Red Hat has published an urgent security alert today for Fedora Linux 40, Fedora Linux 41, and Fedora Rawhide users about a security flaw (CVE-2024-3094) in the XZ Utils 5.6.0 and 5.6.1 packages that enables unauthorized remote access via SSH.
Apparently, the upstream tarballs of the XZ Utils 5.6.0 package, distributed via GitHub or the project’s official website, included extra .m4 files that contained instructions for building the software with a version of GNU Automake that did not exist in the repository.
During the liblzma library’s compilation, a prebuilt object file pulled out from one of the test archives is used to modify particular functions in XZ Utils’ code. Given the liblzma library’s use by software like sshd, it can potentially be exploited by a malicious entity to achieve remote access to the vulnerable system.
Red Hat is advising Fedora Linux 40 beta, Fedora Linux 41 (pre-alpha), and Fedora Rawhide users to discontinue using their systems for business or personal use until resolved. Fedora Linux 41 and Fedora Rawhide systems are currently containing the affected XZ packages, and it also appears these were delivered to Fedora Linux 40 beta users earlier today.
Fedora Linux 40 beta users are ought to be informed, an update has been made available which reverts the XZ package to version 5.4.x. This will be provided to users through the conventional update system. For those who wish to expedite the process, the following command can be run in a terminal emulator, or guidance can be sought from here.
While Fedora users might be impacted, Red Hat has clarified that this security flaw doesn’t impact any of the Red Hat Enterprise Linux releases. Other GNU/Linux distributions packaged with XZ Utils 5.6.0 or later versions are also expected to be affected. However, no recognised stable distros encompass these newer XZ Utils versions.
On the brighter note for Fedora Linux 40 beta users, the live ISO images comprise of XZ 5.4.6, which is not affected by the current predicament. Conversely, the not-so-good news is that the more recent XZ 5.6.0 update will be installed automatically when you update your installation. Therefore, please refrain from updating your installations if they currently have XZ 5.4.6.
For those who have XZ 5.6.0 installed (this can be confirmed with sudo dnf install xz), the command as mentioned earlier will now work for Fedora Linux 40 beta systems. This will downgrade the package to version 5.4.6, while eradicating version 5.6.0 from your system. Presently, XZ 5.6.0 is no longer offered as an update to Fedora Linux 40 beta users.
Only 64-bit (x86_64) systems are affected by this vulnerability. Plus, this exploit only works if your SSH daemon (sshd) is reachable from the Internet.
Andres Freund provides comprehensive information on how this vulnerability impacts your system in his detailed analysis. He conducted his tests on Debian Sid (Unstable). Furthermore, Red Hat confirmed that openSUSE distribution users are also vulnerable. SUSE has already released a downgrade procedure, which you can access here if you’ve installed the susceptible XZ package.
From March 26th to March 29th, this vulnerability affected Kali Linux users. Offensive Security cautions users to update their Kali Linux installations as soon as possible if they updated their systems on or after March 26th to apply the most recent patches.
Vegard Nossum has formulated a script to ascertain whether your system’s ssh binary is vulnerable. You can download the script and initiate it in a terminal window with the sh detect_sh.bin command.
The openSUSE Project has made a statement relating to the discovered vulnerability in the XZ compression library. The vulnerability affected the openSUSE Tumbleweed and openSUSE MicroOS distributions. From March 7th to March 28th, these users had the compromised XZ 5.6.1 package in their systems, but the issue was addressed by the openSUSE Project rolling back to XZ 5.4.
Richard W.M. Jones, a computer programmer at Red Hat, comments that the individual responsible for the backdoor has been involved in the XZ Utils project for two years. During this period, he added various binary test files and communicated with Jones for several weeks about adding XZ 5.6.x (with its new and exciting features) to Fedora Linux 40 and Fedora Linux 41.
Arch Linux developers also released a security advisory stating that their version of sshd does not contain the malicious code path since it doesn’t link to liblzma. They advise users to update to xz 5.6.1-2 to avoid any vulnerable code in their systems that could potentially be activated from unidentified vectors.
ColoCrossing excels in providing enterprise Colocation Services, Dedicated Servers, VPS, and a variety of Managed Solutions, operating from 8 data center locations nationwide. We cater to the diverse needs of businesses of any size, offering tailored solutions for your unique requirements. With our unwavering commitment to reliability, security, and performance, we ensure a seamless hosting experience.
For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@colocrossing.com.
