on large hosts.
LET TestFiles = SELECT OSPath, Size, Mtime, hash(path=OSPath).SHA256 AS SHA256
  FROM glob(globs=['/**/tests/files/bad-3-corrupt_lzma2.xz',
                   '/**/tests/files/good-large_compressed.lzma'])

SELECT * FROM chain(a=VulnLibs, b=TestFiles)

Remediation Script (Bash)

The following script identifies and remediates the vulnerable package. It checks the installed xz version and the on-disk liblzma, pulls the distribution's fixed package, and restarts sshd so that the old library is unloaded. Run it as root.

Bash / Shell
#!/bin/bash

# CVE-2024-3094 Remediation Script
# Checks for the backdoored XZ Utils versions and, if found, installs the
# distribution's fixed package and restarts sshd so the old library is unloaded.

LOG_FILE="/var/log/xz_remediation.log"
log() { echo "$*" | tee -a "$LOG_FILE"; }

log "Starting XZ Utils remediation check: $(date)"

# Returns 0 if xz is absent or not a backdoored release, 1 if it is.
# "xz --version" prints e.g. "xz (XZ Utils) 5.6.1", so the version is the last field.
check_version() {
    if ! command -v xz &> /dev/null; then
        log "[INFO] xz is not installed."
        return 0
    fi
    VERSION=$(xz --version | head -n 1 | awk '{print $NF}')
    log "Detected XZ Version: $VERSION"
    case "$VERSION" in
        5.6.0|5.6.1)
            log "[ALERT] Vulnerable version $VERSION found."
            return 1 ;;
        *)
            log "[OK] Version $VERSION is not a backdoored release."
            return 0 ;;
    esac
}

# Returns 1 if a liblzma file with a backdoored version suffix exists.
# The library, not the xz binary, is what sshd loads, so check both the
# merged-/usr layout and legacy /lib locations.
check_libs() {
    log "Checking for vulnerable liblzma libraries..."
    if find /usr /lib /lib64 \( -name "liblzma.so.5.6.0" -o -name "liblzma.so.5.6.1" \) 2>/dev/null | grep -q .; then
        log "[ALERT] Vulnerable library file found."
        return 1
    fi
    return 0
}

# Restart sshd so a replaced liblzma is actually unloaded from memory.
restart_sshd() {
    if systemctl restart sshd 2>/dev/null || systemctl restart ssh 2>/dev/null; then
        log "sshd restarted."
    else
        log "[WARN] Could not restart sshd automatically; restart it manually."
    fi
}

# Both checks must pass; either one failing means remediation is needed.
if check_version && check_libs; then
    log "No immediate action required based on version check."
else
    log "Attempting remediation..."
    # Fixed packages may carry a lower version than 5.6.x (distributions reverted
    # to 5.4.x), so use operations that follow the repository version in either
    # direction where the package manager supports it.
    if command -v apt-get &> /dev/null; then
        apt-get update
        apt-get install --only-upgrade -y xz-utils liblzma5
    elif command -v dnf &> /dev/null; then
        dnf distro-sync -y xz xz-libs
    elif command -v yum &> /dev/null; then
        yum distro-sync -y xz xz-libs
    elif command -v apk &> /dev/null; then
        apk update && apk upgrade xz xz-libs
    else
        log "[ERROR] No known package manager found. Manually install a clean XZ Utils build (5.4.6, or 5.6.2 or later)."
        exit 1
    fi
    restart_sshd
    log "Remediation attempt complete. Re-run this script to verify."
fi

log "Remediation script finished: $(date)"

Remediation

  1. Immediate Patching: Move to a clean build. Upstream 5.6.2 and later releases do not contain the backdoor, and 5.4.6 is the last release before the compromised series; if your distribution's repository still only offers 5.6.0/5.6.1, downgrade to 5.4.6.
  2. Distribution Actions: Major distributions have released emergency updates:
    • Red Hat / Fedora: No RHEL release shipped 5.6.x. Fedora Rawhide and the Fedora 40 beta reverted to xz-5.4.x.
    • Debian: Only sid/testing shipped 5.6.x; upgrade to the reverted 5.4.x build. Stable (bookworm) was never affected.
    • Ubuntu: The 5.6.x packages were pulled from the Ubuntu 24.04 LTS (Noble) development archive and rebuilt; no released Ubuntu version shipped them.
  3. Restart Services: After updating, you must restart the SSH daemon to unload the compromised library from memory; a replaced file on disk does nothing for an sshd that is already running:
    • sudo systemctl restart sshd (RHEL/CentOS/Fedora)
    • sudo systemctl restart ssh (Debian/Ubuntu)
  4. Investigate Compromise: If a host ran a vulnerable version with sshd exposed, assume potential compromise. Review sshd logs for sessions that do not correspond to a successful authentication, look for shells or other children spawned by the sshd process as root, audit root logins and sudo activity over the exposure window, and rotate SSH host keys, user keys and any credentials stored on the host.
  5. CISA Deadline: Under Binding Operational Directive (BOD) 22-01, federal civilian agencies must remediate KEV entries by the due date CISA assigns in the catalog entry; check the entry for CVE-2024-3094 for the current date. Private sector organizations should treat that timeline as the baseline for critical infrastructure.
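Step 3 is the one most often skipped: the package manager replaces the file on disk, but an sshd started before the update keeps the old library mapped, and /proc/PID/maps then shows the mapping with a "(deleted)" marker. The script below is an added example for this page, not the page's own tooling, that reads each running sshd's maps and flags a mapped 5.6.0/5.6.1 liblzma whether or not the file has since been unlinked. The two sample maps excerpts are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: confirm that no running sshd still has a backdoored liblzma mapped
# after the package update and service restart.

# Return 0 if the supplied /proc/PID/maps text maps liblzma 5.6.0 or 5.6.1,
# including the "(deleted)" case where the file was replaced on disk but the
# process was never restarted; 1 otherwise.
maps_has_vulnerable_liblzma() {
    printf '%s\n' "$1" | awk '
        /\/liblzma\.so\.5\.6\.[01]( \(deleted\))?$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the first liblzma mapping path from maps text, keeping any "(deleted)"
# marker. The pathname is field 6 onward (address perms offset dev inode path).
maps_liblzma_path() {
    printf '%s\n' "$1" | awk '/liblzma\.so/ {
        s = $6; for (i = 7; i <= NF; i++) s = s " " $i; print s; exit }'
}

# Walk every sshd process and report which liblzma it has mapped. Reading another
# process's maps requires root. A stale mapping means that process must be restarted.
check_running_sshd() {
    status=0
    for pid in $(pgrep -x sshd 2>/dev/null); do
        maps=$(cat "/proc/$pid/maps" 2>/dev/null) || continue
        lib=$(maps_liblzma_path "$maps")
        if maps_has_vulnerable_liblzma "$maps"; then
            echo "[ALERT] sshd pid $pid still maps $lib; restart the service"
            status=1
        else
            echo "[OK] sshd pid $pid maps ${lib:-no liblzma}"
        fi
    done
    return $status
}

# Constructed sample (not captured from a real host): an sshd started before the
# update, so the replaced library file is unlinked but still mapped.
SAMPLE_STALE_MAPS='7f0a1c200000-7f0a1c22b000 r--p 00000000 fd:01 131455 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 (deleted)
7f0a1c22b000-7f0a1c3c8000 r-xp 0002b000 fd:01 131455 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 (deleted)
7f0a1c400000-7f0a1c5a0000 r-xp 00000000 fd:01 131200 /usr/lib/x86_64-linux-gnu/libc.so.6'

# Constructed sample of an sshd restarted after the reverted 5.4.x package was installed.
SAMPLE_CLEAN_MAPS='7f0a1c200000-7f0a1c22b000 r--p 00000000 fd:01 131456 /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5
7f0a1c400000-7f0a1c5a0000 r-xp 00000000 fd:01 131200 /usr/lib/x86_64-linux-gnu/libc.so.6'

if maps_has_vulnerable_liblzma "$SAMPLE_STALE_MAPS"; then
    echo "[demo] stale sample flagged: $(maps_liblzma_path "$SAMPLE_STALE_MAPS")"
fi
if ! maps_has_vulnerable_liblzma "$SAMPLE_CLEAN_MAPS"; then
    echo "[demo] clean sample passes: $(maps_liblzma_path "$SAMPLE_CLEAN_MAPS")"
fi

check_running_sshd
```

The same check applies to any other long-running process that links liblzma; adjust the pgrep pattern accordingly. Note that a clean restart is only meaningful once the on-disk library has already been replaced, so run this after the package update, not before.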
