Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Supply Chain Security

Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor

Urgent security alerts issued as malicious code was found embedded in the XZ Utils data compression library used in many Linux distributions.

Linux Vulnerability: CVE-2024-3094

Major Linux distributions have been impacted by a supply chain attack involving backdoored versions of the XZ Utils data compression library.

Microsoft software engineer Andres Freund, who discovered the backdoor, explains that the malicious code was introduced in the tarball download package in XZ Utils version 5.6.0 released in February 2024.

Version 5.6.1 was released shortly after with updated malicious code that included additional obfuscation and fixes for errors occurring in some configurations.

The code was designed to execute at the end of a script and modify the liblzma library, which is part of the XZ Utils package, to provide unauthenticated access to the system. Red Hat tracks the issue as CVE-2024-3094, with a CVSS score of 10/10.

“Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library,” Red Hat explains.

The backdoor interferes with authentication in sshd via systemd, tapping into the service that allows remote access to systems over the SSH protocol, potentially allowing attackers to break sshd authentication and gain access to the system.

“As attackers continue to evolve and vulnerabilities by design are becoming more of a norm, the CVE-2024-3094-xz supply chain attack only raises more red flags to ensure the perimeter is secured,” Dor Dali, Head of Security Research at Cyolo, told SecurityWeek.

“The vulnerability exposed a critical security risk, that ultimately grants attackers the ability to circumvent authentication protocols and access entire systems remotely,” Dali said. “The malicious code found shows how critical it is for organizations to follow best practices, including avoiding the exposure of SSH directly to the internet and implementing additional security measures.”

Advertisement. Scroll to continue reading.

To date, the Linux distributions to have confirmed impact from the attack include Fedora Rawhide and Fedora Linux 40 beta (but not Red Hat Enterprise Linux), openSUSE Tumbleweed and openSUSE MicroOS, Kali Linux, and Arch Linux.

Debian and Ubuntu announced that no stable release included the backdoored packages, and Amazon Linux, Alpine Linux, Gentoo Linux, and Linux Mint are not affected.

Software supply chain company Binarly has released a free backdoor detector called XZ.fail that includes generic IFUNC implantation detection with close to zero false-positives. Binarly’s detection is based on behavioral analysis and can detect any invariants automatically if a similar backdoor is implanted somewhere else.

In addition, other security researchers have released a script that allows users to scan their systems to determine if they are using the malicious library.

A command line tool for compressing/decompressing .xz files, XZ Utils is used not only in various Linux distributions, but also as a dependency for other libraries, and this supply chain attack has wide implications.

“OpenSSH runs on almost 20 million IPs as of today, and is almost 10 times more prevalent than RDP (Remote Desktop Protocol). Had somebody successfully introduced a widely deployed backdoor, it would have been bad later,” security researcher Kevin Beaumont notes.

To hide itself, the backdoor uses a multi-stage loader, as well as a function that allows for updates to be deployed via additional files, so that the original XZ code changes remain intact.

The backdoor was introduced by Jia Tan, who became XZ Utils’ maintainer last year. His GitHub account, JiaT75, had contributed to other compression-related libraries as well.

After reducing the security protections on the project in late 2023 and updating the URL for the project to GitHub pages, Jia Tan modified the library to include the malicious code in early 2024. The threat actor also made a request to become a Linux kernel module maintainer for XZ Embedded.

According to Lasse Collin, the project’s original author, however, Jia Tan only had access to the GitHub repository, but not to the project’s website, Git repositories, and related files. GitHub has suspended both Collin’s and Tan’s accounts.

“It’s important to note that the attackers didn’t need to commit the malicious code to the public repository. Modifying the release tarball hosted on GitHub and used by Linux distros to build packages would have been sufficient. Committing the code was likely done to make the tarball changes appear less suspicious,” Coinspect CEO and founder Juliano Rizzo notes.

Because the malicious code was included in XZ Utils versions 5.6.0 and 5.6.1, reverting the affected packages to use the 5.4.x versions of the library eliminates the backdoor. XZ Utils 5.4.6 is the latest stable, uncompromised iteration.

The US cybersecurity agency CISA advised developers and users to downgrade XZ Utils to a clean version and to check their systems for any malicious activity.

Related: Watch: Supply Chain and Third Party Risk Summit 2024

Related: Malware Hunters Spot Supply Chain Attack Hitting 3CX Desktop App

Related: Researchers Flag ‘Significant Escalation’ in Software Supply Chain Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.