Red Hat warns that a vulnerability in XZ Utils, the XZ format compression utility included with many Linux distributions, is a backdoor. Users should downgrade the utility to a more secure version or disable ssh completely so that the backdoor cannot be exploited.
The code injection vulnerability (CVE-2024-3094) injects code into the authentication process and allows an attacker to gain remote access to the system. Red Hat's advisory urges users to “PLEASE IMMEDIATELY DISCONTINUE USING ANY RAWHIDE FEDORA INSTANCE for work or personal activity”, the company stresses, until it has rolled its xz version back to 5.4.x and given the all-clear. The flaw was assigned a CVSS (Common Vulnerability Scoring System) score of 10.0.
The defect is present in xz versions 5.6.0 (released February 24) and 5.6.1 (released March 9). The US Cybersecurity and Infrastructure Security Agency (CISA) recommended that developers and users downgrade XZ Utils to an older, uncompromised version, such as XZ Utils 5.4.6 Stable.
Here’s how to check if your system is running the affected version:
xz --version
If the output reports xz (XZ Utils) 5.6.1 or liblzma 5.6.1 (5.6.0 is affected in the same way), users will need to apply the update for their distribution (if available), downgrade xz, or disable ssh for the time being.
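The version check above, as an added example that is not part of the original article: a small POSIX shell script that parses the output of xz --version, flags the two backdoored releases named here (5.6.0 and 5.6.1) without being fooled by lookalike strings such as 5.6.10, and reports the liblzma version on the host. The sample outputs embedded at the end are constructed for offline demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: detect the backdoored XZ Utils
# releases (5.6.0 and 5.6.1) from the text that `xz --version` prints, e.g.
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1

# Return 0 (affected) if any version token in the given text is exactly 5.6.0
# or 5.6.1. The surrounding character classes stop 15.6.1 or 5.6.10 matching.
xz_output_is_affected() {
    printf '%s\n' "$1" | grep -Eq '(^|[^0-9.])5\.6\.[01]([^0-9]|$)'
}

# Extract the liblzma version from the same output (empty if no such line).
liblzma_version() {
    printf '%s\n' "$1" | awk '/^liblzma/ { print $2; exit }'
}

# Run the real check on this host and print a verdict; always returns 0 so the
# report itself never aborts a calling script.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed; nothing to check"
        return 0
    fi
    out=$(xz --version 2>/dev/null)
    if xz_output_is_affected "$out"; then
        echo "AFFECTED: backdoored xz/liblzma $(liblzma_version "$out") present"
        echo "Action: apply the distribution update, downgrade xz to 5.4.x, or disable ssh until fixed"
    else
        echo "Not affected: liblzma $(liblzma_version "$out")"
    fi
}

# Constructed sample outputs (not captured from a real host) for demonstration.
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_GOOD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Example run against the host this script executes on.
check_local_xz
```

The regex deliberately anchors the version on both sides: the advisory concerns exactly 5.6.0 and 5.6.1, so a patched follow-up release or an unrelated longer version string must not trigger a false alarm, while the liblzma line is checked separately because a distribution can ship the library independently of the xz binary.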
While the issue primarily affects Linux distributions, there are reports that some versions of macOS may run the compromised packages. If so, run brew update on the Mac; it should downgrade xz from 5.6.0 to 5.4.6.
Which Linux distributions are affected?
Although serious, the impact may be limited. The problematic code is found in newer versions of xz/liblzma, so it may not be as widely distributed. Linux distributions that have not yet released the latest versions are less likely to be affected.
Red Hat: The vulnerable packages exist in Fedora 41 and Fedora Rawhide. No versions of Red Hat Enterprise Linux (RHEL) are affected. Red Hat says users should immediately stop using the affected versions until the company has had a chance to modify the xz version.
SUSE: An update is available for openSUSE (Tumbleweed or MicroOS).
Debian Linux: No stable versions of the distribution are affected, but the compromised packages were part of the testing, unstable and experimental versions. Users should update xz-utils.
Kali Linux: If systems were updated between March 26 and March 29, users should update again to get the fix. If your last Kali update was before the 26th, it is not affected by this backdoor.
This list will be updated as other distributions provide information.