NEWS  Security  March 30, 2024  Reading time: 2 Minute(s)

Max (RS editor)

In a recent cautionary advisory, Red Hat raised the alarm regarding a malicious backdoor discovered within the widely utilized data compression software library, xz. The warning specifically pertains to potential vulnerabilities lurking within instances of Fedora Linux 40 and the Fedora Rawhide developer distribution.

The malicious code, capable of providing remote backdoor access through OpenSSH and systemd, has been identified in xz versions 5.6.0 and 5.6.1. This critical vulnerability, labeled CVE-2024-3094 and rated 10 out of 10 in CVSS severity, underscores the urgency for users to take immediate action.

According to Red Hat, users of Fedora Linux 40 may have unwittingly incorporated version 5.6.0, dependent on the timing of their system updates. Similarly, users engaged with Fedora Rawhide, the ongoing development iteration set to evolve into Fedora Linux 41, may have integrated version 5.6.1. Notably, neither Fedora 40 nor 41 has been officially released yet, with version 40 slated for release in the coming month.

While the supply-chain compromise poses a significant threat, there is a glimmer of hope in its early detection, potentially curtailing widespread exploitation. However, vigilance remains imperative, particularly for users of bleeding-edge distributions such as Fedora and other Linux variants.

Echoing Red Hat's advisory, Debian Unstable and Kali Linux have acknowledged susceptibility to the compromise, necessitating prompt action from all users to identify and eradicate any compromised instances of the xz library.

The gravity of the situation is underscored by Red Hat's emphatic plea to cease the usage of any Fedora Rawhide instances for both professional and personal endeavors until remedial measures are implemented. Assurance is provided that Fedora Rawhide will swiftly revert to a safe xz-5.4.x version, allowing for the secure redeployment of instances.

Fortunately, Red Hat Enterprise Linux (RHEL) remains unaffected by this threat. The obfuscated nature of the malicious code, primarily present in the source code tarball of xz versions 5.6.0 and 5.6.1, highlights the sophistication of the attack. Second-stage artifacts within the Git repository are manipulated during the build process, resulting in the unwitting distribution and installation of the tainted xz library.

The modus operandi of the backdoor revolves around intercepting execution and meddling with authentication processes within OpenSSH daemons via systemd. This interference, if exploited, could potentially grant unauthorized access to compromised systems, presenting a grave security risk.

A detailed analysis by Andres Freund, a prominent PostgreSQL developer, sheds light on the intricacies of the vulnerability, suggesting the possibility of remote code execution facilitated by the backdoor. Speculation regarding the origin of the malicious code points towards a sophisticated attacker, potentially affiliated with a nation-state agency, given the meticulous execution and timing of the compromise.