Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

Red Hat's urgent security alert raised concerns about two versions of the XZ Utils data compression library, 5.6.0 and 5.6.1, which were found to contain malicious code intended to enable unauthorized remote access. The attack, tracked as CVE-2024-3094 with a critical CVSS score of 10.0, targeted the liblzma build process and produced a modified library capable of intercepting and altering data interactions. Specifically, versions 5.6.0 and 5.6.1 contain malicious code that modifies functions during the build of liblzma, the data compression library shipped with XZ Utils. The nefarious code aimed to manipulate the sshd daemon process, which is reached through systemd, potentially allowing threat actors to circumvent authentication and gain control over systems remotely. The result is a critical security risk that ultimately grants attackers the ability to bypass authentication and access entire systems remotely. The malicious code shows how critical it is for organizations to follow best practices, including not exposing SSH directly to the internet and implementing additional security measures.

The discovery of this issue was credited to Microsoft engineer Andres Freund, who observed suspicious activity related to the compromised code on GitHub. The malicious code was introduced over a series of commits by a GitHub user named Jia Tan to the Tukaani Project's repository. This activity prompted GitHub to disable the affected repository due to a violation of its terms of service.

Security Officer Comments:
While there have been no reported exploits of this vulnerability in the wild, various Linux distributions have taken precautionary measures. Red Hat advised users to downgrade to a safe version of XZ Utils, while the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert recommending users mitigate risks associated with the compromised versions. Additionally, Linux distributions such as Fedora, Arch Linux, Kali Linux, openSUSE, and Debian have provided guidance on mitigating the impact of this supply chain attack, including downgrading to unaffected versions of XZ Utils.

Suggested Corrections:

  • for work or personal activity. Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed. Note that Fedora Rawhide is the development distribution of Fedora Linux, and serves as the basis for future Fedora Linux builds (in this case, the yet-to-be-released Fedora Linux 41). Current investigation indicates that the packages are only present in Fedora 40 and Fedora Rawhide within the Red Hat community ecosystem. No versions of Red Hat Enterprise Linux (RHEL) are affected.
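Before downgrading, a defender usually wants to know whether a given host is actually exposed: it must run one of the two backdoored XZ Utils releases, and its sshd must load liblzma (which happens through the systemd linkage described above). The following POSIX shell check is an added example, not code from Red Hat's advisory or from the XZ Utils project; it assumes `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line, that sshd lives at /usr/sbin/sshd, and that `ldd` is available. The sample outputs embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Exposure check for CVE-2024-3094 (added example; assumptions noted in the lead-in).

# Return 0 when the version string is one of the two backdoored releases.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract "X.Y.Z" from the first line of `xz --version` output.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Given `ldd` output for the sshd binary, return 0 if liblzma is mapped into it.
# The backdoor only reaches sshd when sshd (via libsystemd) pulls in liblzma.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Return 0 ("exposed") only when both conditions hold.
host_exposed() {
    ver=$(xz_version_from_output "$1")
    is_backdoored_xz_version "$ver" && sshd_links_liblzma "$2"
}

# Constructed sample outputs, useful for dry runs without touching the host.
SAMPLE_XZ_BAD="xz (XZ Utils) 5.6.1
liblzma 5.6.1"
SAMPLE_XZ_OK="xz (XZ Utils) 5.4.6
liblzma 5.4.6"
SAMPLE_LDD_WITH_LZMA="	libsystemd.so.0 => /lib/libsystemd.so.0 (0x00007f00)
	liblzma.so.5 => /lib/liblzma.so.5 (0x00007f01)"
SAMPLE_LDD_NO_LZMA="	libcrypto.so.3 => /lib/libcrypto.so.3 (0x00007f02)"

# Live check of this host; silently skipped when the tools are not present.
if command -v xz >/dev/null 2>&1 && [ -x /usr/sbin/sshd ] && command -v ldd >/dev/null 2>&1; then
    xz_out=$(xz --version 2>/dev/null)
    ldd_out=$(ldd /usr/sbin/sshd 2>/dev/null)
    if host_exposed "$xz_out" "$ldd_out"; then
        echo "EXPOSED: xz $(xz_version_from_output "$xz_out") is backdoored and sshd loads liblzma; downgrade to 5.4.x"
    else
        echo "not exposed: xz $(xz_version_from_output "$xz_out")"
    fi
fi
```

A host on 5.6.x whose sshd does not load liblzma is still running a compromised library and should be downgraded; the check only tells you whether the sshd path is open.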