
March 30, 2024

Critical Security Flaw Alert for Fedora Linux 40/41 and Rawhide Users by Red Hat

Red Hat has issued an urgent security alert today for Fedora Linux 40, Fedora Linux 41, and Fedora Rawhide users about malicious code (a backdoor, tracked as CVE-2024-3094) in the XZ Utils 5.6.0 and 5.6.1 packages that could allow unauthorized remote access via SSH.

The upstream tarballs of XZ Utils 5.6.0 and 5.6.1, as distributed via GitHub and the project's official website, included an extra .m4 file (a modified m4/build-to-host.m4) carrying build instructions that do not exist in the project's git repository. That tarball-only macro is what injects the malicious code into the build; building from a clean git checkout does not include it.

During compilation of the liblzma library, the injected macro extracts a prebuilt object file from one of the test archives (a file disguised as a corrupt test input under tests/) and uses it to replace specific functions in liblzma. On distributions such as Fedora and Debian, sshd is patched to link libsystemd for service notification, and libsystemd in turn pulls in liblzma, so the backdoored library ends up loaded into the SSH daemon, where a malicious actor could use it to gain remote access to the vulnerable system.
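The tarball-only macro described above is exactly the kind of discrepancy that a diff between a release tarball and the tagged source tree surfaces. The following shell function is an added example, not code from the XZ project or from the advisory: it lists tarball members that have no counterpart in a checked-out tree, and is exercised on a constructed sample tree and tarball. The function and sample file names are this example's own.

```shell
#!/bin/sh
# Added example (not the XZ project's code): list files that a release tarball
# carries but a source tree does not. Names here are this example's own.

# Print the members of TARBALL (leading "pkg-x.y/" directory stripped) that have
# no counterpart in TREE. Directory entries are skipped; regular files only.
tarball_extra_files() {
    tarball="$1"; tree="$2"
    tar -tzf "$tarball" | while IFS= read -r member; do
        case "$member" in */) continue ;; esac   # skip directory entries
        rel="${member#*/}"                        # drop the top-level directory
        [ -e "$tree/$rel" ] || printf '%s\n' "$rel"
    done
}

# Constructed sample: a fake source tree, and a release tarball built from a
# copy of it that has one extra macro file the tree never contained.
SAMPLE_ROOT="$(mktemp -d)"
SAMPLE_TREE="$SAMPLE_ROOT/tree"
mkdir -p "$SAMPLE_TREE/src" "$SAMPLE_TREE/m4"
echo 'int main(void) { return 0; }' > "$SAMPLE_TREE/src/main.c"
echo 'dnl legitimate macro checked into git' > "$SAMPLE_TREE/m4/ax_foo.m4"

STAGE="$SAMPLE_ROOT/pkg-1.0"
cp -r "$SAMPLE_TREE" "$STAGE"
echo 'dnl only present in the tarball' > "$STAGE/m4/extra.m4"
SAMPLE_TARBALL="$SAMPLE_ROOT/pkg-1.0.tar.gz"
tar -czf "$SAMPLE_TARBALL" -C "$SAMPLE_ROOT" pkg-1.0

# Prints: m4/extra.m4
tarball_extra_files "$SAMPLE_TARBALL" "$SAMPLE_TREE"
```

For an autotools project the list will legitimately include generated files such as configure, Makefile.in and the libtool macros, so the useful baseline is the tagged tree after running autoreconf on it; whatever remains, especially under m4/, deserves a read before the tarball is trusted.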

“The resulting malicious build interferes with authentication in sshd via systemd,” reads the security advisory. “Under the right circumstances, this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”

Red Hat warns users of Fedora Linux 40 beta, Fedora Linux 41 (pre-alpha), and Fedora Rawhide to stop using those systems for work or personal activity. Fedora Linux 41 and Fedora Rawhide systems already include the affected XZ packages, and it also appears that the packages were pushed to Fedora Linux 40 beta users earlier today.

For Fedora Linux 40 beta users, there is an update that reverts the XZ package to version 5.4.x, and it should reach users through the normal update system. To force the update, run the command below in a terminal, or follow the instructions on the update's Bodhi page.

sudo dnf upgrade --refresh --advisory=FEDORA-2024-d02c7bb266

While Fedora users may be affected, Red Hat states that this issue does not affect any Red Hat Enterprise Linux release. Other GNU/Linux distributions that ship XZ Utils 5.6.0 or 5.6.1 are affected as well, but none of the known stable distributions include these newer XZ Utils versions; only rolling and testing releases picked them up.

The good news for Fedora Linux 40 beta users is that the live ISO images ship XZ 5.4.6, which is not affected by this issue. However, while the XZ 5.6.0 update was still being offered through the update system, a general update would have installed it automatically, so users still on XZ 5.4.6 were advised not to update until the reverting update landed.

If you have XZ 5.6.0 installed (verify with rpm -q xz xz-libs, or xz --version), the command above now works on Fedora Linux 40 beta systems and downgrades the packages to version 5.4.6, removing version 5.6.0 from your system. As of writing, XZ 5.6.0 is no longer being offered as an update to Fedora Linux 40 beta users.

Note that the malicious build step only triggers on 64-bit (x86_64) Linux builds (and, per the published analysis, only when building with gcc and the GNU linker), so 32-bit and non-x86 installs get a clean liblzma even from the affected tarball. For the backdoor to be reachable, an attacker must be able to connect to your SSH daemon (sshd), which in practice means sshd is exposed to the internet or another untrusted network.

Andres Freund, who discovered the backdoor, provides a thorough explanation of how it affects a system; his analysis was done on Debian Sid (Unstable). Red Hat also states that openSUSE distributions are affected, and SUSE has published a downgrade procedure for users who installed the affected XZ package.

Kali Linux was affected between March 26th and March 29th. Offensive Security advises Kali Linux users who updated their installations on or after March 26th to update again immediately and apply the latest patches.

Vegard Nossum has created a script that checks whether your system's sshd binary is linked against a backdoored liblzma. It is attached to the oss-security post (as detect_sh.bin); run it with the sh detect_sh.bin command in a terminal window.

The openSUSE Project has also issued a statement on the XZ compression library backdoor and how it is handled in openSUSE Tumbleweed and openSUSE MicroOS. According to the statement, Tumbleweed and MicroOS shipped the compromised XZ 5.6.1 package from March 7th until March 28th, when the project rolled back to XZ 5.4.

Richard W.M. Jones, a programmer working at Red Hat, states that the author of the backdoor had been part of the XZ Utils project for two years, "adding all sorts of binary test files", and that he had been in communication with the author over several weeks about getting XZ 5.6.x added to Fedora Linux 40 and Fedora Linux 41 because it contains "great new features".

Arch Linux developers also issued a security advisory stating that "the malicious code path does not exist in the arch version of sshd, as it does not link to liblzma." Arch Linux users are nevertheless advised to update to xz 5.6.1-2, which removes the malicious code from their systems, since "it could be triggered from other, unidentified vectors."

The information in this article is accurate as of 5:40 pm ET on March 29th, 2024. I'll update this post if the situation changes.
