Red Hat, CISA Warn of XZ Utils Backdoor

Red Hat on Friday released an “urgent security alert” warning users of malicious code embedded in certain versions of XZ Utils, a popular set of data compression software tools. Certain Fedora Linux distribution versions may be impacted, and Red Hat urged customers to immediately stop using Fedora Rawhide instances for work or personal activity.

The malicious code (which is being tracked as CVE-2024-3094) is embedded in XZ Utils versions 5.6.0 and 5.6.1, and may allow unauthorized access to impacted systems. XZ is a data compression format that’s present in most Linux distributions, both for community projects and for commercial product distributions, which helps compress large file formats so that they can be shared.

The Friday alert from Red Hat warned that the packages are present in Fedora 41 and Fedora Rawhide within the Red Hat ecosystem. Red Hat said that Fedora Linux 40 users may have received version 5.6.0, depending on the timing of system updates, while Fedora Rawhide users may have received version 5.6.0 or 5.6.1.

“Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed,” according to Red Hat’s post. “At this time the Fedora Linux 40 builds have not been shown to be compromised. We believe the malicious code injection did not take effect in these builds. However, Fedora Linux 40 users should still downgrade to a 5.4 build to be safe.”

No versions of Red Hat Enterprise Linux are affected, Red Hat said; however, “we have reports and evidence of the injections successfully building in xz 5.6.x versions built for Debian unstable (Sid). Other distributions may also be affected.”

According to a mailing list message from Debian developers on Friday, no Debian stable versions are known to be affected. However, compromised packages were part of the Debian testing, unstable and experimental distributions, and users running Debian testing and unstable are being urged to update the XZ Utils packages.

Red Hat said that the malicious code could, “under the right circumstances,” allow remote, malicious actors to break sshd authentication and gain unauthorized access to the entire impacted system.

“The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code,” according to Red Hat’s advisory. “The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present. The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access.”

CISA on Friday said it was responding to the reports of malicious code being embedded in XZ Utils along with the open source community.

“CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA,” according to CISA in a Friday alert.
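As an added defender-side check (not code from the article, Red Hat or CISA), the following POSIX shell script flags the xz versions the alerts name as backdoored and, as an assumption-based heuristic rather than anything the advisories prescribe, notes whether the local sshd binary loads liblzma, since the advisory says the malicious build reaches sshd via systemd:

```shell
#!/bin/sh
# Added example: a local check for the XZ Utils versions tied to CVE-2024-3094.
# The version list comes from the alerts; the sshd/liblzma heuristic is an assumption.

# Returns 0 (true) when the version string is one the alerts list as backdoored.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version from `xz --version` output, e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
# Takes the output as an argument so it can be tested on constructed sample text.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Live check of this host: prints a verdict and returns 1 when an affected version is installed.
check_host() {
    status=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "xz $ver is a CVE-2024-3094 version: downgrade to a 5.4.x build (CISA names 5.4.6)"
            status=1
        else
            echo "xz ${ver:-unknown}: not one of the listed affected versions"
        fi
    else
        echo "xz not installed"
    fi
    # Heuristic (assumption): sshd that links liblzma, typically through libsystemd, is the
    # configuration the advisory describes; it is a reason to look closer, not proof of compromise.
    sshd_bin=$(command -v sshd 2>/dev/null || true)
    [ -n "$sshd_bin" ] || { [ -x /usr/sbin/sshd ] && sshd_bin=/usr/sbin/sshd; } || true
    if [ -n "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_bin" 2>/dev/null | grep -q liblzma; then
            echo "note: $sshd_bin links liblzma; review the xz version reported above"
        fi
    fi
    return $status
}

check_host
```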

Article Link: Red Hat, CISA Warn of XZ Utils Backdoor | Decipher