NY Press News

“Unveiling CVE-2024-3094: The Threat of Malicious Code in xz Libraries and Its Implications for Linux Distributions”

The vulnerability stems from malicious code embedded in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries, inadvertently discovered by Andres Freund, a PostgreSQL developer and software engineer at Microsoft.


Freund shared via the oss-security mailing list that he noticed unusual behavior in liblzma (part of the xz package) on Debian sid installations, such as high CPU usage during SSH logins and Valgrind errors, leading him to suspect foul play: “The upstream xz repository and the xz tarballs have been backdoored.”

About CVE-2024-3094

According to Red Hat, the malicious injection in the vulnerable library versions is obfuscated and fully included only in the download package.

“The Git distribution lacks the CVE-2024-3094 M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present,” they elaborated. “The resulting malicious build disrupts authentication in sshd via systemd.” The malicious script in the tarballs is obscured, as are the files containing the main exploit, indicating deliberate action.

“Considering the ongoing activity over several weeks, the committer is either directly complicit or their system has been severely compromised. Unfortunately, the latter seems less likely, given their communication on various lists about the ‘fixes’ for errors caused by the injected code in v5.6.0,” Freund remarked.

“Fortunately, xz 5.6.0 and 5.6.1 have not been widely integrated into Linux distributions yet, and where they have, it’s mostly in pre-release versions.”

Affected Distributions

Red Hat warned that the vulnerable packages are found in Fedora 41 and Fedora Rawhide, urging users to cease their use immediately.

“If you are utilizing an affected distribution in a corporate environment, we recommend reaching out to your information security team for further guidance,” they advised, noting that no versions of Red Hat Enterprise Linux (RHEL) are impacted.

SUSE has issued a fix for openSUSE users.

Debian clarified that no stable versions of the distribution are affected. However, compromised packages were included in the Debian testing, unstable, and experimental distributions, prompting users of those versions to update the xz-utils packages.

“The discovery of malicious code in the recent versions of the xz libraries underscores the critical importance of maintaining a vigilant and experienced Linux security team to monitor software supply chain channels,” remarked Vincent Danen, VP of Product Security at Red Hat.

“Red Hat, in collaboration with CISA and other Linux distributions, successfully identified, evaluated, and aided in mitigating this potential threat before it posed a significant risk to the wider Linux community.”

CISA recommended developers and users revert to an uncompromised version of XZ Utils (e.g., XZ Utils 5.4.6 Stable) and conduct thorough checks for any malicious activity, reporting any findings to the agency.
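
A version check built on the affected releases named above (5.6.0 and 5.6.1), as an added example that is not part of the original article. It reads the package database instead of running xz. The package names queried (xz-utils and liblzma5 for Debian, xz and xz-libs for Fedora) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag the xz releases the article names for CVE-2024-3094.
AFFECTED="5.6.0 5.6.1"   # versions stated in the article

# Reduce a distro package version to its upstream part: drop a Debian
# epoch ("1:") and everything from the first "-" (Debian/RPM revision).
xz_upstream_version() {
    set -- "${1#*:}"
    printf '%s\n' "${1%%-*}"
}

# Exit status 0 if the package version is one of the affected releases.
xz_is_affected() {
    for bad in $AFFECTED; do
        [ "$(xz_upstream_version "$1")" = "$bad" ] && return 0
    done
    return 1
}

# List "name version" pairs from the package database, so the suspect
# xz binary itself is never executed. Package names are assumptions.
installed_xz_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' xz xz-libs 2>/dev/null |
            grep -v 'not installed'
    fi
    return 0
}

# Print one line per installed package; status 1 if any is affected.
report_xz() {
    installed_xz_versions | (
        found=0
        while read -r name ver; do
            [ -n "$ver" ] || continue
            if xz_is_affected "$ver"; then
                echo "AFFECTED $name $ver (revert, e.g. to 5.4.6)"; found=1
            else
                echo "ok       $name $ver"
            fi
        done
        exit "$found"
    )
}

report_xz || echo "CVE-2024-3094: affected xz package installed" >&2
```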
