Urgent: Hidden Backdoor Discovered in XZ Utils Library, Affects Major Linux Distributions

Red Hat Issues Urgent Security Alert Following Backdoor Discovery in XZ Utils

On Friday, Red Hat issued an urgent security alert, revealing a critical security vulnerability involving two versions of the widely-used data compression library known as XZ Utils, previously LZMA Utils. This vulnerability allows malicious actors to gain unauthorized remote access to systems, marking a significant threat to the integrity of software supply chains.

The vulnerability, designated CVE-2024-3094, has been assigned the maximum Common Vulnerability Scoring System (CVSS) score of 10.0, reflecting its severity. The affected versions are XZ Utils 5.6.0, released on February 24, and 5.6.1, released on March 9. The backdoor is introduced through a series of obfuscations in the liblzma build process: a prebuilt object file is extracted from a disguised test file in the source tree and used to modify critical functions in the liblzma library.

The malicious code embedded in these versions specifically targets the sshd daemon (the Secure Shell server) via its dependency on the systemd software suite. By compromising sshd authentication, it could grant threat actors control over affected systems under certain circumstances.

The aim of the attack appears to be injecting code into the OpenSSH server (sshd) on the victim's machine, so that an attacker holding a specific private key can send arbitrary payloads through SSH that execute before the authentication phase, thereby hijacking the entire machine. This level of compromise is particularly alarming for businesses that rely on secure shell access for remote operations.

The vulnerability was identified by Microsoft engineer and PostgreSQL developer Andres Freund, who reported it promptly. Investigations indicate that the malicious code was introduced through a series of source code commits to the Tukaani Project's GitHub repository by a user identified as Jia Tan. It remains unclear whether the committer acted intentionally or whether their system was compromised, though the latter is now considered unlikely given the committer's public communications about various 'fixes'.

In response to the gravity of the situation, Microsoft-owned GitHub has temporarily disabled the XZ Utils repository maintained by the Tukaani Project for violating its terms of service. To date, there have been no confirmed reports of widespread exploitation linked to this vulnerability. Current evidence suggests that the compromised packages are limited to specific distributions, notably Fedora 41 and Fedora Rawhide, and do not affect other versions such as Alpine Linux, Debian Stable, or Red Hat Enterprise Linux.

In light of the malicious activity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued its own alert, advising users to downgrade to XZ Utils version 5.4.6, a stable release known to be uncompromised. As the investigation continues, the incident highlights the need for vigilance in software supply chains and for robust security measures that protect against similar compromises.
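As an added example (not part of the original alert or of the XZ Utils project), the following POSIX shell script performs the two checks an administrator would want after reading the advice above: whether the installed xz is one of the two backdoored releases, and whether the local sshd binary pulls in liblzma through its shared-library dependencies. The sshd path and the format of `xz --version` output are assumptions.

```shell
#!/bin/sh
# Added example: check a host for the backdoored XZ Utils releases named in
# the alert (5.6.0 and 5.6.1, CVE-2024-3094) and for an sshd that links liblzma.
# The default sshd path below is an assumption; override it with the first argument.

# Returns 0 (true) when the given xz version string is one of the two
# backdoored releases, 1 otherwise.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `xz --version` output on stdin and prints the bare version number,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1" (assumed output format).
parse_xz_version() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Returns 0 when the given binary's shared-library dependencies include liblzma.
# Uses ldd, so this only covers dynamically linked binaries.
sshd_links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null | parse_xz_version)
        if is_affected_xz_version "$ver"; then
            echo "AFFECTED: xz $ver installed (CVE-2024-3094); downgrade to 5.4.6"
        else
            echo "xz version '$ver' is not one of the backdoored releases"
        fi
    else
        echo "xz not found on PATH"
    fi
    sshd_bin=${1:-/usr/sbin/sshd}   # assumed default location
    if [ -x "$sshd_bin" ] && sshd_links_liblzma "$sshd_bin"; then
        echo "note: $sshd_bin links liblzma (on some distributions via libsystemd)"
    fi
}

check_host "$@"
```

A version match on its own is the decisive signal; the liblzma link check only tells you whether sshd on this host is in the code path the backdoor relied on.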

Viewed through the MITRE ATT&CK framework, the adversary's tactics map to techniques such as initial access and persistence in software systems. Business owners are urged to review their systems for potential exposure and to maintain strong cybersecurity preparedness in an evolving threat landscape.
