Beware! Backdoor Found in XZ Utilities Used by Many Linux Distros (CVE-2024-3094)
A vulnerability (CVE-2024-3094) has been discovered in XZ Utils, the XZ format compression utilities that are included in most Linux distributions. This vulnerability, as warned by Red Hat, may allow a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.
The cause of the vulnerability has been identified as malicious code present in versions 5.6.0 and 5.6.1 of the xz libraries. This code was accidentally found by Andres Freund, a PostgreSQL developer and software engineer at Microsoft. Freund shared his discovery via the oss-security mailing list after observing unusual symptoms around liblzma on Debian sid installations.
According to Red Hat, the malicious injection in the vulnerable versions of the libraries is obfuscated and only included in full in the download package. The Git distribution lacks the M4 macro that triggers the build of the malicious code, and the resulting malicious build interferes with authentication in sshd via systemd.
Freund commented that the activity over several weeks suggests that the committer is either directly involved or there was a severe compromise of their system. Fortunately, xz 5.6.0 and 5.6.1 have not yet widely been integrated by Linux distributions.
Red Hat has identified the vulnerable packages in Fedora 41 and Fedora Rawhide, urging users of those distros to immediately stop using them. They have also encouraged affected businesses to contact their information security team for next steps. However, no versions of Red Hat Enterprise Linux (RHEL) are affected. SUSE has released a fix for openSUSE users, and Debian has confirmed that no stable versions of the distro are affected. Compromised packages were part of the Debian testing, unstable, and experimental distributions, and users of those should update the xz-utils packages.
The discovery of malicious code in the latest versions of the xz libraries highlights the critical importance of maintaining vigilance and expertise in cybersecurity.