Expert found a backdoor in XZ tools used many Linux distributions

Pierluigi Paganini March 30, 2024

Red Hat warns of a backdoor in XZ Utils data compression tools and libraries in Fedora development and experimental versions.

Red Hat urges users to immediately stop using systems running Fedora development and experimental versions because of a backdoor in the latest versions of the “xz” tools and libraries.

Red Hat Information Risk and Security and Red Hat Product Security determined that Fedora Linux 40 beta does use two versions of xz libraries – xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm that contains a malicious code that appears to be intended to allow unauthorized access. The experts added that Fedora 40 Linux does not appear to be affected, they encourage all Fedora 40 Linux beta users to revert to 5.4.x versions.

Microsoft engineer Andres Freund discovered the backdoor issue that was tracked as CVE-2024-3094 (CVSS score 10).

PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity. Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed. Note that Fedora Rawhide is the development distribution of Fedora Linux, and serves as the basis for future Fedora Linux builds (in this case, the yet-to-be-released Fedora Linux 41).” reads the advisory published by Red Hat warned. “At this time the Fedora Linux 40 builds have not been shown to be compromised.

XZ is a popular data compression format implemented in almost all Linux distributions, including both community-driven and commercial variants.

The malicious discovered by the researchers is obscured and is present only in the download package. The Git distribution doesn’t include the malicious code due to the lack of the M4 macro necessary for triggering the build of the malicious code.

The malicious build interferes with the authentication in sshd through systemd. Under certain conditions, an attacker can compromise sshd authentication and gain unauthorized remote access to the entire system.

The Debian security team also published an advisory about the vulnerability and confirmed that Debian stable versions are not impacted.

“Andres Freund discovered that the upstream source tarballs for xz-utils, the XZ-format compression utilities, are compromised and inject malicious code, at build time, into the resulting liblzma5 library. Right now no Debian stable versions are known to be affected. Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1.” reads th advisory. “The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1. Users running Debian testing and unstable are urged to update the xz-utils packages.”

CISA also published an advisory urging to downgrade to an uncompromised XZ version (i.e., 5.4.6 Stable) and to hunt for any malicious.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

you might also like

leave a comment