Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

Bar Refael

April 3, 2024

Red Hat has issued an urgent security alert regarding a supply chain compromise in the XZ Utils data compression library, formerly known as LZMA Utils. The compromise, identified as CVE-2024-3094 with a CVSS score of 10.0, introduces a backdoor in versions 5.6.0 and 5.6.1, posing a severe risk of unauthorized remote access.

Vulnerability Details:

  • CVE ID: CVE-2024-3094
  • CVSS Score: 10.0 (Maximum Severity)
  • Affected Versions: XZ Utils 5.6.0 (Feb 24 release) and 5.6.1 (Mar 9 release)
  • Impact: Allows unauthorized remote access by modifying the liblzma library, affecting any software linked against this library, especially the sshd daemon process.

Method of Compromise:

The vulnerability involves complex obfuscations within the liblzma build process, utilizing a prebuilt object file hidden in a test file to modify liblzma functions. This modification enables specific attackers to execute arbitrary payloads via SSH before authentication, effectively hijacking the machine.

Discovery and Attribution:

Microsoft engineer and PostgreSQL developer Andres Freund reported the issue, discovered through analysis of obfuscated malicious code introduced into the XZ Utils GitHub repository by a user named Jia Tan (JiaT75).

Impact Analysis:

The malicious code specifically targets the sshd daemon process, undermining SSH authentication and potentially granting threat actors remote system access. Affected distributions include Fedora, Arch Linux, Kali Linux, openSUSE, and certain versions of Debian.

Mitigation Recommendations:

  • Immediate Downgrade: Users of affected versions are urged to downgrade to XZ Utils version 5.4.6 Stable or another uncompromised build.
  • Review and Monitor: Organizations should review their use of affected Linux distributions and monitor systems for signs of compromise.
  • Patch and Update: Stay informed on patches and updates provided by Linux distributions and apply them promptly.

Conclusion:

The backdoor introduced in XZ Utils versions 5.6.0 and 5.6.1 underlines the critical nature of supply chain security. Organizations and users must act swiftly to mitigate potential risks and safeguard their systems against unauthorized access stemming from this severe vulnerability.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Get OP Innovate CTI Alerts

Leave your email and get critical updates and alerts straight to your inbox