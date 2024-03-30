



Red Hat warned Friday that a malicious backdoor found in the widely used data compression software library xz may be present in instances of Fedora Linux 40 and the Fedora Rawhide developer distribution.

The IT giant said malicious code exists in xz 5.6.0 and 5.6.1 that appears to provide remote backdoor access, at least via OpenSSH and systemd. The vulnerability has been designated CVE-2024-3094 and carries a CVSS severity rating of 10 out of 10.

According to Red Hat, Fedora Linux 40 users may have received 5.6.0 depending on the timing of their system updates. Additionally, users of Fedora Rawhide, the current development version of Fedora Linux 41, may have received 5.6.1. Fedora 40 and 41 are not officially released yet. Version 40 is expected to be released next month.

Users of other Linux and OS distributions should check which version of the xz suite is installed. The compromised versions 5.6.0 and 5.6.1 were released on February 24th and March 9th, respectively, but may not yet be present in many deployments.

This supply chain breach may have been discovered early enough to prevent widespread exploitation, and is likely to primarily affect only cutting-edge distributions that quickly picked up the latest xz version.

Debian Unstable and Kali Linux have been suggested to be affected, as well as Fedora. All users should take steps to identify and remove backdoored builds of xz.
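One way to carry out the version check the article calls for, as an added example that is not from the article, Red Hat or the xz project: a POSIX shell script that parses `xz --version` output and flags the two releases named above (5.6.0 and 5.6.1). The assumed output format (a first line ending in the tool version, followed by a `liblzma X.Y.Z` line) matches current XZ Utils builds; the two sample outputs at the bottom are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not code from the original article or from the xz project).
# Flags an installed xz / liblzma whose version is one of the compromised
# releases named in the advisory. Assumes `xz --version` prints, e.g.:
#   xz (XZ Utils) 5.4.6
#   liblzma 5.4.6

AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"   # releases named in the advisory

# xz_version_affected VERSION: exit status 0 if VERSION is a compromised release.
xz_version_affected() {
    for bad in $AFFECTED_XZ_VERSIONS; do
        if [ "$1" = "$bad" ]; then
            return 0
        fi
    done
    return 1
}

# parse_xz_version: reads `xz --version` output on stdin and prints the version
# from the first line (the xz tool itself), or "unknown" if it cannot be parsed.
parse_xz_version() {
    v=$(sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# parse_liblzma_version: same for the "liblzma X.Y.Z" line. The library is the
# component sshd ends up loading via systemd, so it is the one that matters most.
parse_liblzma_version() {
    v=$(sed -n 's/^liblzma[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# classify_xz_output: reads `xz --version` output on stdin, prints one line
# starting with AFFECTED or OK, and exits non-zero when either component matches.
classify_xz_output() {
    out=$(cat)
    tool=$(printf '%s\n' "$out" | parse_xz_version)
    lib=$(printf '%s\n' "$out" | parse_liblzma_version)
    if xz_version_affected "$tool" || xz_version_affected "$lib"; then
        printf 'AFFECTED xz=%s liblzma=%s\n' "$tool" "$lib"
        return 1
    fi
    printf 'OK xz=%s liblzma=%s\n' "$tool" "$lib"
    return 0
}

# check_local_xz: runs the real xz on this host, if it is installed.
check_local_xz() {
    if command -v xz >/dev/null 2>&1; then
        xz --version 2>/dev/null | classify_xz_output
    else
        echo "xz not installed"
    fi
}

# Constructed sample outputs for illustration (not captured from real hosts).
SAMPLE_CLEAN="xz (XZ Utils) 5.4.6
liblzma 5.4.6"
SAMPLE_BAD="xz (XZ Utils) 5.6.1
liblzma 5.6.1"
```

Run `check_local_xz` on each host, or pipe saved `xz --version` output into `classify_xz_output` when auditing a fleet from collected inventory. The binary's self-reported version is a quick triage signal; the package manager is the authoritative source (for example `rpm -q xz xz-libs` on Fedora or `dpkg -l liblzma5 xz-utils` on Debian-based systems), and a host that reports an affected version should be treated as compromised rather than merely downgraded, as Red Hat's guidance on Rawhide implies.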

Today's advisory from the IBM subsidiary shouted from the rooftops: “IMMEDIATELY STOP USING YOUR FEDORA RAWHIDE INSTANCES FOR WORK OR PERSONAL ACTIVITIES.” “Fedora Rawhide will be reverted to xz-5.4.x soon. Once that is complete, you can safely redeploy your Fedora Rawhide instances.”

Red Hat Enterprise Linux (RHEL) is not affected.

According to Red Hat, the malicious code in xz versions 5.6.0 and 5.6.1 is obfuscated and resides entirely in the source code tarball. A second-stage artifact in the Git repository is converted into malicious code through an M4 macro in the repository during the build process. Once distributed and installed, the resulting poisoned xz library can be used unwittingly by software such as systemd in the operating system. The malware appears to be designed to modify the behavior of the OpenSSH server daemon, which uses the library via systemd.

“The resulting malicious build interferes with authentication with sshd via systemd,” Red Hat explains. “SSH is a protocol commonly used to connect to systems remotely, and sshd is the service that allows access.”

This authentication interference could allow a bad actor to defeat sshd authentication and gain unauthorized remote access to the affected system. In summary, the backdoor appears to work as follows: the Linux machine installs the backdoored xz library, specifically liblzma, and this dependency is eventually used by the OpenSSH daemon on the computer. At that point, the poisoned xz library could interfere with the daemon, potentially allowing an unauthorized bad actor to log in remotely.

Red Hat states:

A post on the Openwall security mailing list by PostgreSQL developer and committer Andres Freund explores this vulnerability in more detail.


“The backdoor first intercepts execution by replacing the ifunc resolvers crc32_resolve(), crc64_resolve() with other code that calls _get_cpuid(), which is injected into the code (previously just a static inline function). In xz 5.6.1, the backdoor symbol names were removed and further obfuscated,” Freund explains, noting that he is not a security researcher or reverse engineer.

Freund speculated that the code “will likely allow some form of access or remote code execution.”

Details such as the account name associated with the commits in question and the times those commits were made suggest that the author of the malicious code is a sophisticated attacker and likely not affiliated with a state agency, though this remains speculation.

The US government's Cybersecurity and Infrastructure Security Agency (CISA) has already issued recommendations.

