A vulnerability (CVE-2024-3094) in XZ Utils, the XZ format compression utilities included in most Linux distributions, may “enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely,” Red Hat warns.
The cause of the vulnerability is actually malicious code present in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries, which was accidentally found by Andres Freund, a PostgreSQL developer and software engineer at Microsoft.
“After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored,” he shared via the oss-security mailing list.
About CVE-2024-3094
According to Red Hat, the malicious injection in the vulnerable versions of the libraries is obfuscated and only included in full in the download package.
“The Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present,” they added.
“The resulting malicious build interferes with authentication in sshd via systemd.”
The malicious script in the tarballs is obfuscated, as are the files containing the bulk of the exploit, so this is likely no accident.
“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system. Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the “fixes” [for errors caused by the injected code in v5.6.0],” Freund commented
“Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by Linux distributions, and where they have, mostly in pre-release versions.”
Which distros are affected?
Red Hat says that the vulnerable packages are present in Fedora 41 and Fedora Rawhide, and have urged users of those distros to immediately stop using them.
“If you are using an affected distribution in a business setting, we encourage you to contact your information security team for next steps,” they said, and added that no versions of Red Hat Enterprise Linux (RHEL) are affected.
SUSE has released a fix for openSUSE users.
Debian says no stable versions of the distro are affected, but that compromised packages were part of the Debian testing, unstable and experimental distributions, and users of those should update the xz-utils packages.
“The malicious code found in the latest versions of the xz libraries show just how critical it is to have a vigilant and veteran Linux security team monitoring software supply chain channels,” Vincent Danen, VP, Product Security at Red Hat, told Help Net Security.
“Red Hat, along with CISA and other Linux distributions, were able to identify, assess and help remediate this potential threat before it posed a significant risk to the broader Linux community.”
CISA has advised developers and users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable) and to hunt for any malicious activity and report any positive findings to the agency.
UPDATE: Friday, March 29, 15:06 ET
Kali Linux announced that the impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.