Last week, a critical security alert was issued by Red Hat concerning two versions of the widely used data compression library, XZ Utils. The alert revealed that these versions have been compromised with malicious code, potentially allowing unauthorized remote access.
Details of the Compromise
The software supply chain compromise, identified as CVE-2024-3094, carries a CVSS score of 10.0, signifying maximum severity. The affected versions are XZ Utils 5.6.0 (released on February 24) and 5.6.1 (released on March 9).
The build process of liblzma, through a series of intricate obfuscations, extracts a prebuilt object file from a disguised test file present in the source code. This object file is then used to alter specific functions in the liblzma code. The result is a modified liblzma library that can be used by any software linked against this library, intercepting and altering the data interaction with this library.
Impact of the Malicious Code
The malicious code embedded in the library is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite. This could potentially enable a threat actor to bypass sshd authentication and gain unauthorized access to the system remotely under certain conditions.
The ultimate aim of the malicious backdoor introduced by CVE-2024-3094 is to inject code into the OpenSSH server (SSHD) that runs on the victim machine. This would allow specific remote attackers (that own a specific private key) to send arbitrary payloads through SSH which will be executed before the authentication step, effectively taking over the entire victim machine.
Discovery and Reporting
Microsoft engineer and PostgreSQL developer Andres Freund is credited with discovering and reporting the issue. The heavily obfuscated malicious code is said to have been introduced over a series of source code commits to the Tukaani Project on GitHub by a user named Jia Tan (JiaT75).
Freund noted that the committer is either directly involved or there was a severe compromise of their system. The latter seems less likely, given their communication on various lists about the ‘fixes.’
GitHub, owned by Microsoft, has since disabled the XZ Utils repository maintained by the Tukaani Project due to a violation of GitHub’s terms of service. As of now, there are no reports of active exploitation in the wild.
Impacted Distributions
Evidence shows that the packages are only present in Fedora 41 and Fedora Rawhide, and do not impact distributions like Alpine Linux, Amazon Linux, Debian Stable, Gentoo Linux, Linux Mint, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise and Leap, and Ubuntu.
Fedora Linux 40 users have been advised to downgrade to a 5.4 build as a precautionary measure. Some of the other Linux distributions impacted by the supply chain attack are:
- Arch Linux (installation medium 2024.03.01, virtual machine images 20240301.218094 and 20240315.221711, and container images created between and including 2024-02-24 and 2024-03-28)
- Kali Linux (between March 26 and 29)
- openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and 28)
- Debian testing, unstable, and experimental versions (from 5.5.1alpha-0.1 to 5.6.1-1)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).
