Info on the xz backdoor
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://tukaani.org/xz-backdoor/
Kostas on Twitter posted a helpful one-liner to check the xz version without running the actual command.
https://twitter.com/kostastsale/status/1773890846250926445
Versions 5.6.0 and 5.6.1 are backdoored.
Bash one-liner
The following Bash commands were taken and modified from the above Twitter link.
Here is a one-liner that checks the version of each xz binary on the PATH and reports whether it is safe or vulnerable. Run it in a Bash shell; it may have issues in sh.

    for xz_p in $(type -a xz | awk '{print $NF}'); do if ( strings "$xz_p" | grep "xz (XZ Utils)" | grep '5\.6\.0\|5\.6\.1' ); then echo "$xz_p Vulnerable"; else echo "$xz_p Safe"; fi; done

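A stricter variant of the check above, as an added example that is not from the original post or the linked tweet: it reads the same `xz (XZ Utils)` banner without executing the binary, compares the version exactly, and reports `unknown` instead of `Safe` when no banner is found (a wrapper script, for instance). The function names and the `--scan` argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: classify xz binaries by their embedded banner without running them.
BACKDOORED_VERSIONS="5.6.0 5.6.1"   # the two versions the page lists

# Print the X.Y.Z from the "xz (XZ Utils) X.Y.Z" banner inside a file, or nothing.
xz_embedded_version() {
    # -a reads the binary as text, -o prints only the matched banner.
    LC_ALL=C grep -a -o 'xz (XZ Utils) [0-9][0-9A-Za-z.+~-]*' "$1" 2>/dev/null |
        head -n 1 | awk '{print $NF}'
}

# Print "vulnerable", "safe" or "unknown" (no banner found) for one file.
xz_classify() {
    version=$(xz_embedded_version "$1")
    [ -n "$version" ] || { echo unknown; return 0; }
    for bad in $BACKDOORED_VERSIONS; do
        # Exact string match: a string such as 5.6.10 must not count as 5.6.1.
        [ "$version" = "$bad" ] && { echo vulnerable; return 0; }
    done
    echo safe
}

# Classify every file named xz in a colon-separated directory list (default: $PATH).
# Returns 1 if any is vulnerable so a job or playbook task can fail on it.
xz_check_path() {
    rc=0
    old_ifs=$IFS; IFS=:
    set -- ${1:-$PATH}          # split the list on ":" only
    IFS=$old_ifs
    for dir in "$@"; do
        candidate="${dir:-.}/xz"
        [ -f "$candidate" ] || continue
        verdict=$(xz_classify "$candidate")
        printf '%s %s\n' "$candidate" "$verdict"
        [ "$verdict" = vulnerable ] && rc=1
    done
    return "$rc"
}

# Run a scan only when asked, e.g. `bash xz_check.sh --scan`.
if [ "${1:-}" = "--scan" ]; then xz_check_path; fi
```
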
Ansible Playbooks
Here are two different Ansible Playbooks to check if the xz package(s) are backdoored.
This one uses the above Bash commands to check the xz binaries.
Ansible Playbook to Check xz Backdoor

    ---
    - name: Check if XZ tools are compromised
      # https://twitter.com/kostastsale/status/1773890846250926445
      hosts: all
      tasks:
        - name: Run Bash command
          # The folded scalar (>-) joins these lines into the one-liner shown earlier.
          ansible.builtin.shell: >-
            for xz_p in $(type -a xz | awk '{print $NF}'); do
            if ( strings "$xz_p" | grep "xz (XZ Utils)" | grep '5\.6\.0\|5\.6\.1' );
            then echo "$xz_p Vulnerable!"; else echo "$xz_p Safe"; fi; done
          args:
            executable: /bin/bash
          register: result
          # Read-only check: never report the host as changed.
          changed_when: false

        - name: Show output
          ansible.builtin.debug:
            msg: "{{ result.stdout_lines }}"

The following playbook uses the package manager to check the xz version. On RHEL/Fedora this is the xz package. On Debian/Ubuntu, it is part of the liblzma5 package.
Ansible Playbook to Check xz Backdoor using package manager

    ---
    - name: Check if XZ tools are compromised
      hosts: all
      tasks:
        - name: Collect package info
          ansible.builtin.package_facts:
            manager: auto

        - name: Check if liblzma5 is vulnerable (Ubuntu/Debian)
          ansible.builtin.debug:
            msg: "Installed version of liblzma5/xz: {{ ansible_facts.packages['liblzma5'] | map(attribute='version') | join(', ') }} Vulnerable!"
          when: >-
            ('liblzma5' in ansible_facts.packages) and
            (ansible_facts.packages['liblzma5'][0].version.split('-')[0] is version('5.6.0', '==')
            or ansible_facts.packages['liblzma5'][0].version.split('-')[0] is version('5.6.1', '=='))

        - name: Check if xz is vulnerable (RHEL/Fedora/Rocky/Alma)
          ansible.builtin.debug:
            msg: "Installed version of xz: {{ ansible_facts.packages['xz'] | map(attribute='version') | join(', ') }} is vulnerable"
          when: >-
            ('xz' in ansible_facts.packages) and
            (ansible_facts.packages['xz'][0].version is version('5.6.0', '==')
            or ansible_facts.packages['xz'][0].version is version('5.6.1', '=='))