Malicious SSH backdoor sneaks into xz, Linux world’s data compression library • The Register

Red Hat warned Friday that a malicious backdoor found in the widely used data compression software library xz may be present in Fedora Linux 40 instances and the Fedora Rawhide developer distribution.

The IT giant said the malicious code, which appears to provide remote access via OpenSSH and systemd at least, is present in xz 5.6.0 and 5.6.1. The vulnerability has been designated CVE-2024-3094. It is rated 10 out of 10 in CVSS severity.

Fedora Linux 40 users may have received version 5.6.0, depending on their system’s update schedule, according to Red Hat. And users of Fedora Rawhide, the current development version of what will become Fedora Linux 41, may have received version 5.6.1. Fedora 40 and 41 have not yet been officially released; version 40 should be released next month.

Users of other Linux distributions and OS should check which version of the xz suite they have installed. The infected versions, 5.6.0 and 5.6.1, were released on February 24 and March 9, respectively, and may not make it into too many people’s deployments.

This supply chain compromise may have been detected early enough to prevent widespread exploitation, and it may only primarily affect cutting-edge distributions that immediately picked up the latest xz versions.

Debian unstable and Kali Linux indicated that they, like Fedora, were concerned. All users should take steps to identify and remove any compromised versions of xz.

“PLEASE IMMEDIATELY DISCONTINUE USING ANY FEDORA RAWHIDE INSTANCES for business or personal purposes,” the IBM subsidiary’s notice shouted from the rooftops today. “Fedora Rawhide will be reverted to xz-5.4.x soon, and once this is done, Fedora Rawhide instances can be safely redeployed.”

Red Hat Enterprise Linux (RHEL) is not affected.

The malicious code in xz versions 5.6.0 and 5.6.1 has been obfuscated, Red Hat says, and is only fully present in the source code tarball. Second-stage artifacts in the Git repository are transformed into malicious code via the M4 macro in the repository during the build process. The resulting poisoned xz library is unintentionally used by software, such as the operating system’s systemd, once the library is distributed and installed. The malware appears to have been designed to modify the operation of OpenSSH server daemons that use the library via systemd.

“The resulting malicious version interferes with authentication in sshd via systemd,” explains Red Hat. “SSH is a commonly used protocol for connecting to systems remotely, and sshd is the service that allows access.”

This authentication interference can potentially allow an attacker to break sshd authentication and remotely gain unauthorized access to an affected system. In summary, the backdoor appears to work like this: Linux machines install the backdoored xz library – more precisely, liblzma – and this dependency is in turn used in some way by the computer’s OpenSSH daemon. At this point, the poisoned xz library is capable of meddling with the daemon and potentially allowing an unauthorized miscreant to log in remotely.
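The two checks the article implies (which xz release is installed, and whether the sshd binary reaches liblzma through its shared-library dependencies) as an added shell example; this is not code from the article, Red Hat or the xz project. It assumes `xz --version` prints a line of the form `xz (XZ Utils) 5.6.1` and that `ldd` is available; the function names `xz_version_affected`, `links_liblzma` and `check_host` and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: classify an "xz --version" string
# against the two releases named in the text (5.6.0 and 5.6.1), and report
# whether the sshd binary pulls in liblzma via its shared libraries.

# Return 0 if the version string names one of the backdoored xz releases.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if ldd output lists liblzma (directly or via libsystemd).
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed samples standing in for real "xz --version" and "ldd" output.
SAMPLE_XZ_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_LDD_SSHD='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)'

# Live check of this host, when the tools and binaries are present.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        if xz_version_affected "$(xz --version 2>/dev/null)"; then
            echo "xz: backdoored release installed (CVE-2024-3094)"
        else
            echo "xz: not one of the named releases"
        fi
    fi
    sshd=$(command -v sshd || echo /usr/sbin/sshd)
    if [ -x "$sshd" ] && command -v ldd >/dev/null 2>&1; then
        if links_liblzma "$(ldd "$sshd" 2>/dev/null)"; then
            echo "sshd: links liblzma, so the exposure path described above exists"
        else
            echo "sshd: does not link liblzma"
        fi
    fi
}

check_host
```

A version outside 5.6.0/5.6.1 or an sshd that does not load liblzma does not by itself prove a host is clean; it only rules out the specific path the article describes.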

As Red Hat says:

An article posted to the Openwall security mailing list by PostgreSQL developer and committer Andres Freund explores the vulnerability in more detail.


“The backdoor initially intercepts execution by replacing the ifunc resolvers crc32_resolve(), crc64_resolve() with different code, which calls _get_cpuid(), injected into the code (which previously were just static inline functions). In xz 5.6.1, the backdoor was obfuscated even more, removing symbol names,” explains Freund, clarifying that he is not a security researcher or reverse engineer.

Freund speculates that the code “appears likely to enable some form of access or other form of remote code execution.”

The account name associated with the offending commits, along with other details such as the time these commits were made, have led to speculation that the author of the malicious code is a sophisticated attacker, perhaps affiliated with a nation-state agency.

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has already issued an advisory on this matter. ®

News Source : www.theregister.com