Red Hat Warns Fedora Linux 40/41 and Rawhide Users About Critical Security Flaw

A backdoor was discovered in the upstream xz/liblzma package leading to SSH server compromise and other GNU/Linux distributions are affected as well.

Red Hat has issued an urgent security alert today for Fedora Linux 40, Fedora Linux 41, and Fedora Rawhide users about a security flaw (CVE-2024-3094) in the XZ Utils 5.6.0 and 5.6.1 packages that could allow unauthorized remote access via SSH.

It would appear that the upstream release tarballs of XZ Utils 5.6.0 and 5.6.1, distributed via GitHub and the project’s official website, included an extra autoconf macro file (an .m4 file, build-to-host.m4) that is not present in the project’s git repository. When ./configure runs from the tarball, that macro injects additional steps into the build of liblzma; building from a git checkout does not trigger them.

During the compilation of the liblzma library, those injected steps extract a prebuilt object file from one of the binary test archives shipped in the tarball and link it in, modifying specific functions in XZ Utils’ code. On Fedora and other distributions that patch sshd to link libsystemd (which in turn pulls in liblzma), the malicious library ends up loaded into the SSH daemon, where it could be used by a malicious actor to gain remote access to the vulnerable system.
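The discrepancy described above, a release tarball carrying build logic that the repository never had, is something a packager can check for mechanically. The following shell script is an added example (not code from the article, Red Hat, or the xz project): it lists files that exist in an unpacked tarball but not in a git checkout of the same tag, and separately flags hand-maintained build files among them. The directory layout and file contents in make_fixture are a constructed stand-in, not the real xz tree.

```shell
#!/bin/sh
# Added example: compare an unpacked release tarball against a git checkout of
# the same tag and report files only the tarball carries. The xz incident hinged
# on exactly this kind of difference: an .m4 macro file present in the tarball
# and absent from the repository. Directory names are assumptions; point the
# functions at a real unpacked tarball and a real checkout.

# List regular files under $1 as sorted relative paths, skipping any .git directory.
list_files() {
    ( cd "$1" && find . -type f ! -path './.git/*' | LC_ALL=C sort )
}

# Print files present in the tarball directory ($1) but absent from the repo directory ($2).
extra_files_in_tarball() {
    tmp=${TMPDIR:-/tmp}/tarball-audit.$$
    list_files "$1" > "$tmp.tar"
    list_files "$2" > "$tmp.git"
    LC_ALL=C comm -23 "$tmp.tar" "$tmp.git"
    rm -f "$tmp.tar" "$tmp.git"
}

# Same list restricted to hand-maintained build logic. Generated files such as
# ./configure or Makefile.in are expected in a tarball; extra autoconf macro
# files, Makefile.am or configure.ac entries are not, and deserve a manual read.
suspicious_extra_files() {
    extra_files_in_tarball "$1" "$2" | grep -E '\.m4$|/Makefile\.am$|/configure\.ac$' || true
}

# Constructed fixture standing in for a checkout and a tarball. File names mirror
# an autotools layout; contents are placeholders. Prints the base directory.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/xz-git/m4" "$base/xz-git/src" "$base/xz-git/.git"
    printf 'AC_INIT\n' > "$base/xz-git/configure.ac"
    printf 'dnl project macro\n' > "$base/xz-git/m4/tuklib_common.m4"
    printf '/* source */\n' > "$base/xz-git/src/liblzma.c"
    printf 'ref: refs/heads/master\n' > "$base/xz-git/.git/HEAD"
    cp -R "$base/xz-git" "$base/xz-tarball"
    rm -rf "$base/xz-tarball/.git"
    # Generated by autoreconf: expected to exist only in the tarball.
    printf '#!/bin/sh\n' > "$base/xz-tarball/configure"
    # Macro file that the repository does not track: this is the suspicious case.
    printf 'dnl modified macro\n' > "$base/xz-tarball/m4/build-to-host.m4"
    printf '%s\n' "$base"
}

base=$(make_fixture)
echo "Files only in the tarball:"
extra_files_in_tarball "$base/xz-tarball" "$base/xz-git"
echo "Hand-maintained build logic only in the tarball:"
suspicious_extra_files "$base/xz-tarball" "$base/xz-git"
rm -rf "$base"
```

Files that appear in both trees but differ (the second thing to look at) are a plain `diff -r` of the two directories away; the script above only answers the narrower question of what the tarball adds.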

“The resulting malicious build interferes with authentication in sshd via systemd,” reads the security advisory. “Under the right circumstances, this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”

Red Hat warns users of Fedora Linux 40 beta, Fedora Linux 41 (pre-alpha), and Fedora Rawhide to stop using their systems for business or personal use. Fedora Linux 41 and Fedora Rawhide already include the affected XZ packages, and it also looks like the packages were pushed to Fedora Linux 40 beta users earlier today.

For Fedora Linux 40 beta users, there’s an update that reverts the XZ package to version 5.4.x and it should become available to users through the normal update system. To force the update, you should run the command below in a terminal emulator or follow the instructions from here.

sudo dnf upgrade --refresh --advisory=FEDORA-2024-d02c7bb266

While Fedora users may be affected, Red Hat says that this security flaw doesn’t affect any of the Red Hat Enterprise Linux releases. Other GNU/Linux distributions that ship XZ Utils 5.6.0 or 5.6.1 should be assumed affected as well, but at the time of writing no stable release of a major distribution included these newer XZ Utils versions.

The good news for Fedora Linux 40 beta users is that the live ISO images come with XZ 5.4.6, which is not affected by this issue. However, the bad news is that the newer XZ 5.6.0 update will be installed automatically if you update your installation, so please do NOT update your installations if you have XZ 5.4.6.

If you have XZ 5.6.0 installed (check with sudo dnf list --installed xz), the command above now works for Fedora Linux 40 beta systems and will downgrade the package to version 5.4.6, deleting version 5.6.0 from your system. At the moment of writing, XZ 5.6.0 is no longer offered as an update to Fedora Linux 40 beta users.

I should also note that the backdoor only activates in 64-bit (x86_64) builds, so other architectures get a clean liblzma even from the tampered tarballs. Moreover, the malicious code only reaches the SSH daemon when sshd loads liblzma (on Fedora through libsystemd; a distribution whose sshd does not link liblzma is not exposed through this path), and sshd needs to be reachable by the attacker, in practice meaning exposed to the Internet, for this exploit to work.

Andres Freund explains in detail here how this vulnerability affects your system, which he tested on Debian Sid (Unstable). Red Hat also said that users of openSUSE distributions are affected as well and that SUSE already published a downgrade procedure here for those who installed the vulnerable XZ package.

Kali Linux users have been affected by this vulnerability between March 26th and March 29th. Offensive Security now also warns Kali Linux users to update their installation as soon as possible to apply the latest patches if they’ve updated their systems on or after March 26th.

There’s now a script created by Vegard Nossum that checks your system to see if the ssh binary is vulnerable or not. You can download it from here and run it with the sh detect_sh.bin command in a terminal window.
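For readers who want to see what such a check has to establish, here is an added example of my own (not Vegard Nossum’s script and not code from the article): it tests the two conditions this article describes, an installed liblzma of version 5.6.0 or 5.6.1 and an sshd binary that maps liblzma, and gives a verdict. It does not inspect liblzma for the injected code itself, so it confirms exposure, not the presence of the backdoor. The sshd paths it probes and the sample outputs it parses are assumptions.

```shell
#!/bin/sh
# Added example: check the two conditions the advisory describes for CVE-2024-3094.
#   1. the installed liblzma is one of the backdoored releases (5.6.0 or 5.6.1), and
#   2. the sshd binary maps liblzma (on Fedora via libsystemd), which is how the
#      malicious build reaches sshd authentication.
# A host can still carry a backdoored liblzma without condition 2; downgrade regardless.

# Return 0 when the version string is a known backdoored release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract "X.Y.Z" from the "liblzma X.Y.Z" line of `xz --version` output.
# The library line is the one that matters: sshd loads liblzma, not the xz binary.
liblzma_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^liblzma[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when ldd output lists liblzma among a binary's shared objects.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Locate sshd even when /usr/sbin is not on the caller's PATH (assumed locations).
find_sshd() {
    command -v sshd 2>/dev/null && return 0
    for p in /usr/sbin/sshd /usr/local/sbin/sshd; do
        [ -x "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Inspect this host. Exit status 2 when both conditions hold, 0 otherwise.
check_host() {
    ver=""
    if command -v xz >/dev/null 2>&1; then
        ver=$(liblzma_version_from_banner "$(xz --version 2>/dev/null)")
    fi
    echo "liblzma version: ${ver:-unknown (xz not found)}"

    linked=no
    if sshd=$(find_sshd) && command -v ldd >/dev/null 2>&1; then
        if links_liblzma "$(ldd "$sshd" 2>/dev/null)"; then linked=yes; fi
    fi
    echo "sshd links liblzma: $linked"

    if [ -n "$ver" ] && xz_version_affected "$ver" && [ "$linked" = yes ]; then
        echo "VERDICT: affected; downgrade xz now and treat the host as compromised"
        return 2
    fi
    if [ -n "$ver" ] && xz_version_affected "$ver"; then
        echo "VERDICT: backdoored liblzma installed but sshd does not load it; downgrade anyway"
        return 0
    fi
    echo "VERDICT: not affected through the described path"
    return 0
}

check_host
```

On Fedora the version half of this is the same information as the article’s sudo dnf list --installed xz; the ldd half is what distinguishes a Fedora or Debian sshd from one such as Arch’s that never loads liblzma.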

Now, the openSUSE Project issued a statement regarding the vulnerability found in the XZ compression library and how it is addressed in the openSUSE Tumbleweed and openSUSE MicroOS distributions. According to the statement, Tumbleweed and MicroOS users had the compromised XZ 5.6.1 package installed in their systems from March 7th until March 28th when the openSUSE Project did a rollback to XZ 5.4.

Richard W.M. Jones, a computer programmer working at Red Hat, states that the author of the backdoor had been part of the XZ Utils project for 2 years, “adding all sorts of binary test files”, and that Jones himself had been in communication with that author over several weeks, who was pushing to get XZ 5.6.x added to Fedora Linux 40 and Fedora Linux 41 because it contains “great new features”.

Arch Linux devs also issued a security advisory stating that “the malicious code path does not exist in the arch version of sshd, as it does not link to liblzma.” Arch Linux users are nevertheless advised to update to xz 5.6.1-2, which removes the vulnerable code from their systems, as “it could be triggered from other, unidentified vectors.”

Update 30/03/2024: GitHub has disabled the repository of the XZ Utils project with the following statement: “Access to this repository has been disabled by GitHub Staff due to a violation of GitHub’s terms of service. If you are the owner of the repository, you may reach out to GitHub Support for more information.”

In addition, the project’s homepage (xz.tukaani.org) was disabled too since it was also hosted by GitHub. One of the developers, Lasse Collin, also issued a statement saying that Jia Tan created and signed the malicious tarballs for XZ Utils.

As of 9:00 am ET on March 30th, 2024, the information presented in this article is accurate. I’ll update this blog post if there will be updates to this situation.
