Embedded Malicious Code Affecting liblzma-sys package, versions <0.3.2


Severity

Recommended: critical (CVSS 10)

CVSS assessment made by Snyk's Security Team

Threat Intelligence

  • Exploit Maturity: Mature
  • EPSS: 15.96% (97th percentile)

  • Snyk ID SNYK-RUST-LIBLZMASYS-6515733
  • published 2 Apr 2024
  • disclosed 29 Mar 2024
  • credit Andres Freund

How to fix?

Upgrade liblzma-sys to version 0.3.2 or higher.
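As an added check (not from the advisory or the liblzma-sys project), the following Rust program parses a Cargo.lock using only the standard library and flags any liblzma-sys entry below the fixed version 0.3.2; the lock-file contents are a constructed sample, and an unparseable version string is conservatively treated as vulnerable.

```rust
// Added example (not from the advisory or the liblzma-sys project): scan a
// Cargo.lock for liblzma-sys entries below 0.3.2, using only std (no toml crate).
#[derive(Debug)]
pub struct Package { pub name: String, pub version: String }
/// Reads `key = "value"` from one trimmed Cargo.lock line.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    rest.strip_prefix('"')?.strip_suffix('"').map(str::to_string)
}
fn push_if_complete(cur: Option<(Option<String>, Option<String>)>, pkgs: &mut Vec<Package>) {
    if let Some((Some(name), Some(version))) = cur { pkgs.push(Package { name, version }); }
}
/// Minimal Cargo.lock parser: collects name/version from every [[package]] table.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut pkgs = Vec::new();
    let mut cur: Option<(Option<String>, Option<String>)> = None;
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            push_if_complete(cur.take(), &mut pkgs);
            cur = Some((None, None));
        } else if let Some((name, version)) = &mut cur {
            if let Some(v) = quoted_value(line, "name") { *name = Some(v); }
            else if let Some(v) = quoted_value(line, "version") { *version = Some(v); }
        }
    }
    push_if_complete(cur, &mut pkgs);
    pkgs
}
/// Parses "MAJOR.MINOR.PATCH" into a comparable tuple; pre-release/build suffixes are dropped.
fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}
/// First fixed version per the advisory; an unparseable version is conservatively flagged.
pub const FIXED: (u64, u64, u64) = (0, 3, 2);
pub fn is_vulnerable(pkg: &Package) -> bool {
    pkg.name == "liblzma-sys" && parse_semver(&pkg.version).map_or(true, |v| v < FIXED)
}
pub fn find_vulnerable(lock: &str) -> Vec<Package> {
    parse_lock(lock).into_iter().filter(is_vulnerable).collect()
}
/// Constructed sample lock file (not from any real project).
pub const SAMPLE_LOCK: &str = r#"version = 3

[[package]]
name = "liblzma-sys"
version = "0.3.1"
dependencies = [
 "libc",
]
"#;
```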

Overview

liblzma-sys provides raw bindings to liblzma, which contains an implementation of LZMA and xz stream encoding/decoding.

Affected versions of this package are vulnerable to Embedded Malicious Code in the form of malicious .m4 files in the tarball distributions (which have since been taken down). These malicious build files contain build instructions not present in the upstream repository (https://git.tukaani.org/). The instructions execute a prebuilt object file from one of the test archives during the build process of the liblzma package. The files that contain most of the obfuscated code are:

  • tests/files/bad-3-corrupt_lzma2.xz
  • tests/files/good-large_compressed.lzma

The malicious test files were committed upstream, but because the malicious build instructions were not present in the upstream repository, they were never called or executed there.

Specifically, degraded or interrupted sshd performance has been observed, and that process or others may allow unauthenticated remote code execution.

The currently known conditions to enable this backdoor are:

  • xz / liblzma is built for amd64 / x86_64 architecture.
  • Build toolchain uses glibc (for the IFUNC resolver functionality).
  • The package is built for .deb or .rpm based Linux distros.
  • On those distros, the payload activates if the running process is /usr/sbin/sshd and it uses liblzma.

Current mitigations:

Tarballs signed by Lasse Collin are not infected, and lower versions, including 5.4.5 and 5.4.6, are confirmed not to be affected. Downgrading to a safe version is strongly recommended. If you can't downgrade, you should disable public-facing SSH servers until you can downgrade.

Disclaimer

This vulnerability is undergoing further analysis, and the advisory will be updated accordingly.

CVSS Scores

CVSS version 3.1

Snyk (Recommended): 10 critical
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

NVD: 10 critical

Red Hat: 10 critical