Red Hat on Friday warned that a malicious backdoor found in the widely used data compression library called xz may be present in Fedora Linux 40, 41, and in the Fedora Rawhide developer distribution.
The IT giant said the malicious code, which appears to provide remote backdoor access, is present in xz 5.6.0 and 5.6.1. The vulnerability has been designated CVE-2024-3094. It is rated 10 out of 10 in CVSS severity.
Users of Fedora Linux 40 may have received 5.6.0, depending upon the timing of their system updates, according to Red Hat. And users of Fedora Rawhide, the current development version of what will become Fedora Linux 41, may have received 5.6.1. Red Hat also indicated Fedora 41 may have picked up the backdoored code.
Users of other Linux and OS distributions should check to see which version of the xz suite they have installed.
"PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity," the IBM subsidiary's advisory screams. "Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed."
Red Hat Enterprise Linux (RHEL) is not affected.
The malicious code in xz versions 5.6.0 and 5.6.1 is obfuscated, Red Hat says, and is only fully present in the download package; the Git repo holds only second-stage artifacts, which an M4 macro in the repo turns into the malicious code during the build.
"The resulting malicious build interferes with authentication in sshd via systemd," Red Hat explains. "SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access."
This authentication interference has the potential to allow a miscreant to break sshd authentication and remotely gain unauthorized access to an affected system.
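As an added example (not from the article, from Red Hat, or from the xz project), here is a small POSIX shell script that performs the check the advisory asks for: it parses `xz --version`, flags the two affected releases named above, and, because the backdoor is said to reach sshd via systemd, also reports whether the local sshd binary has liblzma among its shared libraries. The function names, the `--run` flag and the sample version strings are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the article or from Red Hat/Fedora: check the
# installed xz against the releases named in the advisory (5.6.0 and 5.6.1,
# CVE-2024-3094) and report whether sshd loads liblzma.

# Return 0 (true) if the given version string is one of the affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the output text as $1 so the
# parser can be exercised without xz installed.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Inspect this host: installed xz version, and whether the sshd binary
# links liblzma (the path by which the article says the backdoor reaches
# sshd authentication, through systemd).
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "WARNING: installed xz $ver is an affected release (5.6.0/5.6.1)"
        else
            echo "installed xz version: ${ver:-unknown} (not 5.6.0/5.6.1)"
        fi
    else
        echo "xz not found in PATH"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
            echo "note: $sshd_path links liblzma:"
            ldd "$sshd_path" 2>/dev/null | grep liblzma
        else
            echo "$sshd_path does not link liblzma"
        fi
    fi
}

# Only touch the host when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Run it as `sh check_xz.sh --run`. sshd linking liblzma is normal on distributions that patch sshd for systemd notification, so the version number is the decisive signal: 5.6.0 or 5.6.1 means following the advisory's downgrade guidance, while an older release is not affected by this issue.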
A post to the Openwall security mailing list by Andres Freund, PostgreSQL developer and committer, explores the vulnerability in greater detail.
"The backdoor initially intercepts execution by replacing the ifunc resolvers crc32_resolve(), crc64_resolve() with different code, which calls _get_cpuid(), injected into the code (which previously would just be static inline functions). In xz 5.6.1 the backdoor was further obfuscated, removing symbol names," Freund explains, with the caveat that he's not a security researcher or reverse engineer.
Freund speculates that the code "seems likely to allow some form of access or other form of remote code execution."
The account name associated with the offending commits, together with other details like the time those commits were made, has led to speculation that the author of the malicious code is a sophisticated attacker, possibly affiliated with a nation-state agency.
According to Freund, the US Cybersecurity and Infrastructure Security Agency (CISA) has been notified of the incident.
Source: The Register