
CVE-2024-3094: Detecting the SSHD backdoor in XZ Utils

Blog post from Sysdig

Post Details
Company: Sysdig
Date Published:
Author: Michael Clark
Word Count: 753
Language: English
Summary

On March 29, 2024, a backdoor was discovered in XZ Utils, specifically in the liblzma compression library, which ends up inside the sshd process on distributions that patch OpenSSH to link against libsystemd (libsystemd in turn depends on liblzma). The issue, tracked as CVE-2024-3094, subverts sshd authentication: an attacker holding the private key matching the backdoor can bypass authentication and run commands on the host, whatever authentication method the server is configured for. The malicious code was committed to the XZ Utils GitHub repository in February 2024 and shipped in releases 5.6.0 and 5.6.1; it was hidden in binary test files and spliced in by the build scripts, and the payload itself was obfuscated, which made it hard to spot in review. Bleeding-edge Linux distributions, notably Fedora 41 and Fedora Rawhide, were the ones primarily exposed, because they had already packaged the compromised builds of the library; most stable releases had not. The backdoored library can be found by vulnerability management tools, which flag the affected package versions, and at runtime by tools such as Falco and the Sysdig Secure CNAPP platform, which alert when the sshd process opens the backdoored liblzma shared object. The incident illustrates the growing prevalence of software supply chain attacks and why runtime threat detection belongs alongside static scanning in defending the software supply chain.
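The two checks the summary describes, the package version and whether sshd actually pulls in liblzma, can be combined into a host-side triage script. The script below is an added example written for this page; it is not Sysdig's code, not a Falco rule, and not part of the original post. It assumes that `xz --version` prints a `liblzma X.Y.Z` line and that `ldd` lists each resolved shared object as `name => path (address)`; the sample outputs embedded in it are constructed, not captured from a real host. Because `ldd` follows transitive dependencies, liblzma shows up in sshd's listing even when it is only reached through libsystemd, which is exactly the path the backdoor relied on. Note that a runtime detector only fires when sshd (re)loads the library, so the version check is the one to run first on a host that has not been restarted since the package was installed.

```shell
#!/bin/sh
# Added example for CVE-2024-3094 triage; not Sysdig's or the xz project's code.
# Assumptions: `xz --version` prints a line "liblzma X.Y.Z", and `ldd` prints
# one resolved library per line as "name => /path (0x...)".

# The backdoor shipped in XZ Utils releases 5.6.0 and 5.6.1 only.
xz_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the liblzma version out of captured `xz --version` text.
liblzma_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p'
}

# Given `ldd` output for an sshd binary, print the liblzma path it resolves to
# (empty if sshd does not link liblzma, directly or transitively).
liblzma_path_from_ldd() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*liblzma\.so[^=]*=> *\([^ ]*\).*/\1/p'
}

# Verdict: prints AFFECTED/NOT_AFFECTED with version and path, or NOT_LINKED.
# Returns 0 only when sshd links an affected liblzma.
sshd_verdict() {
    ver="$(liblzma_version_from_output "$1")"
    lib="$(liblzma_path_from_ldd "$2")"
    if [ -z "$lib" ]; then
        echo NOT_LINKED
        return 1
    fi
    if xz_affected "$ver"; then
        echo "AFFECTED $ver $lib"
        return 0
    fi
    echo "NOT_AFFECTED $ver $lib"
    return 1
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_XZ_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_LDD_LINKED='    linux-vdso.so.1 (0x00007ffc12345000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1234567000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1234500000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1234200000)'
SAMPLE_LDD_UNLINKED='    linux-vdso.so.1 (0x00007ffc12345000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1234200000)'

# Check this host when xz and sshd are present; otherwise demonstrate on the samples.
if command -v xz >/dev/null 2>&1 && command -v sshd >/dev/null 2>&1; then
    sshd_verdict "$(xz --version 2>/dev/null)" "$(ldd "$(command -v sshd)" 2>/dev/null)" || true
else
    sshd_verdict "$SAMPLE_XZ_BAD" "$SAMPLE_LDD_LINKED" || true
fi
```

On the constructed samples the script prints `AFFECTED 5.6.1 /lib/x86_64-linux-gnu/liblzma.so.5`; a host whose sshd does not resolve liblzma at all prints `NOT_LINKED`, which is the expected result on distributions that do not carry the libsystemd patch to OpenSSH.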