    Secret backdoor discovered in XZ Utils library, affecting major Linux distributions

    By techempire

    March 30, 2024 | Editorial Department | Linux / supply chain attacks

    Red Hat issued an “urgent security alert” on Friday, warning that two versions of the popular data compression library XZ Utils (formerly LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.

    The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating the highest severity. It affects XZ Utils versions 5.6.0 (released on February 24) and 5.6.1 (released on March 9).

    “Through a complex series of obfuscations, the liblzma build process extracts pre-built target files from disguised test files present in the source code and then uses them to modify specific functions in the liblzma code,” the IBM subsidiary said in an announcement.

    “This results in a modified liblzma library that can be used by any software linked with the library to intercept and modify data interactions with the library.”

    Specifically, the malicious code is designed to interfere with the sshd daemon for SSH (Secure Shell) via the systemd software suite, and could potentially enable threat actors to subvert sshd authentication and obtain unauthorized remote access to the system “under the right circumstances.”

    Microsoft security researcher Andres Freund is believed to have discovered and reported the issue on Friday. The heavily obfuscated malicious code is said to have been introduced by a user named JiaT75 through a series of four commits to the Tukaani project on GitHub.

    “Given that the campaign lasted for several weeks, the committers were either directly involved or had some pretty serious damage to their systems,” Freund said. “It’s unfortunate, considering they communicated on various lists about the ‘fixes,’ and the latter seems unlikely to be the explanation.”

    Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani project “due to violation of GitHub’s terms of service.” There have been no reports of active use in the wild.

    Evidence suggests that these packages only exist in Fedora 41 and Fedora Rawhide and do not affect Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, and SUSE Linux Enterprise and Leap.

    Out of an abundance of caution, Fedora Linux 40 users are advised to downgrade to version 5.4. Some other Linux distributions affected by the supply chain attack are as follows:

    This development prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue its own alert urging users to downgrade XZ Utils to an unaffected version (e.g., XZ Utils 5.4.6 Stable).
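
The check below is an added example, not code from Red Hat, CISA or the XZ project: it compares what `xz --version` reports, and the liblzma build that `sshd` loads, against the two affected releases named above. The function names are hypothetical, and `/usr/sbin/sshd` is an assumed fallback path.

```shell
#!/bin/sh
# Added example: triage a host for the XZ Utils releases named above.
# Function names are hypothetical; the version list comes from the article.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Succeeds when $1 is one of the backdoored releases.
is_affected_version() {
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# stdin: `xz --version` text. Prints the xz and liblzma versions it reports
# (the CLI and the shared library are listed separately and can differ).
versions_from_xz_output() {
    sed -nE 's/^(xz \(XZ Utils\)|liblzma) ([0-9]+\.[0-9]+\.[0-9]+).*/\2/p'
}

# stdin: `ldd <binary>` text. Prints the resolved liblzma path, if any.
liblzma_path_from_ldd() {
    awk '$1 ~ /^liblzma\.so/ && $2 == "=>" { print $3; exit }'
}

# Prints the release encoded in a library file name such as liblzma.so.5.6.1.
version_from_library_path() {
    printf '%s\n' "$1" | sed -nE 's/.*liblzma\.so\.([0-9]+\.[0-9]+\.[0-9]+)$/\1/p'
}

# stdin: versions, one per line. Prints AFFECTED, OK or UNKNOWN (no input).
verdict() {
    seen=0
    while read -r ver; do
        [ -n "$ver" ] || continue
        seen=1
        if is_affected_version "$ver"; then echo AFFECTED; return 0; fi
    done
    if [ "$seen" -eq 1 ]; then echo OK; else echo UNKNOWN; fi
}

# Live check: the CLI report plus the library that sshd actually loads.
triage_host() {
    {
        command -v xz >/dev/null 2>&1 && xz --version | versions_from_xz_output
        sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
        lib=$(ldd "$sshd_bin" 2>/dev/null | liblzma_path_from_ldd)
        [ -n "$lib" ] && version_from_library_path "$(readlink -f "$lib")"
    } | verdict
}
```

Source the file and call `triage_host` on the host being checked; `UNKNOWN` means no XZ Utils or liblzma version could be determined.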
