A serious security flaw in the XZ compression tool for Linux, tracked as CVE-2024-3094, consists of malicious code inserted into versions 5.6.0 and 5.6.1 of the XZ Utils library. Those versions ended up in widely used Linux distributions, including Red Hat and Debian.
In the tarballs (compressed archive files used for Linux, among other things) of the tool's versions 5.6.0 and 5.6.1, an unusual .m4 file with instructions for automake is included. That could lead to a supply chain attack when the liblzma package is built from those tarballs and then used by several tools, including sshd. Red Hat sent out a warning on Friday, as did other makers of Linux distros.
Compromising specific distributions
The backdoor was inserted by either an XZ admin or someone who compromised the administrator's system. The reason is unclear, but apparently the goal was to compromise specific distributions, since the backdoor was only applied to DEB or RPM packages for the x86-64 architecture built with gcc and the GNU linker. The utility's creators' GitHub accounts have been suspended. The backdoor was discovered by Microsoft researcher Andres Freund, who raised the alarm.
There are no known reports that these versions have been included in production releases for the major Linux distributions. Still, both Red Hat and Debian reported that recently published beta versions used at least one of the compromised versions, specifically in Fedora Rawhide and Debian Testing, Unstable and Experimental distributions. A stable version of Arch Linux was also affected, but that distribution is not used in production systems.
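The article names the two backdoored releases and notes that the affected liblzma is linked into sshd. The following POSIX shell script is an added example, not from the article or from the XZ Utils project: it parses the first line of `xz --version`, flags 5.6.0 or 5.6.1, and, where `ldd` is available, reports whether the local sshd binary links against liblzma at all. The function names and the exit status of 2 on a match are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the article): inventory check for the two
# backdoored XZ Utils releases named in CVE-2024-3094 (5.6.0 and 5.6.1).

# Return 0 (true) when the given version string is one of the two
# backdoored releases, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1" (the second line names liblzma).
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) *\([0-9][0-9.]*\).*/\1/p'
}

# Report whether the sshd binary on this host links liblzma. Returns 0 when
# it does, 1 when it does not, and 3 when sshd or ldd is unavailable.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ ! -x "$sshd_path" ] || ! command -v ldd >/dev/null 2>&1; then
        return 3
    fi
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Check the xz binary on PATH. Exit status: 0 clean or not installed,
# 2 when the installed version is one of the backdoored releases.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    v=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if xz_version_affected "$v"; then
        echo "WARNING: xz $v matches a backdoored release (CVE-2024-3094)"
        return 2
    fi
    echo "xz $v is not one of the backdoored releases"
    return 0
}

# Run the checks when executed directly; the status is kept in $status so a
# caller that sources this file can act on it.
if check_installed_xz; then status=0; else status=$?; fi
if sshd_links_liblzma; then
    echo "sshd links liblzma: an affected liblzma would be loaded into sshd"
else
    echo "sshd does not link liblzma here, or sshd/ldd is unavailable"
fi
```

The version match deliberately uses an exact `case` pattern rather than a numeric comparison, because distributions that shipped a fixed build did so under other version strings (for example by reverting), so only the two release numbers the advisory names are treated as a hit.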
That the backdoor was not found in production systems is the reason it is "not really affecting anyone in the real world," an analyst from security firm Analygence told Ars Technica. "BUT that's only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world."
Intended to bypass authentication
The malicious versions deliberately interfere with authentication performed by SSH, a widely used protocol for connecting to systems remotely. SSH provides robust encryption to ensure only authorized parties connect to a remote system.
The backdoor is designed to allow a malicious actor to bypass authentication and gain unauthorized access to the entire system. It works by inserting code during a key phase of the login process.
XZ Utils is available for most, if not all, Linux distributions, but not all distros include it by default. JiaT75, one of the two leading developers of XZ Utils, submitted the tarballs that included the malicious changes. This person has made years of contributions to the project.