Red Hat raises alarm of malicious code in Fedora 'xz' library - Act ASAP
Take action: If you are using Fedora 40/41, Debian unstable, Kali or openSUSE, downgrade your xz library to an xz-5.4.x version immediately. For users of Homebrew on Linux/Mac, update and upgrade Homebrew on your computer. This is going to be a potentially difficult effort depending on the number of devices running vulnerable versions of Linux, but it can't and mustn't be avoided.
Red Hat is raising an alarm for users of Fedora Linux, specifically version 40 and the Fedora Rawhide development distribution, about a critical security flaw found in versions 5.6.0 and 5.6.1 of the xz compression tools and libraries.
XZ Utils is a collection of tools and libraries for XZ data compression, similar to gzip and bzip2 but with a higher compression ratio. It includes the xz command-line tool for compressing and decompressing files and the liblzma library, providing a zlib-like API for developers. The liblzma library not only supports XZ data compression but also the legacy LZMA format, making it a versatile tool for software developers and system administrators.
The vulnerability, tracked as CVE-2024-3094 (CVSS score 10), involves malicious code that could potentially grant unauthorized system access. The malicious code, which affects sshd's authentication process via systemd, is crafted to allow an attacker to circumvent sshd authentication and possibly gain remote access to the system.
This vulnerability stems from a supply chain attack, where the malicious code was directly inserted into the xz source code, a method of attack that's particularly challenging to detect and prevent.
The affected distributions include:
- Fedora Linux 41,
- Fedora Rawhide,
- Debian's testing, unstable, and experimental distributions,
- openSUSE Tumbleweed and MicroOS,
- Kali Linux.
Distributions confirmed not to be affected are Red Hat Enterprise Linux (RHEL), Debian stable versions, Amazon Linux, and SUSE Linux Enterprise and Leap.
Fedora Rawhide users are strongly advised to halt any use of the distribution for both personal and work-related activities immediately until a fix is applied. Red Hat's proposed solution involves reverting Fedora Rawhide to the xz-5.4.x version, which is deemed safe. Although there's no confirmation that Fedora Linux 40 builds are compromised, a downgrade to the xz version 5.4 is recommended as a precaution.
An official update to revert xz to version 5.4.x has been issued for Fedora Linux 40 users, available through the standard update mechanisms. Instructions for expedited updates have been provided by Red Hat. The macOS Homebrew package manager also took precautionary measures to downgrade its version of xz in response to the discovery of this backdoor.
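Before and after applying the downgrade, an administrator will want a quick way to confirm which xz release a host is running and whether its sshd actually links liblzma. The following POSIX shell script is an added example, not part of the advisory or of Red Hat's tooling; it assumes `xz --version` prints its usual `xz (XZ Utils) X.Y.Z` first line and falls back to `/usr/sbin/sshd` if `sshd` is not on `PATH`.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-3094 (not from the advisory).
# Flags the two known-bad upstream releases and reports whether sshd
# links liblzma, the library the backdoor lived in.

# Exit 0 if the version string is one of the backdoored upstream releases.
# Assumption: distro packages carry the upstream version in this field;
# a rebuilt/reverted package may need checking against its changelog too.
xz_version_is_backdoored() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Pull "X.Y.Z" out of `xz --version` output, e.g. "xz (XZ Utils) 5.6.1".
parse_xz_version() {
  printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9.]*\).*/\1/p'
}

# Print AFFECTED, SAFE or UNKNOWN for a given `xz --version` output.
classify_xz_version() {
  v=$(parse_xz_version "$1")
  if [ -z "$v" ]; then echo UNKNOWN; return; fi
  if xz_version_is_backdoored "$v"; then echo AFFECTED; else echo SAFE; fi
}

# Exit 0 if the given `ldd` output shows liblzma among sshd's libraries
# (on affected distros it arrives indirectly through libsystemd).
sshd_links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

main() {
  if command -v xz >/dev/null 2>&1; then
    echo "xz: $(classify_xz_version "$(xz --version 2>/dev/null)")"
  else
    echo "xz: not installed"
  fi
  sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)  # assumed fallback path
  if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
    if sshd_links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
      echo "sshd links liblzma: yes (the liblzma version above matters)"
    else
      echo "sshd links liblzma: no"
    fi
  fi
}

# Run the live checks only when invoked as `sh xz_check.sh --run`.
if [ "${1:-}" = "--run" ]; then main; fi
```

A SAFE result only means the upstream version is not 5.6.0/5.6.1; it does not replace verifying that the distribution's reverted package is actually installed.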
All users of the affected xz versions are urged to update their systems or downgrade to a secure version of the xz utilities to mitigate the risk posed by this vulnerability.