The XZ utils backdoor, tracked as CVE-2024-3094, is the worst security vulnerability of 2024 so far. It has been assigned a base score of 10.0, the highest possible rating for a security vulnerability. It is a far-reaching attack that targets servers running the Linux operating system. These servers make up most of the internet’s infrastructure.
Engineers and businesses worldwide have had to halt their regular operations to address this vulnerability and review and apply patches to their internal systems. This has been costly and time-consuming for many of them.
At MASV, we have been monitoring the situation attentively. Our systems remain unaffected. Our customers can continue using MASV without any disruptions. And those who have been affected or aren’t confident in their current file transfer solution can sign up and make the switch to MASV today.
For more details on the XZ backdoor vulnerability and guidance on responding to such incidents, keep reading.
💡 Heads up: The fallout from this vulnerability is evolving. We will update this page as more information is released.
About the XZ Utils Backdoor
XZ is a popular compression utility used by many server operating systems. They depend on XZ for common, frequent IT tasks like managing software and system updates.
This backdoor targets Linux servers. Its malicious code is hidden in the XZ library, which some Linux distributions load into the OpenSSH (sshd) service. Ironically, sshd itself is a trusted, industry-standard service for connecting to a computer securely over the network. Normally, sshd requires a remote user to authenticate with a password or a key. But if a server runs an affected version of XZ and is configured to allow external access to sshd, the backdoor lets an attacker bypass that authentication and reach the server’s internal systems. From there, the attacker can take full control.
Not only was this backdoor planted intentionally, it’s especially serious because its effect is so widespread. The world’s networking infrastructure mostly runs on Linux. Millions of servers worldwide could be affected just because they are running one of several popular Linux distributions.
Two other aspects of this vulnerability are concerning:
- The way it was discovered
- The dedicated social engineering
First off, the backdoor would have wreaked havoc if not for Andres Freund, an engineer who discovered the threat by accident while investigating a latency issue caused by the backdoor. The latency in question? 500 milliseconds.
Second, this vulnerability wasn’t a chance encounter. It was a calculated, two-year plan in which “Jia Tan” (the architect of the backdoor) methodically created a scenario to increase pressure on the project’s maintainer with bogus complaints and bug reports. The goal was for the maintainer to become overwhelmed and ask the open source community for help with maintenance, at which point Jia Tan stepped in.
It’s reasonable to assume that there are similarly stealthy, undiscovered backdoors running right now on countless servers.
What You Should Do Now
If you’re self-hosting your file transfers and storage, you should act on this vulnerability immediately:
- Ensure that your IT administrators have a corrective plan in place to review and update on-premise servers that are affected.
- If your organization uses cloud services, check with these providers to see if they’ve released an official statement and, if needed, fixed this vulnerability.
- If your office has its own NAS server or other on-premise hardware, check with vendors for updates.
- Likewise, you should also check with other OS vendors, like Apple and Microsoft, to make sure your computer is not affected directly or indirectly.
- While self-hosted systems are being worked on, consider using an alternative solution. MASV is the best alternative, offering a turn-key and commitment-free option to maintain organization-wide productivity without compromising on performance. Sign up here.
- Lastly, as the situation evolves, it’s wise to allocate additional budget for IT expenses to ensure continuous monitoring and updates as required.
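As an added example (not MASV’s code and not part of the original post), the following POSIX shell script audits a Linux host for the three conditions described above: an XZ build from an affected release, an sshd binary that loads XZ’s liblzma library, and an sshd that accepts connections from outside the host. The affected version list is deliberately not hard-coded; supply it from your distribution’s advisory through the assumed `AFFECTED_XZ_VERSIONS` environment variable, and run the script as `sh xz_audit.sh --live` (as root, so `ss` can show process names).

```shell
#!/bin/sh
# Added audit helper, not MASV's code. Checks the conditions the post describes:
# an XZ build from an affected release, an sshd that links XZ's liblzma, and an
# sshd bound to a non-loopback address. AFFECTED_XZ_VERSIONS is a placeholder
# you must set from your distribution's advisory (space-separated versions).

# First line of `xz --version` looks like "xz (XZ Utils) 5.4.1"; returns "5.4.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Exit 0 if version $1 appears in the space-separated list $2.
version_in_list() {
    for v in $2; do [ "$1" = "$v" ] && return 0; done
    return 1
}

# Exit 0 if `ldd <sshd>` output ($1) shows liblzma linked into the binary.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Exit 0 if `ss -tlnpH` output ($1) has sshd listening on anything but loopback.
# Column 4 is the local address:port, e.g. "0.0.0.0:22", "[::]:22", "127.0.0.1:22".
sshd_exposed() {
    printf '%s\n' "$1" | grep '"sshd"' | awk '{print $4}' \
        | grep -Evq '^(127\.[0-9.]*|\[::1\]):[0-9]+$'
}

# Live audit: gathers real data from this host and prints one verdict per check.
run_live_audit() {
    affected="${AFFECTED_XZ_VERSIONS:?set to the versions in your distro advisory}"
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
    if version_in_list "$ver" "$affected"; then
        echo "WARN xz $ver is on the affected list"
    else
        echo "ok   xz ${ver:-not found}"
    fi
    if links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
        echo "WARN $sshd_bin links liblzma (a backdoored XZ could run inside sshd)"
    else
        echo "ok   sshd does not link liblzma"
    fi
    if sshd_exposed "$(ss -tlnpH 2>/dev/null)"; then
        echo "WARN sshd accepts connections from outside this host"
    else
        echo "ok   sshd is loopback-only or not listening"
    fi
}

if [ "${1:-}" = "--live" ]; then run_live_audit; fi
```

A WARN on all three lines means the host matches the exposure described in the post and should be patched and isolated first; a WARN on the third line alone is still worth reviewing against MASV’s own practice of blocking external sshd access.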
What You Can Do From Now On
If your business self-hosts file transfers and storage, attacks like the XZ utils backdoor might be putting you especially at risk. You can protect your data by investing in good security practices:
- Regularly monitor your file server activity, especially for servers that give access to remote users.
- Train your staff to follow secure practices when using your servers.
- Audit the services, libraries, and other software running on your servers.
- Consider increasing your IT budget to support these security tasks.
- Consider migrating from self-hosted setups to cloud-based environments. They have dedicated teams monitoring their systems and can swiftly and uniformly apply patches in case of vulnerabilities.
Transfer Data Securely with MASV
If you’re a MASV user, your transfers and files are still safe. You probably noticed that there was no disruption from us because of this vulnerability:
- MASV Web App runs in your browser, and browsers don’t use sshd.
- MASV Desktop App does not use XZ and does not use sshd.
- The cloud infrastructure that MASV runs on is not affected.
- As part of its rigorous security practices, MASV configures its internal network servers to block external sshd access.
Nobody can be completely immune to security threats, but we keep security in mind at every step of MASV’s development, testing, and operation. We know that your business depends on protecting your intellectual property and hard work. And we know that your business might not have security experts on staff.
That’s why we’ve made the commitment to comply with ISO 27001 and SOC 2. And we’re on the vendor roster of the Trusted Partner Network (TPN). In fact, we’ve just graduated to Gold Shield status.
As for protecting your personal information, we also comply with the EU’s General Data Protection Regulation (GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
MASV is Serious About Security
We regularly cover topics in data security because we know that the XZ utils backdoor is only one way for attackers to take advantage of you.
Specifically, we’ve spoken at length about the pitfalls of self-hosting and why cloud environments are more secure, flexible, and cost-efficient.
For example, just last year, IBM’s Aspera servers were affected by CVE-2022-47986. This vulnerability was almost as severe as the XZ utils backdoor. Organizations with self-hosted Aspera servers had to divert IT resources to quickly react to it or risk getting hacked.
Then there are other threats besides supply chain attacks like the XZ utils backdoor. Businesses also have to devote resources to preventing attacks like phishing, malware and ransomware, and denial of service (DoS).
MASV Solves the Hard Problems of File Transfer
Self-hosting your file transfers definitely has advantages, but it comes with an additional cost for maintenance and security. MASV is the solution that reduces those costs so your business can focus on what it does best.
Once again, we’re seeing how hard it is to self-host fast, reliable, secure file transfers. MASV has the expertise and experience to solve these hard problems for you, including avoiding malicious attacks like the XZ utils backdoor.