Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094) - Help Net Security

(Two stories have been published since this initial release.)

A vulnerability (CVE-2024-3094) in XZ Utils, the XZ format compression utilities included in most Linux distributions, may enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely, Red Hat warns.

The cause of the vulnerability is actually malicious code present in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries, which was accidentally found by Andres Freund, a PostgreSQL developer and software engineer at Microsoft.

"After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored," he shared via the oss-security mailing list.

According to Red Hat, the malicious injection in the vulnerable versions of the libraries is obfuscated and only included in full in the download package.

"The Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present," they added.

"The resulting malicious build interferes with authentication in sshd via systemd."

"The malicious script in the tarballs is obfuscated, as are the files containing the bulk of the exploit, so this is likely no accident."

"Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system. Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the fixes for errors caused by the injected code in v5.6.0," Freund commented.

Luckily, xz 5.6.0 and 5.6.1 have not yet been widely integrated by Linux distributions, and where they have, it is mostly in pre-release versions.

Red Hat says that the vulnerable packages are present in Fedora 41 and Fedora Rawhide, and has urged users of those distros to immediately stop using them.

"If you are using an affected distribution in a business setting, we encourage you to contact your information security team for next steps," they said, and added that no versions of Red Hat Enterprise Linux (RHEL) are affected.

SUSE has released a fix for openSUSE users.

Debian says no stable versions of the distro are affected, but that compromised packages were part of the Debian testing, unstable and experimental distributions, and users of those should update the xz-utils packages.

"The malicious code found in the latest versions of the xz libraries shows just how critical it is to have a vigilant and veteran Linux security team monitoring software supply chain channels," Vincent Danen, VP Product Security at Red Hat, told Help Net Security.

"Red Hat, along with CISA and other Linux distributions, were able to identify, assess and help remediate this potential threat before it posed a significant risk to the broader Linux community."

CISA has advised developers and users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable), and to hunt for any malicious activity and report any positive findings to the agency.

UPDATE (Friday, March 29, 15:06 ET):

Kali Linux announced that this vulnerability affected Kali between March 26th and March 29th, during which time xz-utils 5.6.0-0.2 was available.

"If you updated your Kali installation on or after March 26th, but before March 29th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability," the maintainers said.
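The version check that the downgrade advice above calls for, as an added example that is not part of the original article or of the xz project: it parses the output of `xz --version` (which reports both the xz tool and the liblzma it is linked against) and flags either component if its upstream release is 5.6.0 or 5.6.1, tolerating distro package suffixes such as Kali's 5.6.0-0.2. The function names are this example's own.

```python
"""Added example, not from the Help Net Security article or the xz project:
flag an installed xz/liblzma whose upstream version is one of the two
backdoored releases (5.6.0, 5.6.1) so it can be downgraded, e.g. to 5.4.6."""
import re
import shutil
import subprocess

# Upstream release versions the advisory names as carrying the malicious code.
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

def upstream_version(version_string):
    """Return (major, minor, patch) from the start of a version string.
    Accepts plain upstream versions ("5.6.1") and distro package versions
    with a packaging revision appended ("5.6.0-0.2", "5.4.6-1.fc40"); the
    backdoor is tied to the upstream release, so the revision is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version_string)
    return tuple(int(x) for x in m.groups())

def is_affected(version_string):
    """True if the upstream version is 5.6.0 or 5.6.1."""
    return upstream_version(version_string) in AFFECTED_VERSIONS

def versions_from_xz_output(output):
    """Parse `xz --version` output, which reports the xz tool and the liblzma
    it is linked against ("xz (XZ Utils) 5.6.1" / "liblzma 5.6.1").
    Returns e.g. {"xz": "5.6.1", "liblzma": "5.6.1"}."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"(xz \(XZ Utils\)|liblzma)\s+(\S+)", line)
        if m:
            found["xz" if m.group(1).startswith("xz") else "liblzma"] = m.group(2)
    return found

def affected_components(output):
    """Sorted names of the components in `output` running an affected version."""
    versions = versions_from_xz_output(output)
    return sorted(name for name, ver in versions.items() if is_affected(ver))

def check_local_system():
    """Run `xz --version` on this host (assumes xz is on PATH); report hits."""
    if shutil.which("xz") is None:
        return []
    proc = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=False)
    return affected_components(proc.stdout)

if __name__ == "__main__":
    print("affected xz components:", check_local_system() or "none")
```

A non-empty result means the host should be downgraded to an uncompromised release and checked for suspicious activity, as CISA advises.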