Take Care! A Backdoor Detected in XZ Utilities Used by Numerous Linux Distributions (CVE-2024-3094)
Be careful! A backdoor has been found in the XZ utilities shipped by several Linux distributions (CVE-2024-3094).
Most Linux distributions ship the XZ utilities, which contain a vulnerability (CVE-2024-3094) that Red Hat has said “may potentially enable a malicious actor to bypass sshd authentication and gain unauthorized access to the entire system.”
The vulnerability stems from malicious code that Microsoft software engineer and PostgreSQL developer Andres Freund discovered by chance in versions 5.6.0, released at the end of February, and 5.6.1, released on March 9.
“In the past weeks, after observing some strange behaviors around liblzma (part of the XZ package) installations on Debian Sid (lots of CPU-intensive logins with SSH, weird Valgrind errors), I traced it back: the upstream XZ repository and the XZ tarballs have been backdoored,” he announced on the oss-security mailing list.
Red Hat notes that the malicious injection in the affected library versions (CVE-2024-3094) is obfuscated and is included in full only in the downloadable tarball.
The Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are nevertheless present in the Git repository, Red Hat said, and are injected at build time whenever the malicious M4 macro is present.
“As a result, the vulnerable build system intervenes in SSHD authentication,” they stated.
The full impact is still unclear, because the injection script in the tarball is obfuscated and relies on large obfuscated files.
“Committers are either directly participating or their systems have been seriously compromised, based on the behavior of the last few weeks. They have discussed the ‘solutions’ [for problems caused by inserted code in v5.6.0] on multiple threads, so sadly, it doesn’t seem like the response will provide much clarity,” Freund remarked.
Thankfully, Linux distributions haven’t fully adopted xz 5.6.0 and 5.6.1 yet; where the affected versions were picked up, it was mainly in testing and development releases rather than stable ones.
What distributions are impacted?
Red Hat warns that Fedora 41 and Fedora Rawhide contain the vulnerable packages and advises users to stop using these distributions right away.
Red Hat Enterprise Linux (RHEL) is unaffected. “If you are using an affected distribution in a professional setting, we encourage you to contact your information security team for next steps,” the statement reads.
SUSE has published a fix for openSUSE users.
Debian warns users to upgrade the xz-utils package and notes that no stable version of the distribution has been impacted. Compromised packages were present in the testing, unstable, and experimental releases of Debian.
Red Hat’s product security lead, Vincent Danen, stated to Help Net Security, “The discovery of malicious code in the latest versions of XZ utilities underscores how crucial it is to have a vigilant and experienced Linux security team monitoring software supply chain channels.”
“Before it posed a serious concern, Red Hat, CISA, and other Linux distributions were able to recognize, evaluate, and lessen this possible harm to the larger Linux community,” he continued.
CISA has urged developers and users to downgrade XZ utilities to an unaffected version (such as the stable XZ Utils 5.4.6), look for any malicious activity, and report any positive findings to the agency.
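As an added example (not from the article, Red Hat or CISA), a POSIX shell triage helper for the check-and-downgrade step above: it flags the backdoored 5.6.0 and 5.6.1 releases in `xz --version` output and reports whether the local sshd links liblzma, which is the path by which the backdoor reached sshd on distributions whose sshd is linked against libsystemd. The sample version output strings are constructed.

```shell
#!/bin/sh
# CVE-2024-3094 triage helper (added example; not the article's or CISA's code).
# Assumption: `xz --version` prints lines such as "xz (XZ Utils) 5.6.1" and
# "liblzma 5.6.1", with the version number as the last field of each line.

# Constructed sample outputs used for self-checks below.
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Print the version number found on each non-empty line of `xz --version` output.
xz_versions() {
    printf '%s\n' "$1" | awk 'NF { print $NF }'
}

# Return 0 when any reported component (xz or liblzma) is a backdoored release.
xz_output_affected() {
    for v in $(xz_versions "$1"); do
        case "$v" in 5.6.0|5.6.1) return 0 ;; esac
    done
    return 1
}

# Return 0 if the sshd binary at $1 links liblzma (exposure path for the backdoor
# on systemd-patched sshd builds); returns 1 when sshd or ldd is unavailable.
sshd_links_liblzma() {
    [ -x "$1" ] && ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Live check of this host; only runs the pieces whose tools are present.
triage_host() {
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null)
        if xz_output_affected "$out"; then
            echo "AFFECTED: backdoored xz/liblzma release installed:"; echo "$out"
        else
            echo "xz/liblzma not in the backdoored set (5.6.0, 5.6.1):"; echo "$out"
        fi
    fi
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if sshd_links_liblzma "$sshd_bin"; then
        echo "sshd at $sshd_bin links liblzma: exposure path present if liblzma is 5.6.x"
    else
        echo "sshd does not link liblzma (or sshd/ldd not found)"
    fi
}

triage_host
```

Downgrading to 5.4.6 (or the distribution's patched package) and re-running the helper should turn an AFFECTED result into the "not in the backdoored set" line.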