Red Hat on Friday released an “urgent security advisory” warning that two versions of a popular data compression library called XZ Utils (formerly LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.
The compromise of the software supply chain, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating the highest severity. It affects XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).
“Through a series of complex obfuscations, the liblzma compilation process extracts a pre-built object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code,” the IBM subsidiary said in an alert.
“This results in a modified liblzma library that can be used by any software linked to this library, intercepting and modifying data interaction with this library.”
Specifically, the malicious code is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and could allow a threat actor to break sshd authentication and gain unauthorized remote access to the system “under the right circumstances.”
Microsoft security researcher Andres Freund was credited with discovering and reporting the issue on Friday. The heavily obfuscated malicious code is said to have been introduced during a series of four commits to the Tukaani project on GitHub by a user called JiaT75.
“Given the activity over several weeks, either the developer is directly involved or there has been a rather serious compromise of his system,” Freund said. “Unfortunately, the latter seems the least likely explanation, given that they have communicated about the ‘fixes’ on various lists.”
Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani project “due to a violation of GitHub’s terms of service.” There are currently no reports of active exploitation in the wild.
Current findings indicate that the compromised packages are only present in Fedora 41 and Fedora Rawhide and do not affect Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, or SUSE Linux Enterprise and Leap.
Out of an abundance of caution, Fedora Linux 40 users have been advised to downgrade to a 5.4 build. Below are some of the other Linux distributions affected by the supply chain attack:
The development prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).
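A check a defender can run against the facts in this advisory, added here as an example and not part of the advisory, of CISA's guidance, or of XZ Utils itself: it flags the two affected version numbers (5.6.0 and 5.6.1) and reports whether the local sshd binary loads liblzma, the linkage the backdoor relied on. The sample `xz --version` and `ldd` outputs are constructed, and the `--run` switch is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed XZ Utils one of the
# two backdoored releases named in CVE-2024-3094, and does sshd link liblzma?
# The parsing functions take their input as arguments so they work offline.

# Constructed sample outputs, used for offline testing of the parsers below.
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_OUTPUT='	linux-vdso.so.1 (0x0000)
	libsystemd.so.0 => /lib64/libsystemd.so.0 (0x0000)
	liblzma.so.5 => /lib64/liblzma.so.5 (0x0000)'

# Return 0 (true) only for the two releases the advisory names as backdoored.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if it cannot parse.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the given `ldd` output lists liblzma, i.e. the binary loads it.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live check on this host: prints a verdict; exit status 0 means affected.
check_host() {
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    sshd=$(command -v sshd || echo /usr/sbin/sshd)
    links=$(ldd "$sshd" 2>/dev/null || true)
    status=1
    if xz_version_affected "$ver"; then
        echo "xz $ver is a backdoored release (CVE-2024-3094): downgrade to 5.4.x"
        status=0
    else
        echo "xz ${ver:-unknown}: not one of the two affected releases"
    fi
    if ldd_links_liblzma "$links"; then
        echo "sshd at $sshd links liblzma (the path the backdoor used)"
    else
        echo "sshd at $sshd does not link liblzma"
    fi
    return $status
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--run" ]; then check_host; fi
```

Run as `sh check-xz.sh --run`; a zero exit status means the installed xz is 5.6.0 or 5.6.1 and should be downgraded as the advisory recommends.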