Red Hat warns of backdoor in XZ tools used by most Linux distros – Source: www.bleepingcomputer.com

Today, Red Hat warned users to immediately stop using systems running Fedora development versions because of a backdoor found in the latest XZ Utils data compression tools and libraries.

“PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity,” Red Hat warned on Friday.

“No versions of Red Hat Enterprise Linux (RHEL) are affected. We have reports and evidence of the injections successfully building in xz 5.6.x versions built for Debian unstable (Sid).”

Debian developers also issued a security advisory warning users about the issue. The advisory says that no stable Debian versions are using the compromised packages and that XZ has been reverted to the upstream 5.4.5 code on affected Debian testing, unstable, and experimental distributions.

Microsoft software engineer Andres Freund discovered the security issue while analyzing a Postgres performance problem on a Linux box running Debian Sid (the rolling development version of the Debian distro).

He said he has not found the exact purpose of the malicious code added to XZ versions 5.6.0 and 5.6.1 over the last month.

“I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access,” Freund said. “Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution.”

Red Hat reverts to XZ 5.4.x in Fedora Beta

Red Hat is now tracking this supply chain security vulnerability as CVE-2024-3094, assigned it a 10/10 critical severity score, and reverted to 5.4.x versions of XZ in Fedora 40 beta.

The malicious code is obfuscated and can only be found in the complete download package, not in the Git distribution, which lacks the M4 macro, which triggers the backdoor build process.

If the malicious macro is present, the second-stage artifacts found in the Git repository are injected during the build time.

“The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access,” Red Hat said.

“Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”

CISA also published an advisory today warning developers and users to downgrade to an uncompromised version (i.e. 5.4.6 Stable) and to hunt for any malicious or suspicious activity on their systems.