Critical XZ Utils Backdoor Impacts Most Linux Distros

Roman Janson · Mar 30, 2024

A serious supply chain attack has been discovered affecting the widely used XZ data compression utility on Linux. Red Hat has issued an urgent warning for users to immediately stop using systems running Fedora 41, Fedora Rawhide, and other distros that bundle the compromised XZ 5.6.0 and 5.6.1 versions.

The backdoor, which Red Hat is tracking as CVE-2024-3094 with a critical 10/10 severity rating, allows remote code execution by interfering with the sshd authentication process via systemd. SSH is one of the primary ways to remotely access Linux systems, so the implications of this vulnerability are severe.

How the Backdoor Works

The malicious code was inserted into XZ versions 5.6.0 and 5.6.1 by a developer named Jia Tan, who had committed over 700 changes to the XZ codebase since gaining push access in January 2023. The backdoor is obfuscated and only present in the complete XZ download packages, not the public Git repository.

During the build process, the malicious macro triggers injection of second-stage artifacts that interfere with sshd authentication handoff to systemd. Red Hat warns “Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”

Not Just Fedora Affected

While Red Hat’s initial warning was for Fedora users, the backdoored XZ versions appear to have made their way into other major Linux distributions as well. Debian has confirmed the compromised packages were included in their unstable, testing, and experimental branches and has reverted to the upstream 5.4.5 release.

Other distros like Ubuntu may also be impacted depending on which XZ version they bundle. Linux admins and users should immediately check their installed XZ version by running ‘xz -V’ in a terminal. Versions 5.6.0 and 5.6.1 are compromised and need to be downgraded urgently.
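As an added example (not part of the original article), the following POSIX shell snippet automates the check described above: it parses the first line of `xz -V` output, flags the 5.6.0 and 5.6.1 releases named in the article, and optionally reports whether the local sshd binary transitively links liblzma via `ldd`, since the backdoor is only reachable through that path. The helper names, the `/usr/sbin/sshd` fallback path and the sample output strings are my assumptions, not something the article specifies.

```shell
#!/bin/sh
# Added example: detect the backdoored XZ Utils releases on a host.
# Helper names and sample strings are constructed for illustration.

# Releases the article identifies as carrying the CVE-2024-3094 backdoor.
COMPROMISED_XZ_VERSIONS="5.6.0 5.6.1"

# xz_version_from_output: extract the version number from `xz -V` text.
# The first line looks like "xz (XZ Utils) 5.6.1"; the version is its last field.
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# is_compromised_xz_version: succeed (exit 0) when the version is 5.6.0 or 5.6.1.
is_compromised_xz_version() {
    v="$1"
    for bad in $COMPROMISED_XZ_VERSIONS; do
        [ "$v" = "$bad" ] && return 0
    done
    return 1
}

# check_installed_xz: run `xz -V` on this host and print a verdict.
# Returns 1 for a backdoored release, 0 for any other, 2 if xz is missing.
check_installed_xz() {
    out="$(xz -V 2>/dev/null)" || { echo "xz not found on PATH"; return 2; }
    v="$(xz_version_from_output "$out")"
    if is_compromised_xz_version "$v"; then
        echo "xz $v is a backdoored release (CVE-2024-3094): downgrade now"
        return 1
    fi
    echo "xz $v is not one of the backdoored releases"
    return 0
}

# sshd_loads_liblzma: succeed when the sshd binary transitively links liblzma,
# which is the path through which the backdoor reaches authentication.
# Assumption: ldd is available and sshd is on PATH or at /usr/sbin/sshd.
sshd_loads_liblzma() {
    sshd_path="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
    [ -x "$sshd_path" ] || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

# Usage on a live host:
#   check_installed_xz
#   sshd_loads_liblzma && echo "sshd can reach liblzma; version check matters here"
```

A version match alone does not prove exploitation: a host running 5.6.x whose sshd does not pull in liblzma still needs the downgrade, but the second check helps prioritise which machines to hunt on first.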

Implications and Remediation

The fact that the backdoor was added by a long-time trusted contributor with deep XZ codebase knowledge is very concerning. As noted in the Debian advisory, simply reverting to 5.4.5 may not be sufficient because Tan’s hundreds of prior commits could theoretically contain other stealthy backdoors or vulnerabilities.

The advisory recommends distros revert all the way back to XZ 5.3.1, the latest version before Tan’s involvement began in 2022. This is a major undertaking, as it throws away over a year of community development work that would need comprehensive review and re-integration of security fixes.

Another option would be an extremely thorough line-by-line audit of Tan’s contributions to identify and revert any malicious changes, while preserving legitimate code updates and enhancements. Either path forward will be enormously time- and resource-intensive for XZ maintainers and downstream Linux vendors.

In the interim, CISA has advised all XZ users to expedite downgrading to an uncompromised version like 5.4.6 and perform thorough system monitoring and hunting for signs of malicious activity or unauthorized access.

Bottom Line

This is yet another sobering example of how supply chain attacks against core open source components can open the door to catastrophic compromises across the software ecosystem. The XZ backdoor reveals how letting your guard down even briefly with a single bad actor can completely undermine the security of what was intended to be a trusted and hardened codebase.

Linux distros, companies, and individual users must remain hyper-vigilant about meticulously vetting every line of code and every single contributor - no matter their reputation or tenure with the project. The alternatives of widespread systemic compromise or impossibly difficult remediation efforts are unacceptable risks we cannot afford to take.

Written by Roman Janson
Senior News Editor at