Red Hat is warning that a vulnerability in XZ Utils, the XZ-format compression utility included in many Linux distributions, is a backdoor. Users should either downgrade the utility to a safe version or disable ssh entirely so that the backdoor cannot be exploited.
The code injection vulnerability (CVE-2024-3094) injects code into the authentication process that allows a malicious actor to gain remote access to the system. Red Hat said in its advisory to “PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity” (emphasis theirs) until the company reverted its xz version to 5.4.x and gave the all-clear. The flaw has been assigned a CVSS (Common Vulnerability Scoring System) score of 10.0.
The flaw is present in xz versions 5.6.0 (released Feb. 24) and 5.6.1 (released March 9). The US Cybersecurity and Infrastructure Security Agency (CISA) advised developers and users to downgrade XZ Utils to an earlier, uncompromised version, such as XZ Utils 5.4.6 Stable.
Here’s how to tell whether a system is running an affected version:
xz --version
If the output says xz (XZ Utils) 5.6.0 or 5.6.1, or liblzma 5.6.0 or 5.6.1, then users should either apply the update for their distribution (if available), downgrade xz, or disable ssh for the time being.
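The following script is an added example, not part of the original article or of the XZ Utils project. It runs the same check as above in a form that can be used across a fleet: it parses the two lines that `xz --version` prints (the `xz (XZ Utils) X.Y.Z` line and the `liblzma X.Y.Z` line) and flags the two backdoored releases named in the text, 5.6.0 and 5.6.1. The sample outputs inside the script are constructed for offline testing, not captured from a real host; the `--live` flag and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): classify `xz --version` output
# against the backdoored releases 5.6.0 and 5.6.1. Both the xz binary
# line and the liblzma line are checked, because a distribution may ship
# the tool and the library as separate packages.

AFFECTED_VERSIONS="5.6.0 5.6.1"

# is_affected_version VERSION: succeed (0) if VERSION is a backdoored release.
is_affected_version() {
    for v in $AFFECTED_VERSIONS; do
        if [ "$1" = "$v" ]; then
            return 0
        fi
    done
    return 1
}

# parse_xz_version OUTPUT: print the version from the "xz (XZ Utils) X.Y.Z" line.
parse_xz_version() {
    printf '%s\n' "$1" | awk '/^xz \(XZ Utils\)/ { print $NF; exit }'
}

# parse_liblzma_version OUTPUT: print the version from the "liblzma X.Y.Z" line.
parse_liblzma_version() {
    printf '%s\n' "$1" | awk '/^liblzma/ { print $NF; exit }'
}

# classify_output OUTPUT: print AFFECTED if either component is a backdoored
# release, otherwise OK. OUTPUT is the full multi-line `xz --version` text.
classify_output() {
    xz_v=$(parse_xz_version "$1")
    lz_v=$(parse_liblzma_version "$1")
    if is_affected_version "$xz_v" || is_affected_version "$lz_v"; then
        printf 'AFFECTED\n'
    else
        printf 'OK\n'
    fi
}

# check_system: run the real `xz --version` on this host and report.
# Returns non-zero when the host is affected, so it can gate automation.
check_system() {
    if ! command -v xz >/dev/null 2>&1; then
        printf 'xz is not installed\n'
        return 0
    fi
    out=$(xz --version 2>/dev/null)
    printf '%s\n' "$out"
    verdict=$(classify_output "$out")
    printf 'verdict: %s\n' "$verdict"
    [ "$verdict" = "OK" ]
}

# Constructed sample outputs (not captured from a real system) used to
# exercise the parser offline.
SAMPLE_BACKDOORED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_SAFE='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_MIXED='xz (XZ Utils) 5.4.6
liblzma 5.6.0'

# Only touch the live host when asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
    check_system
fi
```

Run it as `sh xz_check.sh --live` on a host; a non-zero exit from `check_system` means one of the two backdoored releases is present and the remediation steps above apply. The mixed sample shows why both lines matter: a downgraded `xz` binary next to a still-backdoored `liblzma` is still reported as affected.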
While the issue primarily affects Linux distributions, there are reports that some versions of macOS may be running the compromised packages. If that is the case, running brew upgrade on the Mac should downgrade xz from 5.6.0 to 5.4.6.
Which Linux Distros Are Affected?
While serious, the impact may be limited. The problematic code is in the newer versions of xz/liblzma, so it may not be as widely deployed. Linux distributions that have not yet released the newer versions are less likely to be affected.
Red Hat: Vulnerable packages are present in Fedora 41 and Fedora Rawhide. No versions of Red Hat Enterprise Linux (RHEL) are affected. Red Hat says users should immediately stop using the affected versions until the company has had a chance to revert the xz version.
SUSE: An update is available for openSUSE (Tumbleweed or MicroOS).
Debian Linux: No stable versions of the distribution are affected, but compromised packages were part of the testing, unstable, and experimental versions. Users should update xz-utils.
Kali Linux: If systems were updated between March 26 and March 29, then users should update again to get the fix. If Kali’s last update was before the 26th, it is not affected by this backdoor.
This list will be updated as other distributions provide information.
Source: www.darkreading.com