Urgent: Secret Backdoor Found in XZ Utils Library; Linux Versions

Which Linux distributions are affected by the backdoor found in the library?


On Friday, Red Hat issued an “urgent security alert” warning that two versions of the popular data compression library XZ Utils (formerly LZMA Utils) had been backdoored with malicious code designed to allow unauthorised remote access.

The software supply chain breach, identified as CVE-2024-3094, has a CVSS score of 10.0, signifying the highest severity. It affects XZ Utils versions 5.6.0 (published February 24) and 5.6.1 (released March 9).

“Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code,” the subsidiary of IBM said in a press release.


“This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.”

Specifically, the malicious code embedded in the library is intended to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, potentially allowing a threat actor to bypass sshd authentication and gain unauthorised remote access to the system “under the right circumstances.”

Microsoft security researcher Andres Freund is credited with identifying and reporting the problem on Friday. The deeply obfuscated malicious code is alleged to have been introduced to the Tukaani Project on GitHub by a user called JiaT75 during four separate pushes.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” he stated. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes.’”

The Tukaani Project’s XZ Utils repository has been formally disabled by Microsoft-owned GitHub “due to a violation of GitHub’s terms of service.” There are no documented cases of current wild exploitation.

Evidence suggests that the packages are exclusive to Fedora 41 and Fedora Rawhide, and that they have no effect on SUSE Linux Enterprise and Leap, Red Hat Enterprise Linux (RHEL), Debian Stable, or Amazon Linux.

It is advised that Fedora Linux 40 users downgrade to a 5.4 build out of an abundance of caution. Below are a few more Linux distributions that were affected by the supply chain attack:

Kali Linux (between March 26 and 29)
openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and 28)
Debian testing, unstable, and experimental versions (from 5.5.1alpha-0.1 to 5.6.1-1)

The development has led to the release of an alert by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which advises users to downgrade to an uncompromised version of XZ Utils (e.g., XZ Utils 5.4.6 Stable).
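The practical first step on any host is to find out whether an affected XZ Utils release is installed and whether the local sshd actually loads liblzma (the path the article describes, via systemd linkage). The script below is an added example, not code from the article, Red Hat, or the Tukaani Project; it assumes a POSIX shell with `xz`, `ldd` and `sshd` on the PATH, and it classifies a version purely against the two releases named above (5.6.0 and 5.6.1), treating anything else as outside the scope of this advisory.

```shell
#!/bin/sh
# Added example (not from the article): classify an xz version string against
# the releases named in the advisory and check whether sshd links liblzma.

# The two releases the article names as backdoored (CVE-2024-3094).
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Returns 0 if the bare version string (e.g. "5.6.1") is an affected release.
xz_version_affected() {
    v="$1"
    for a in $AFFECTED_VERSIONS; do
        [ "$v" = "$a" ] && return 0
    done
    return 1
}

# Pull the bare version number out of captured `xz --version` text, whose
# first line looks like "xz (XZ Utils) 5.6.1" (the second line names liblzma).
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 if the given sshd binary is dynamically linked against liblzma,
# i.e. a trojaned liblzma would be mapped into the SSH daemon. Assumes ldd.
sshd_links_liblzma() {
    bin="$1"
    [ -n "$bin" ] && [ -x "$bin" ] || return 1
    ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Local check; only runs when xz is installed on this host.
if command -v xz >/dev/null 2>&1; then
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$ver"; then
        echo "WARNING: xz $ver is an affected release; downgrade to 5.4.x (e.g. 5.4.6)"
    else
        echo "xz $ver is not one of the releases named in the advisory"
    fi
fi

# Linkage check: if sshd does not load liblzma, this particular hook has no path in.
if sshd_links_liblzma "$(command -v sshd 2>/dev/null)"; then
    echo "sshd links liblzma; verify the installed liblzma version and package origin"
else
    echo "sshd not found or not linked against liblzma"
fi
```

Distribution packages can carry a patched 5.6.x under the same version number, so a match here is a reason to check the package's origin and changelog, not proof of compromise on its own; equally, a clean version string says nothing about a liblzma installed outside the package manager.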
