Malicious backdoor, CVSS 10, slipped onto major Linux distributions

Poisoned Easter eggs for all: Apparent supply chain attack caught mercifully early… 

See also our updated story with more details here.

A powerful backdoor with a CVSS rating of 10 made it onto beta releases of major Linux distributions. Red Hat told users on Friday to “please IMMEDIATE STOP USAGE of any Fedora Rawhide instances for work or personal activity” after the code’s behaviour was identified as malicious. 

It has been allocated CVE-2024-3094. The highly sophisticated backdoor was added to the upstream tarballs, or compressed files, of XZ Utils, a data compression tool widely deployed in Linux distributions, in version 5.6.0.

It was only found because it triggered SSH performance issues.

The backdoor was introduced through a commit containing obfuscated malicious code (never present in cleartext, which made it hard to spot) that altered the build process, so that the malicious payload was injected while the liblzma library was being compiled.

The backdoor was spotted by developer Andres Freund before it reached any production release of a major Linux distro, but it did make it onto several beta releases: Fedora 40 and Fedora Rawhide; Debian's testing, unstable and experimental distributions; and a version of Arch Linux. openSUSE Tumbleweed and openSUSE MicroOS were affected between March 7th and March 28th.

Hacker favourite Kali Linux was also exposed, albeit only for three days.

The Kali Linux team said: “The backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized access to the entire system remotely… the severity of this vulnerability poses a threat to the entire Linux ecosystem.”

Anyone who updated their Kali Linux between March 26 and March 29 should urgently apply the latest update that is now available. 

RHEL, Ubuntu, Amazon Linux et al are not affected.

On Thursday of this week, someone using the developer's name also tried to get Ubuntu to incorporate the code into production versions of the popular enterprise distribution, claiming falsely that it fixed a known bug. 

Security researcher The Grugq said on X that if they’d been successful “the end game would be the ability to login to every Fedora, Debian and Ubuntu box on the internet. If it isn’t a state actor it should be…”

Linux backdoor: XZ Utils tarballs poisoned

Users and distribution maintainers were left scrambling to undo recent updates on Friday as news spread that the xz-utils data compression package, in versions 5.6.0 and 5.6.1, was backdoored.

The US’s CISA said it “recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA.”

The malicious changes were submitted by JiaT75, an XZ Utils developer who had contributed significantly to the project for two years. Ars Technica's Dan Goodin wrote: “with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise.”

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” an official with distributor Openwall wrote in a detailed advisory.

The incident has left security researchers and Linux maintainers assessing early commits by JiaT75.

Red Hat wrote: “Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.”
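As an added host-triage example (not from the article, Red Hat, CISA or the XZ Utils project), the POSIX shell script below checks whether the installed xz is one of the two backdoored releases named above and whether the local sshd links liblzma, which is how a modified library would end up inside the authentication path Red Hat describes. It assumes `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line and that `ldd` is available.

```shell
#!/bin/sh
# CVE-2024-3094 host triage (added example; not from the article, Red Hat, CISA or XZ Utils).
# Assumptions: `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line,
# and `ldd` is available to list the shared libraries sshd loads.
# True (exit 0) only for the two releases the advisories name as backdoored.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull "X.Y.Z" out of an `xz --version` banner; prints nothing if it does not match.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# True when an ldd listing shows liblzma among the resolved dependencies.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Check this host: returns 1 if a backdoored xz is installed, 0 otherwise.
triage_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
        if [ -z "$ver" ]; then
            echo "warn: could not parse xz version banner; check manually"
        elif xz_version_affected "$ver"; then
            echo "FLAG: xz $ver is a backdoored release (CVE-2024-3094); downgrade to 5.4.6"
            rc=1
        else
            echo "ok: xz $ver is not 5.6.0 or 5.6.1"
        fi
    else
        echo "info: xz is not installed"
    fi
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "note: $sshd_path links liblzma, so a modified liblzma would load into sshd"
        else
            echo "ok: $sshd_path does not link liblzma"
        fi
    fi
    return "$rc"
}

triage_host
```

A non-zero exit status means a backdoored xz release is installed; the liblzma line is informational, since linking alone does not prove compromise.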

Red Hat’s detailed alert is here. Andres Freund’s analysis is here. More to follow on Saturday.