Malicious code discovered in Red Hat’s XZ tools

2024-04-03 13:15:46

Red Hat warned this Good Friday of a backdoor in XZ tools. Use of Fedora 41 and Fedora Rawhide should cease immediately. It was a Microsoft software engineer who discovered the backdoor.

Red Hat warns of a backdoor present in the XZ tools used by most Linux distributions. On its website, the firm wrote this Good Friday: “Please immediately stop using all instances of Fedora 41 or Fedora Rawhide, whether for work or personal activities.” The site Bleepingcomputer also reports the flaw, indicating that no version of Red Hat Enterprise Linux (RHEL) is affected: “We have reports and evidence that injections in versions xz 5.6.x have been successfully built into Debian unstable (Sid). Other distributions might also be affected.”

Kali Linux, openSUSE and Arch Linux have also issued security advisories and rolled back the affected versions in their rolling releases. Linux administrators can therefore check which version of XZ is installed by querying their package manager or by running the following shell script, which was shared by a cybersecurity researcher named Kostas.

(Source: screenshot / Bleepingcomputer.com)

According to Bleepingcomputer, the script runs the ‘strings’ command on every instance of the xz executable and displays the version string embedded in it. With this command, users can determine the version without running the backdoored command-line tool. Anyone using versions 5.6.0 or 5.6.1 should “immediately upgrade to older versions without the malicious code.” A Microsoft software engineer named Andres Freund discovered and documented the security issue while examining slow SSH connections on a Linux box running Debian Sid (the rolling development version of the Debian distribution), Bleepingcomputer writes.
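The check described above, written out as an added example: this is my own shell, not the script Kostas shared and not code from Bleepingcomputer or Red Hat. It reads the “xz (XZ Utils) X.Y.Z” string out of each xz binary found on PATH without executing it, using a `tr`-based stand-in for binutils’ `strings` so it also runs where binutils is absent. The function names are hypothetical, the sample file it builds is constructed (a few header-like bytes around the strings a 5.6.1 build would embed, not a real xz), and the affected list is the one the article names, 5.6.0 and 5.6.1.

```shell
#!/bin/sh
# Added example (not the script shared by Kostas): report the XZ Utils version
# string embedded in every xz binary on PATH without executing the binary.
# Function names are hypothetical. The "affected" list is the one named in
# the article: 5.6.0 and 5.6.1.

# Minimal stand-in for binutils' `strings`: keep runs of printable ASCII so the
# check works even where binutils is not installed.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Print the version from the embedded "xz (XZ Utils) X.Y.Z" string in file $1,
# or nothing if the string is absent.
xz_embedded_version() {
    printable_strings "$1" \
        | grep -oE 'xz \(XZ Utils\) [0-9]+\.[0-9]+\.[0-9]+' \
        | head -n 1 \
        | sed 's/^.*) //'
}

# Classify a version string: AFFECTED, UNKNOWN (no version found) or ok.
xz_verdict() {
    case "$1" in
        5.6.0|5.6.1) echo "AFFECTED" ;;
        "")          echo "UNKNOWN" ;;
        *)           echo "ok" ;;
    esac
}

# One report line per file: path, version (or "none"), verdict.
report_file() {
    ver=$(xz_embedded_version "$1")
    printf '%s\t%s\t%s\n' "$1" "${ver:-none}" "$(xz_verdict "$ver")"
}

# Walk every directory on PATH and report each regular, executable xz found.
check_path_xz() {
    saved_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        IFS=$saved_ifs
        [ -f "$dir/xz" ] && [ -x "$dir/xz" ] || continue
        report_file "$dir/xz"
    done | sort -u
    IFS=$saved_ifs
}

# Constructed sample standing in for a backdoored binary: a few header-like
# bytes, NULs and the version strings a 5.6.1 build would embed. Not real xz.
make_sample_binary() {
    f=$(mktemp)
    printf '\177ELF\002\001\001\000xz (XZ Utils) 5.6.1\000liblzma 5.6.1\000' > "$f"
    printf '%s' "$f"
}

# Demo: the constructed sample first, then whatever xz this host has on PATH.
sample=$(make_sample_binary)
report_file "$sample"
rm -f "$sample"
check_path_xz
```

The xz command-line binary is only a proxy: the injected code lives in liblzma, so the package manager remains the authoritative check (`rpm -q xz xz-libs` on Fedora, `dpkg -l xz-utils liblzma5` on Debian-based systems), and a binary reporting UNKNOWN should be treated as unverified rather than clean.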

However, the software engineer has yet to find the exact purpose of the malicious code added to the liblzma data compression library in XZ versions 5.6.0 and 5.6.1 by a sinister contributor named Jia Tan (JiaT75). “I have not yet analyzed precisely what is checked in the injected code to allow unauthorized access. As this works in a pre-authentication context, it seems likely that this would enable some form of access or other form of remote code execution,” Andres Freund said. He added: “Initially, launching sshd outside of systemd did not show any slowdown, despite momentarily activating the backdoor. This appears to be part of some countermeasures to make analysis more difficult.”

Red Hat rolls back to XZ 5.4.x in Fedora Beta

Red Hat is now tracking this supply chain security issue as CVE-2024-3094 and has assigned it a critical severity score of 10/10, while rolling back to XZ version 5.4.x in Fedora 40 Beta, Bleepingcomputer specifies. The malicious code is thus well hidden: it is only present in the full source download package, not in the Git repository, which lacks the M4 macro that triggers the backdoor build process.

If the malicious macro is present, second-stage artifacts found in the Git repository are injected at build time, Bleepingcomputer continues. “The resulting malicious build disrupts authentication in sshd via systemd. SSH is a protocol commonly used to connect to remote systems, and sshd is the service that allows access,” writes Red Hat. “Under the appropriate circumstances, this disruption might potentially allow a malicious actor to bypass sshd authentication and gain unauthorized access to the entire system remotely.”

CISA, the NCSC of the United States, has also issued a warning advising developers and users to upgrade to an uncompromised version of XZ (i.e. 5.4.6 Stable) and to check for any malicious or suspicious activity on their systems.
