A backdoor was discovered in the xz compression utility commonly used in Linux distributions. Malicious code hidden in the utility package creates a critical supply chain threat that potentially exposes SSH services to unauthorized access.
Andres Freund, a principal software engineer at Microsoft, discovered the backdoor and reported it to Linux distributor Openwall Friday morning.
Malicious .m4 files added to the xz tarballs in version 5.6.0, which was released on Feb. 24, contained automake instructions for building the compression library liblzma that modified its functions to allow for unauthorized access.
These changes to liblzma can lead to sshd compromise due to many Linux distros incorporating libsystemd, which enables systemd notifications and is dependent on liblzma, into their OpenSSH implementations.
The added .m4 cmfiles were heavily obfuscated, apparently to hide their malicious function, and were added by a user who has been an active contributor to the xz project for two years.
“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system. Unfortunately, the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’ mentioned above,” Freund wrote in his report, referring to changes made to xz version 5.6.1 that aimed to fix valgrind and crashing errors that were likely caused by the backdoor itself.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) released an alert about the issue, which is tracked as CVE-2024-3094 and has a maximum CVSS score of 10, warning developers and users to downgrade xz to a safe version such as version 5.4.6 stable.
Freund noted, “Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux distributions, and where they have, mostly in pre-release versions.”
Red Hat published an urgent security alert Friday warning users to immediately stop using any instances of Fedora Rawhide due to potential compromise through xz. The alert also recommends users downgrade Fedora Linux 40 to version that uses xz 5.4, although Red Hat reports that no Fedora Linux 40 builds have been shown to be compromised. Red Hat Enterprise Linux is not affected in any version.
Freund discovered the backdoor while testing the latest unstable distribution of Debian and Debian’s security advisory confirms the compromised utility was included in its testing, unstable and experimental distributions. The advisory states the package has been reverted to version 5.4.5 and urges users to apply the update. Stable versions of Debian are not believed to be affected.
CVE-2024-3094 has also been reported to affect the HomeBrew package manager for macOS, according to Ars Technica, and Kali Linux, a distro provided by OffSec and designed for penetration testing, was confirmed to be affected between March 26 and March 29.
