CVE-2024-3094 · OWASP A03: Software Supply Chain Failures · CWE-506: Embedded Malicious Code · CVSS 10.0 Critical
xz-utils — supply-chain backdoor (nearly an SSH RCE)
A trusted maintainer slipped a hidden backdoor into a core Linux compression library.
What happened
Over two years a patient actor earned maintainer trust on xz-utils, then landed obfuscated code (hidden in test fixtures) that hooked sshd via liblzma, enabling remote code execution for whoever held the matching private key. It was caught by luck: a Microsoft engineer noticed sshd was ~500ms slower, days before it reached stable distros used by millions of servers.
The code
✕ Vulnerable — Supply chain
# Trusting a dependency because it's 'official' and popular:
# the build pulls the release tarball, runs its bundled build scripts,
# and never diffs the tarball against the git tree it claims to match
✓ Fixed — Supply chain
# Pin + verify: hash-lock every dependency, build from source you can
# reproduce, diff release tarballs vs the VCS tag, and minimize maintainer
# trust (multiple reviewers, signed commits). Watch for anomalies (that 500ms).
# For front-end CDN assets, use Subresource Integrity (SRI).
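The "pin + verify" step above, as an added example that is not part of this case study: a checker that compares a release tarball against a pinned SHA-256 and against the file tree at the VCS tag, so an extra or altered build script that exists only in the tarball is reported. The VCS tree, the tarballs and the file name m4/hidden-step.m4 are all constructed sample data, not xz-utils artifacts.

```python
"""Verify a release tarball against a pinned hash and the VCS tree it claims to match."""
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tarball(files: dict[str, bytes]) -> bytes:
    """Build a deterministic, uncompressed tar in memory (fixed mtime, sorted paths)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mtime = 0
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def tarball_members(data: bytes) -> dict[str, bytes]:
    """Map path -> contents for every regular file in the tarball."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name] = tf.extractfile(m).read()
    return out


def check_release(tarball: bytes, pinned_sha256: str, vcs_tree: dict[str, bytes]) -> list[str]:
    """Return findings; an empty list means the tarball matches the lock and the tag."""
    findings = []
    actual = sha256_hex(tarball)
    if actual != pinned_sha256:
        findings.append(f"hash mismatch: pinned {pinned_sha256[:12]}..., got {actual[:12]}...")
    members = tarball_members(tarball)
    # Files only in the tarball are the classic place to smuggle a build-time hook.
    for path in sorted(set(members) - set(vcs_tree)):
        findings.append(f"file in tarball but not in VCS tag: {path}")
    for path in sorted(set(members) & set(vcs_tree)):
        if members[path] != vcs_tree[path]:
            findings.append(f"content differs from VCS tag: {path}")
    return findings


# Constructed sample: tree at the VCS tag, the clean release built from it
# (whose hash a lockfile would pin), and a tampered release with an extra m4 script.
VCS_TREE = {"configure.ac": b"AC_INIT([demo], [1.0])\n",
            "src/lzma.c": b"int lzma_init(void) { return 0; }\n"}
CLEAN_TARBALL = make_tarball(VCS_TREE)
PINNED_SHA256 = sha256_hex(CLEAN_TARBALL)
TAMPERED_TARBALL = make_tarball({**VCS_TREE, "m4/hidden-step.m4": b"# runs at build time\n"})
```

Running check_release on CLEAN_TARBALL yields no findings; on TAMPERED_TARBALL it reports both the hash mismatch and the file that is absent from the tag.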
References
Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit. Benteng · a Palu Gada tool.