Backdoor Alert: Red Hat Warns of Malicious Code in Fedora Linux 40 – Take Action Now!

Raleigh, North Carolina – Red Hat issued a warning on Friday regarding a backdoor discovered in the xz data compression software library, which may affect instances of Fedora Linux 40 and the Fedora Rawhide developer distribution. The IT company revealed that the malicious code in xz versions 5.6.0 and 5.6.1 could provide unauthorized remote access via OpenSSH and systemd. This vulnerability, identified as CVE-2024-3094 and rated 10 out of 10 on the CVSS scale, poses a significant risk to users.

According to Red Hat, users of Fedora Linux 40 may have unknowingly received the infected version 5.6.0, while users of Fedora Rawhide, the developmental version of Fedora Linux 41, may have received version 5.6.1. Neither Fedora 40 nor 41 has been officially released yet. Users of other Linux and OS distributions are advised to verify which version of the xz suite they have installed to prevent any potential security breaches.

The compromised xz versions, 5.6.0 and 5.6.1, were released in late February and early March, respectively, suggesting that relatively few deployments have incorporated the infected software. While the supply-chain compromise raises concerns, the early discovery of the backdoor may have prevented widespread exploitation, with the impact largely limited to cutting-edge distributions that promptly adopted the latest xz versions.

Debian Unstable and Kali Linux have confirmed being impacted by the vulnerability, signaling a widespread concern across various Linux distributions. Red Hat advises users to take immediate action to identify and remove any compromised versions of xz to mitigate the risk of unauthorized access or cyber threats. Fedora Rawhide users are urged to stop using affected instances until the xz-5.4.x version is restored and available for deployment.
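A defensive check for the advice above, verifying the installed xz version and flagging the two backdoored releases, as an added example and not code from Red Hat's advisory or the xz project; it assumes a POSIX shell, `xz --version` and `rpm -q` output in their usual formats, and uses constructed sample strings.

```shell
# Added example, not code from Red Hat's advisory: a defensive check for the
# backdoored xz releases named above (5.6.0 and 5.6.1, CVE-2024-3094).
# Assumes a POSIX shell; the sample strings in this block are constructed.

# Return 0 (true) when a bare version string is one of the affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1" (the last whitespace-separated field).
parse_xz_version_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Extract the upstream version from an RPM name-version-release string as
# printed by `rpm -q xz`, e.g. "xz-5.6.0-1.fc40.x86_64" -> "5.6.0".
parse_rpm_nvr() {
    printf '%s\n' "$1" | sed 's/^xz-\([0-9][0-9.]*\)-.*/\1/'
}

# Classify one version string; prints a verdict and returns 1 when affected.
report_xz_version() {
    if xz_version_affected "$1"; then
        echo "xz $1: backdoored release (CVE-2024-3094), downgrade to xz-5.4.x"
        return 1
    fi
    echo "xz ${1:-unknown}: not one of the affected releases"
    return 0
}

# Check the running system: ask the binary first, then the RPM database.
check_installed_xz() {
    ver=$(parse_xz_version_output "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ] && nvr=$(rpm -q xz 2>/dev/null); then
        ver=$(parse_rpm_nvr "$nvr")
    fi
    report_xz_version "$ver"
}

# Constructed sample of `xz --version` output from an affected Rawhide build,
# used here to demonstrate the classifier without touching the host.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
report_xz_version "$(parse_xz_version_output "$SAMPLE_XZ_OUTPUT")" || true
```

On a real host, call `check_installed_xz`; it exits non-zero when the installed xz is one of the two affected releases, which makes it usable from fleet-wide inventory scripts.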

It is crucial to note that Red Hat Enterprise Linux (RHEL) remains unaffected by the security vulnerability present in xz versions 5.6.0 and 5.6.1. The malicious code is disguised within the source code tarball: during the build process, an M4 macro turns second-stage artifacts stored in the Git repository into the harmful payload. Once the tainted xz library is distributed and installed, it could potentially manipulate OpenSSH daemon operations, compromising system security.

Andres Freund, a PostgreSQL developer and committer, discussed the vulnerability in detail, emphasizing the potential risks associated with the backdoor. Speculation surrounding the origins of the malicious code, possibly linked to a sophisticated attacker or nation-state agency, has raised concerns within the cybersecurity community. The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory in response to the reported supply-chain compromise affecting xz utilities.