Red Hat on Friday released an "urgent security alert" warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.
The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).
"Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code," the IBM subsidiary said in an advisory.
"This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."
Specifically, the nefarious code baked into the code is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely "under the right circumstances."
"The end goal of the malicious backdoor introduced by CVE-2024-3094, is to inject code to the OpenSSH server (SSHD) that runs on the victim machine, and allow specific remote attackers (that own a specific private key) to send arbitrary payloads through SSH which will be executed before the authentication step, effectively hijacking the entire victim machine," JFrog said.
Microsoft engineer and PostgreSQL developer Andres Freund has been credited with discovering and reporting the issue on Friday. The heavily obfuscated malicious code is said to have been introduced over a series of source code commits to the Tukaani Project on GitHub by a user named Jia Tan (JiaT75).
"Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system," Freund said. "Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the 'fixes.'"
Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani Project "due to a violation of GitHub's terms of service." There are currently no reports of active exploitation in the wild.
Evidence shows that the packages are only present in Fedora 41 and Fedora Rawhide, and do not impact distros like Alpine Linux, Amazon Linux, Debian Stable, Gentoo Linux, Linux Mint, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise and Leap, and Ubuntu.
Out of an abundance of caution, Fedora Linux 40 users have been recommended to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are below -
- Arch Linux (installation medium 2024.03.01, virtual machine images 20240301.218094 and 20240315.221711, and container images created between and including 2024-02-24 and 2024-03-28)
- Kali Linux (between March 26 and 29)
- openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and 28)
- Debian testing, unstable, and experimental versions (from 5.5.1alpha-0.1 to 5.6.1-1)
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert of its own, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).
(The story was updated after publication to update the list of Linux distributions impacted by CVE-2024-3094.)