Security news that informs and inspires

Red Hat, CISA Warn of XZ Utils Backdoor


UPDATE - Red Hat on Friday released an “urgent security alert” warning users of malicious code embedded in certain versions of XZ Utils, a popular set of data compression tools. Some Fedora Linux versions may be impacted, and Red Hat urged customers to immediately stop using Fedora Rawhide instances for work or personal activity.

The malicious code, which is being tracked as CVE-2024-3094 and may allow unauthorized access to impacted systems, is embedded in XZ Utils versions 5.6.0 and 5.6.1, released in late February and early March, respectively. XZ is a data compression format present in most Linux distributions, in both community projects and commercial products, where it is used to compress large files so that they can be distributed and shared.

The Friday alert from Red Hat warned that the compromised packages are present in Fedora 41 and Fedora Rawhide within the Red Hat ecosystem. Red Hat said that Fedora Linux 40 users may have received version 5.6.0, depending on the timing of system updates, while Fedora Rawhide users may have received version 5.6.0 or 5.6.1.

“Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed,” according to Red Hat’s post. “At this time the Fedora Linux 40 builds have not been shown to be compromised. We believe the malicious code injection did not take effect in these builds. However, Fedora Linux 40 users should still downgrade to a 5.4 build to be safe.”

No versions of Red Hat Enterprise Linux are affected, Red Hat said. However, “we have reports and evidence of the injections successfully building in xz 5.6.x versions built for Debian unstable (Sid). Other distributions may also be affected.”

According to a mailing list message from Debian developers on Friday, no Debian stable versions are known to be affected. However, compromised packages were part of the Debian testing, unstable and experimental distributions, and users running Debian testing and unstable are being urged to update the XZ Utils packages.

On Friday, Kali Linux maintainers said that the malicious code may have affected Kali installations updated between March 26 and March 29, and urged users who updated their installations on or after March 26 to apply the latest updates. openSUSE's Tumbleweed and MicroOS, meanwhile, included the affected XZ version between March 7 and March 28.

"openSUSE Maintainers have rolled back the version of xz on Tumbleweed on March 28th and have released a new Tumbleweed snapshot (20240328 or later) that was built from a safe backup," according to openSUSE maintainers.

Andres Freund, a Microsoft software engineer, first found the security issue while he was benchmarking postgres changes: he noticed that sshd processes were using “a surprising amount of CPU” and traced the overhead to liblzma, the compression library that is part of the XZ package. He posted about the malicious code on Friday.

Red Hat said that the malicious code could, “under the right circumstances,” allow remote malicious actors to break sshd authentication and gain unauthorized access to the entire impacted system.

“The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code,” according to Red Hat’s advisory. “The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present. The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access.”

Details related to the backdoor's creation are still being unearthed, but the accounts linked to the malicious code appear to go back years. The persona behind the backdoor, someone who went by the name Jia Tan and the username JiaT75, first created a GitHub account in 2021, began contributing patches to XZ in 2022 and by 2023 was a regular contributor with commit and release access to the project.

CISA on Friday said it was responding to the reports of malicious code being embedded in XZ Utils along with the open source community.

“CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA,” according to CISA in a Friday alert.
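Red Hat's advisory above describes the precondition for the backdoor to matter (sshd pulling in liblzma through systemd), and CISA's alert gives the remediation (downgrade to 5.4.x and hunt). The following POSIX shell script, an added example and not code from Red Hat, CISA or the xz project, ties the two together as a quick per-host triage: it parses `xz --version`, flags the two backdoored releases, and reports whether the local sshd binary links liblzma. It assumes the upstream `xz --version` output format (first line `xz (XZ Utils) X.Y.Z`, second line `liblzma X.Y.Z`), that sshd, if installed, lives in /usr/sbin or /usr/bin, and that `ldd` is available; the version numbers 5.6.0 and 5.6.1 are the ones named in the advisories.

```sh
#!/bin/sh
# Added example for CVE-2024-3094 triage; not code from Red Hat, CISA or the xz project.
# Assumptions: `xz --version` prints "xz (XZ Utils) X.Y.Z" on line 1 and "liblzma X.Y.Z"
# on line 2 (the upstream format), and sshd, where present, lives in /usr/sbin or /usr/bin.

# True (exit 0) if the version string is one of the two releases that carried the backdoor.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print the XZ Utils version (last field of line 1).
parse_xz_version() {
    awk 'NR == 1 { print $NF }'
}

# Read `xz --version` output on stdin and print the liblzma version. The injected code lives
# in liblzma, so this is the number that matters if a distro ships xz and liblzma separately.
parse_liblzma_version() {
    awk '$1 == "liblzma" { print $2; exit }'
}

# Print "yes" if the given sshd binary pulls in liblzma (directly or via libsystemd), which is
# the condition under which Red Hat says the build interferes with authentication; else "no".
sshd_links_liblzma() {
    if ldd "$1" 2>/dev/null | grep -q 'liblzma'; then
        echo yes
    else
        echo no
    fi
}

# Triage the running host: report versions and sshd linkage, return 2 if a backdoored
# xz or liblzma version is installed, 0 otherwise.
main() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed; nothing to check"
        return 0
    fi
    out=$(xz --version 2>/dev/null)
    xzver=$(printf '%s\n' "$out" | parse_xz_version)
    lzver=$(printf '%s\n' "$out" | parse_liblzma_version)
    echo "xz: ${xzver:-unknown}  liblzma: ${lzver:-unknown}"

    for sshd in /usr/sbin/sshd /usr/bin/sshd; do
        [ -x "$sshd" ] && echo "$sshd links liblzma: $(sshd_links_liblzma "$sshd")"
    done

    status=0
    for v in "$xzver" "$lzver"; do
        if xz_version_is_backdoored "$v"; then
            echo "BACKDOORED xz/liblzma $v installed: downgrade to 5.4.x (e.g. 5.4.6) and hunt for follow-on activity"
            status=2
        fi
    done
    return $status
}

main "$@"
```

The script needs only `xz`, `awk` and `ldd`, and exits 2 when a 5.6.0 or 5.6.1 build is present so it can be fanned out over a fleet and grepped for failures. A version match is a reason to downgrade, not proof the injected code is active on that host: Red Hat notes the malicious M4 stage is only in the release tarball, so a distro that built 5.6.x from git would report the same version without it, and Fedora 40's 5.6.0 builds were not shown to be compromised. Check the sshd linkage line too, since a host whose sshd does not load liblzma is outside the path the advisory describes even if the library itself is the bad one.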

This article was updated on April 1 to include further potentially impacted distributions.