Red Hat issued an urgent security alert regarding two versions of XZ Utils, a data compression library, found to contain a malicious backdoor. Tracked as CVE-2024-3094, the backdoor, with a maximum severity score of 10.0, affects versions 5.6.0 and 5.6.1, potentially allowing unauthorized remote access. The nefarious code targets SSHD via systemd, posing a serious risk of system compromise under specific circumstances. Notably, Fedora Linux 40 users are advised to downgrade to mitigate the threat, with other impacted distributions urged to take similar precautions.
Microsoft security researcher Andres Freund discovered and reported the issue, tracing the introduction of the malicious code over a series of commits to the Tukaani Project on GitHub. The code, heavily obfuscated, raises concerns about the security of the project’s systems or direct involvement of the committer. GitHub has taken action by disabling the XZ Utils repository due to a violation of its terms of service, although no active exploitation in the wild has been reported.
Evidence suggests that the compromised packages are limited to Fedora 41 and Fedora Rawhide, sparing other major Linux distributions like Red Hat Enterprise Linux (RHEL), Ubuntu, and Debian Stable. However, Arch Linux, Kali Linux, openSUSE Tumbleweed, Debian testing, and others are among those impacted by the supply chain attack. As a precautionary measure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) advises users to downgrade to uncompromised versions of XZ Utils to mitigate the risk of unauthorized access.
