Red Hat on Friday released an “urgent security alert” warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.
The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).
Specifically, the nefarious code baked into the code is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely “under the right circumstances.”
Specifically, the nefarious code baked into the code is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely “under the right circumstances.”
Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani Project “due to a violation of GitHub’s terms of service.” There are currently no reports of active exploitation in the wild.
Evidence shows that the packages are only present in Fedora 41 and Fedora Rawhide, and do not impact distros like Alpine Linux, Amazon Linux, Debian Stable, Gentoo Linux, Linux Mint, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise and Leap, and Ubuntu.
Out of an abundance of caution, Fedora Linux 40 users have been recommended to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are below –
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert of its own, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).
Source: https://thehackernews.com/