Father
The search for the culprit leads to unexpected conclusions.
A hidden backdoor was discovered in the popular xz compression utility, which is widely used in most Linux distributions. This malicious code embedded in the utility package creates a critical threat to the supply chain, potentially allowing attackers to gain unauthorized access to SSH services.
Microsoft software engineer Andres Freund discovered the backdoor and reported it to Openwall, a Linux distribution company, on Friday morning. Malicious .m4 files added to the xz archives of version 5.6.0, released on February 24, contained automake instructions for building the liblzma compression library, modifying its functions for unauthorized access.
These changes to liblzma may compromise sshd due to the fact that many Linux distributions include libsystemd. This component, which is responsible for activating systemd notifications, is based on liblzma, which makes it a critical element in the OpenSSH framework.
The added .m4 files were heavily obfuscated, apparently to hide their malicious function, and came from a user who has been an active participant in the xz project for two years.
"Based on the observed activity over several weeks, it can be assumed that either the developer was directly involved in malicious activity, or his system was subjected to a serious security breach. However, the second option seems less likely, given his communication in the mailing lists about the mentioned 'fixes'," Freund writes in his report, commenting on the changes in version xz 5.6.1. These changes, designed to fix valgrind errors and prevent crashes, appear to have been caused by a built-in backdoor.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about this issue, which is tracked as CVE-2024-3094 and has a maximum CVSS score of 10, warning developers and users to roll back to a secure version of xz, such as version 5.4.6.
Freund noted that xz versions 5.6.0 and 5.6.1 have not yet been widely integrated by Linux distributions, and where they have been integrated, mostly in preview versions.
Red Hat issued an urgent security alert on Friday, urging users to immediately stop using any instances of Fedora Rawhide due to the potential threat of compromise via xz. The warning also recommends that users roll back Fedora Linux 40 to a version that uses xz 5.4.
Freund discovered the backdoor while testing the latest unstable version of Debian. The Debian Security Council has confirmed the inclusion of the vulnerable utility in test, unstable, and experimental releases of the distribution. The document states that the package version was reverted to 5.4.5 with a recommendation that users upgrade immediately. According to preliminary data, stable Debian releases were not affected.
CVE-2024-3094 also affects the Homebrew package manager for macOS. In addition, it is confirmed that Kali Linux, a specialized distribution from OffSec for conducting penetration tests, was also affected by this vulnerability from March 26 to 29.
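As an added example (not part of the post above, nor code from the xz or OpenSSH projects), here is a small POSIX shell check a defender can run to act on the rollback advice in the post: it classifies the installed xz version against the two releases named as backdoored (5.6.0 and 5.6.1) and shows whether the local sshd binary links liblzma, which is the path by which the post says sshd becomes exposed. It assumes the standard first line of `xz --version` output ("xz (XZ Utils) 5.6.1") and that `ldd` is available; everything else is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies an xz/liblzma version
# string: returns 0 if it is one of the releases the post names as backdoored
# (5.6.0 and 5.6.1), 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Reads stdin so it can be fed either
# the live command or a constructed sample line.
xz_version_from_output() {
    sed -n '1s/.*[Uu]tils) \([0-9][0-9.]*\).*/\1/p'
}

# Host check: report the installed xz version and whether sshd links liblzma.
# Always returns 0 so it can be run from a script without aborting it.
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed: not in the affected version range"
        return 0
    fi
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    if xz_version_affected "$ver"; then
        echo "WARNING: xz $ver is a backdoored release; roll back (for example to 5.4.6)"
    else
        echo "xz ${ver:-unknown} is outside the affected range"
    fi
    # sshd is only exposed when it loads liblzma (through libsystemd); show the link.
    sshd_path=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null || true)
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
            echo "sshd at $sshd_path links liblzma"
        else
            echo "sshd at $sshd_path does not link liblzma"
        fi
    fi
    return 0
}

check_host
```

The version match is deliberately exact rather than a range comparison: the post names two specific releases, and a safe version such as 5.4.6 or 5.4.5 sorts below them, so a "newer is safer" heuristic would be the wrong model for this incident.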