**Backdoor**: Urgent Security Alert – Popular Data Compression Library Compromised with Malicious Code, Red Hat Warns

Red Hat issued an urgent security alert on Friday, warning about a supply chain attack affecting two versions of the XZ Utils data compression library. The compromised versions, 5.6.0 and 5.6.1, were found to contain malicious code allowing unauthorized remote access. The issue, tracked as CVE-2024-3094, carries the maximum CVSS score of 10.0.

According to Red Hat, the malicious code was introduced into the library through complex obfuscations and could enable interception and modification of data interactions, specifically targeting the sshd daemon process for Secure Shell (SSH) through the systemd software suite. Under certain conditions, this backdoor could grant threat actors unauthorized access to affected systems.

Andres Freund, a Microsoft security researcher, played a crucial role in discovering and reporting the issue. The malicious code was introduced over several weeks, through a series of commits to the Tukaani Project’s GitHub repository by a user named JiaT75, raising concerns that the committer's account was either compromised or that the committer was directly involved.

Following the discovery, GitHub took action by disabling the XZ Utils repository maintained by the Tukaani Project due to a breach of its terms of service. While there have been no reports of active exploitation in the wild, Fedora 41 and Fedora Rawhide users are advised to downgrade to a secure version to mitigate potential risks.

The affected packages are limited to Fedora Linux distributions; other systems such as Red Hat Enterprise Linux, Debian Stable, Amazon Linux, and SUSE Linux Enterprise and Leap are not affected. However, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert recommending that users downgrade XZ Utils to a safe version amid growing concerns about supply chain compromises.
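
A local check for the two versions named above, as an added example that is not part of the original article or of Red Hat's advisory. It assumes the usual two-line `xz --version` output (an `xz` line and a `liblzma` line); the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Versions the advisory names as compromised (CVE-2024-3094).
BAD_VERSIONS="5.6.0 5.6.1"

# Constructed sample of `xz --version` output, used when xz is not installed.
SAMPLE='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Read `xz --version`-style text on stdin; print each distinct version string.
extract_versions() {
    grep -Eo '[0-9]+\.[0-9]+\.[0-9]+[a-z]*' | sort -u
}

# classify_version VERSION: print "affected" on an exact match, else "ok".
classify_version() {
    for bad in $BAD_VERSIONS; do
        if [ "$1" = "$bad" ]; then echo affected; return 0; fi
    done
    echo ok
}

# Read version text on stdin, print "VERSION VERDICT" per version found,
# and return 1 if any reported component (xz or liblzma) is affected.
audit_xz_output() {
    rc=0
    for v in $(extract_versions); do
        verdict=$(classify_version "$v")
        echo "$v $verdict"
        if [ "$verdict" = affected ]; then rc=1; fi
    done
    return $rc
}

# Audit the local install if xz is present, otherwise the constructed sample.
if command -v xz >/dev/null 2>&1; then
    xz --version | audit_xz_output || echo "downgrade XZ Utils (CVE-2024-3094)"
else
    printf '%s\n' "$SAMPLE" | audit_xz_output || echo "sample output is affected"
fi
```

The check matches the upstream version string only, so both the command-line tool and the `liblzma` library line are inspected; a mismatch between the two is reported per component.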

In response to the security incident, the open-source community has been vigilant in addressing the issue to prevent further exploitation and safeguard users from potential cyber threats. The proactive measures taken by security researchers and organizations underscore the importance of maintaining the integrity and security of software supply chains in the face of evolving cybersecurity challenges.