Upstream Supply Chain Attack Leads to SSH Compromise

A critical security breach has been identified in the xz compression utility’s liblzma library, leading to a significant compromise of SSH server security across various Linux distributions.

The xz format is ubiquitous across Linux distributions, serving as a general-purpose tool for compressing and decompressing large files.

The backdoor, which was first detected in Debian sid installations, has been traced back to the upstream xz repository, affecting versions 5.6.0 and 5.6.1 of the xz package.

Microsoft developer Andres Freund initially observed unusual system behavior, such as excessive CPU usage during SSH logins and Valgrind errors, which led to the discovery of the backdoor.

The compromised code was found solely in the distributed tarballs, not in the upstream source, indicating a deliberate and targeted attack on the supply chain.

Red Hat has issued an urgent security alert for Fedora 41 and Fedora Rawhide users, advising immediate cessation of use until the xz version can be downgraded.

The affected packages, xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm, were present in the Fedora Linux 40 beta, but the malicious code has not been detected in the stable release.

Fedora Rawhide, the development distribution for future Fedora builds, is also impacted and will be reverted to the safe xz-5.4.x versions.

Within Red Hat's purview, Fedora 40 and Fedora Rawhide are the only known affected distributions.

However, the injections have been successfully built in xz 5.6.x versions for Debian unstable (Sid), and other distributions may also be at risk. Red Hat has assigned the issue CVE-2024-3094 and is actively working on patches to secure affected systems.

Alex Matrosov recently tweeted about the vulnerabilities in existing solutions that are missing transitive statically linked dependencies and cannot detect such attacks.

The backdoor discovered in the upstream xz/liblzma library leads to SSH compromise by introducing malicious code that can be used by any software linked against the compromised liblzma library.

This includes OpenSSH, which uses the library for compression during SSH sessions. The backdoor was ingeniously inserted into the xz/liblzma library in a way that allowed it to escape detection during routine security audits, making it a particularly stealthy threat.

The vulnerability arises when the compromised version of xz/liblzma is used to compress or decompress files, which is a common operation in SSH communications.

The backdoor can be triggered during this process, providing attackers with a way to execute arbitrary code on the server.

This could potentially allow unauthorized access to the server, the execution of commands, or even the escalation of privileges to gain complete control over the system.

The backdoor was only present in the distributed tarballs and not in the upstream source code repository, indicating a targeted attack on the supply chain.

The malicious code was hidden through a series of complex obfuscations, where the liblzma build process extracts a pre-built object file from a disguised test file in the source code.

This results in a modified liblzma library that, when used by software like OpenSSH, compromises the security and integrity of SSH servers.

The backdoor’s functionality appears to be limited to glibc-based systems, and fortunately, the compromised xz versions have not been widely integrated by Linux distributions, mostly appearing in pre-release versions.

The injected code causes logins via SSH to become significantly slower, and during a pubkey login, the exploit code is invoked, redirecting RSA_public_decrypt to the backdoor code.

Codenotary has published a detection script for the backdoor, and system administrators are encouraged to run it on their systems. The script checks for the backdoor by examining the liblzma library that sshd loads.

If the backdoor code is found, the system is likely vulnerable and should be updated immediately.
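The triage the article describes, checking which liblzma sshd loads and whether the installed xz is one of the backdoored releases, can be scripted in a few POSIX shell functions. The script below is an added example written for this article; it is not the Codenotary script, nor anything from Red Hat or the xz project. It only compares versions and library linkage against the advisory (5.6.0 and 5.6.1 affected, 5.4.x safe) and does not search for the backdoor's code bytes, so a clean result means "not a known-bad version", not a full scan. The file name xz_triage.sh, the constructed ldd and rpm sample strings, and the dnf remediation hint (which uses the Fedora advisory id quoted in this article and dnf's standard --advisory option) are the assumptions it makes.

```shell
#!/bin/sh
# Added example: version-and-linkage triage for the xz 5.6.x advisory.
# Not the Codenotary detection script from the article; it does not look
# for the backdoor's bytes, only for known-bad versions and sshd linkage.

# Versions the advisory names as backdoored; the article says 5.4.x is safe.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# is_affected VERSION -> prints "yes" if VERSION is a backdoored release, else "no"
is_affected() {
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && { echo yes; return 0; }
    done
    echo no
}

# liblzma_from_ldd -> reads `ldd sshd` output on stdin, prints the liblzma path
# (empty when sshd does not load liblzma). A matching line looks like:
#   liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f...)      (constructed sample)
liblzma_from_ldd() {
    sed -n 's/.*liblzma[^ ]* => \([^ ]*\).*/\1/p' | head -n 1
}

# xz_version -> reads `xz --version` output on stdin ("xz (XZ Utils) 5.6.1 ..."),
# prints just the version number
xz_version() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# rpm_version NVRA -> version from an rpm name such as xz-libs-5.6.0-1.fc40.x86_64
rpm_version() {
    printf '%s\n' "$1" | sed -n 's/^xz-libs-\([0-9][0-9.]*\)-.*/\1/p'
}

# verdict VERSION LIBPATH -> one word combining the two observations
verdict() {
    if [ "$(is_affected "$1")" = yes ]; then
        [ -n "$2" ] && echo AFFECTED_AND_LOADED_BY_SSHD || echo AFFECTED_VERSION_INSTALLED
    else
        echo NOT_AFFECTED_VERSION
    fi
}

# Live check, run only when the file is executed as xz_triage.sh so the
# functions above can also be sourced and exercised on their own.
case "$0" in
*xz_triage.sh)
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    lib=$( [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | liblzma_from_ldd )
    ver=$( xz --version 2>/dev/null | xz_version )
    echo "xz version: ${ver:-unknown}   liblzma loaded by sshd: ${lib:-none}"
    echo "verdict: $(verdict "$ver" "$lib")"
    if [ "$(is_affected "$ver")" = yes ] && command -v dnf >/dev/null 2>&1; then
        # Fedora downgrade path from the advisory id quoted in the article.
        echo "Fedora: sudo dnf upgrade --refresh --advisory=FEDORA-2024-d02c7bb266"
    fi
    ;;
esac
```

Save it as xz_triage.sh and run it with `sh xz_triage.sh`; on a host whose sshd is linked (directly or transitively) against a 5.6.0 or 5.6.1 liblzma it reports AFFECTED_AND_LOADED_BY_SSHD, and on Fedora it prints the advisory-based dnf command for the downgrade described later in the article. Because it keys on the version string, it will not notice a backdoored library that has been renamed or repackaged; a byte-level scan such as the one the article credits to Codenotary is the stronger check.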

Red Hat has issued an urgent security alert for users of Fedora Linux 40 and Fedora Rawhide.

The alert pertains to critical security vulnerabilities identified in these systems and requires immediate attention.

Fedora Linux 40 builds have not been confirmed compromised; however, caution dictates that users should downgrade to the xz-5.4.x builds as a preventive measure.

An update facilitating this reversion has been published and is accessible through the standard update system.

Users can expedite the update process by following the instructions provided at the Fedora update portal: FEDORA-2024-d02c7bb266.

If you are operating a system within the affected distributions, it is imperative to halt usage immediately and downgrade your xz libraries to a secure version.

Users are encouraged to monitor official channels for the latest advisories.
