It was discovered that a malicious backdoor was installed in the built-in compression tool 'XZ Utils' of Linux distributions such as Red Hat and Debian.
It has been revealed that a malicious backdoor was embedded in the compression tool ' XZ Utils ' used by Linux distributions Debian and Red Hat .
oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
https://www.openwall.com/lists/oss-security/2024/03/29/4
Backdoor found in widely used Linux utility breaks encrypted SSH connections | Ars Technica
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
Red Hat warns of backdoor in XZ tools used by most Linux distros
https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/
Everything I know about the XZ backdoor
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Malicious backdoor spotted in Linux compression library xz • The Register
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
openSUSE addresses supply chain attack against xz compression library - openSUSE News
https://news.opensuse.org/2024/03/29/xz-backdoor/
Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094) - Help Net Security
https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access - Phoronix
https://www.phoronix.com/news/XZ-CVE-2024-3094
On March 29, 2024 local time, developer Andres Freund reported the existence of a malicious backdoor in XZ Utils. According to him, it was confirmed that malicious code was present in versions 5.6.0 and 5.6.1 of XZ Utils. However, there are no known reports of this version of XZ Utils being included in production releases of major Linux distributions.
However, both Red Hat and Debian have reported that they were using at least one backdoor version of XZ Utils in their recently published beta releases.
In an ``Urgent Security Alert for Fedora Linux 40 and Fedora Rawhide Users'', Red Hat warns users that XZ Utils contains malicious code intended to allow unauthorized access. According to Red Hat, Fedora Linux 40 may have received version 5.6.0 of XZ Utils depending on the timing of the system update, and Fedora Rawhide may have received version 5.6.0 or 5.6 of XZ Utils depending on the timing of the system update. There is a possibility that you have received 1.
Urgent security alert for Fedora 41 and Fedora Rawhide users
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Red Hat has classified the malicious code present in XZ Utils versions 5.6.0 and later as a vulnerability called ' CVE-2024-3094 .' Red Hat said of the malicious code, ``The build process of liblzma (a component of This file is used to modify certain functions within the liblzma code, which creates a modified liblzma library that can be used by any software linked to this library. , data interactions with this library are intercepted and modified.'
According to the Debian security update, while no stable Debian is affected, the affected version 5.6. He revealed that he was using XZ Utils 0 or later. Furthermore, Debian explained that they have already reverted the XZ Utils version to an older version in the test package and have taken measures to prevent the backdoor from being exploited.
[SECURITY] [DSA 5649-1] xz-utils security update
https://lists.debian.org/debian-security-announce/2024/msg00057.html
In other news, Arch Linux has issued a warning to the community that ``XZ package has been backdoored,'' urging them to upgrade their systems and container images.
Arch Linux - News: The xz package has been backdoored
https://archlinux.org/news/the-xz-package-has-been-backdoored/
The malicious version of XZ Utils was discovered before it was added to the Linux production version, so it 'doesn't actually affect anyone in the real world,' said a senior vulnerability analyst at security firm Analysis. As Eir Dorman points out. However, according to Dorman, ``However, it was simply discovered early due to the attacker's clumsiness, so if this had not been discovered, the world would have fallen into a catastrophe.''
It has also been reported that multiple applications included in Homebrew , the macOS package management system, are also using version 5.6.1 of XZ Utils.
In addition, the Homebrew developers have already reported that they have rolled back the version of XZ Utils from 5.6.1 to 5.4.6.
brew install xz installs the outdated version 5.4.6 instead of 5.6.1 · Homebrew · Discussion #5243 · GitHub
https://github.com/orgs/Homebrew/discussions/5243
According to Red Hat officials, the first sign of the XZ Utils backdoor was 'obfuscated code' introduced in the February 23, 2024 update. The next day, on the 24th, a malicious installation script was included in a function used by sshd, the binary file that powers SSH.
The malicious code hidden in XZ Utils is only present in archived releases (tarballs) released upstream. The so-called GIT code available in the repository is not affected, but it seems to contain a second stage artifact that allows injection at build time. If the obfuscated code introduced on the 23rd is present, the GIT version artifact will enable the backdoor to operate.
According to security researchers, the backdoored XZ Utils was designed to intentionally thwart the authentication performed by SSH, a protocol commonly used to connect to systems remotely. . Although SSH provides strong encryption and ensures that only authorized parties can connect to remote systems, backdoors allow malicious attackers to bypass authentication and gain unauthorized access to your entire system. It seems that it was designed.
Regarding the backdoor in XZ Utils, Freund said, 'Given the activity over several weeks, I think either the committer was directly involved, or there was a fairly serious compromise of the system. And unfortunately... The latter seems unlikely, given the conversations on various lists about the 'fixes' added in recent updates.'' He pointed out the possibility that It was later revealed that the malicious code was published by JiaT75 (Jia Tan), one of the developers who has contributed to the XZ Utils development project for many years.
In addition, on March 28, the day before the XZ Utils backdoor was reported, JiaT75 posted version 5.6.1 of XZ Utils, which fixed a bug that caused Valgrind to malfunction, on the Ubuntu developer site as a Debian product. I had posted a post asking for it to be included in the edition.
Bug #2059417 “Sync xz-utils 5.6.1-1 (main) from Debian unstable ...” : Bugs : xz-utils package : Ubuntu
https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417
Additionally, one Fedora Linux maintainer revealed that JiaT75 has requested that the latest version of XZ Utils, which contains a backdoor, be included in the beta version of Fedora Linux 40.
In addition, JiaT75 created a GitHub account in 2021, gained the trust of those around him by actively participating in development projects as a mentor of XZ Utils, and eventually earned the right to directly commit code in the GitHub repository. Looks like you've earned it.
Therefore, the XZ Utils GitHub repository is closed at the time of article creation.
GitHub · Where software is built
https://github.com/tukaani-project/xz
Regarding the backdoor installed in XZ Utils, it has been pointed out that the Linux sandbox function ' Landlock ' was disabled, and that the obfuscation method used at the Bash stage was very clever.
There was also a post stating that they had identified a part of the backdoor string extracted from version 5.6.1 of XZ Utils that functions as a 'kill switch' to disable the backdoor.
Related Posts: