Critical security vulnerability: Backdoor in XZ for Linux
BSI warns with level 3 / orange:
The open source provider Red Hat announced on March 29, 2024 that malicious code has been discovered in versions 5.6.0 and 5.6.1 of the "xz" tools and libraries, which makes it possible to bypass authentication in sshd via systemd. The vulnerability has been published as CVE-2024-3094.
Recommendation and measures:
IT security managers should stop using Fedora 41 and Fedora Rawhide immediately. xz itself should be reverted to an older, stable version such as 5.4.6. SUSE has published a downgrade procedure. Users of other distributions are also advised not to upgrade to xz versions 5.6.x, or to revert to the unaffected versions.
ALERT: Backdoor in xz library compromises SSH connections
The attack was apparently planned long in advance. A possible state actor hid a backdoor in the liblzma library.
The security community is alarmed: As a developer discovered rather by chance - he was researching the cause of mysterious performance problems with SSH connections - there is a backdoor in the liblzma library. Although the major Linux distributions gave the all-clear for their stable versions, the backdoor was still present in various Linux versions, unstable versions and in the Homebrew tool collection for macOS. However, it is not necessarily exploitable there.
The "liblzma" library is certainly not one of the best-known libraries for open operating systems - it is used to process compressed files in xz format. Nevertheless, it is an inseparable part of every Linux distribution based on systemd, since the system service itself uses the library. Various package formats such as .deb and Fedora RPMs also use the xz packer to compress package data.
As the discoverer Andres Freund found out, the backdoor is only present in the source code packages (release tarballs) for various liblzma versions, not in the project's Git repository. What exactly the backdoor does and whether it is already being actively exploited by attackers is still unclear at the moment. However, the author is known: a developer named "Jia Tan", who was a very active contributor to the liblzma project along with several other - possibly fake - developer accounts.
The alleged conspirators exerted strong pressure on the main developer of liblzma in June 2022 to leave the project in "more active hands", which then happened. In February of this year, Jia Tan then hid the well-disguised backdoor, which presumably weakens or disables the authentication function of OpenSSH. The backdoor only activates when it detects the program name "/usr/sbin/sshd". At the moment there is no complete analysis of the backdoor code, but the editorial team is following the analysis. There is an FAQ about the xz backdoor on GitHub. There is also already a CVE ID for the backdoor: CVE-2024-3094.
The major Linux distributions Debian, Ubuntu and Fedora have only delivered the malicious code in their test versions, such as Debian Sid, and have reverted to secure versions. To be on the safe side, Fedora is also calling on users of version 40 to update. The macOS package manager Homebrew, however, also used the Trojanized version of the xz tools in various applications - the developers have also rolled back to a secure version here.
Kali, Arch and others affected
The pentesting distribution Kali Linux and Arch Linux are also warning users about backdoors in current versions of their distributions and urging them to update quickly. Other distributions are taking a similar approach, such as Gentoo, which recommends downgrading to an unaffected package version. Other distributions are likely to follow - administrators will have to keep an eye on developments in their favorite Linux flavor over the Easter weekend. Presumably, the backdoor was not exploitable or even active in many of these cases, because various circumstances have to come together for this to happen. Nevertheless, users are well advised to install available updates as soon as possible, especially because the functionality of the backdoor is not yet fully understood. The discoverer of the backdoor has written a bash script to find a potentially vulnerable liblzma version on one's own system. Although it does not offer complete certainty, it does provide a first clue.
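As an added example (not the discoverer's script the article refers to, and not part of the original report), a defender's first-pass host check for the two conditions named above: an installed liblzma from the affected 5.6.0/5.6.1 releases, and an sshd that loads liblzma at all. It assumes `xz --version` prints "xz (XZ Utils) <version>" on its first line and "liblzma <version>" on its second, and that `ldd` is available; the `--check` flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the script mentioned in the article): a first-pass check
# for the CVE-2024-3094 preconditions on the local host. Assumes the
# `xz --version` output format described in the lead-in and an `ldd` tool.

# Return 0 (true) if the given version string is one of the two known-bad
# releases named in the advisory, 5.6.0 and 5.6.1.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print the liblzma version.
# Falls back to the xz tool version when no "liblzma" line is present.
parse_liblzma_version() {
    awk '/^liblzma/ {print $2; found=1; exit}
         /^xz \(XZ Utils\)/ && !ver {ver=$4}
         END {if (!found) print ver}'
}

# Return 0 if the binary at $1 dynamically loads liblzma (directly or via
# libsystemd), which is what lets the backdoor reach sshd at all.
binary_links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Combine both checks; exit status 1 means an affected release is installed.
check_host() {
    ver=$(xz --version 2>/dev/null | parse_liblzma_version)
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    status=0
    if xz_version_affected "$ver"; then
        echo "liblzma $ver is an affected release (CVE-2024-3094): downgrade to 5.4.6 or a distribution-patched build"
        status=1
    else
        echo "liblzma version '${ver:-unknown}' is not one of the known-bad releases"
    fi
    if [ -x "$sshd_path" ] && binary_links_liblzma "$sshd_path"; then
        echo "$sshd_path loads liblzma (typically via libsystemd): backdoor precondition present"
    else
        echo "sshd does not appear to load liblzma"
    fi
    return $status
}

# Run the combined check only when invoked as `sh xz_check.sh --check`.
[ "${1:-}" = "--check" ] && check_host
```

A version match alone is not proof of compromise (distributions shipped patched 5.6.x builds), and a clean result does not rule out a tampered binary; treat the output as the same kind of first clue the article describes.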
Meanwhile, the security scene remains on alert. The fact that an unknown person can take control of an open source project with the help of possibly fake accomplices and inject malicious code highlights the precarious situation of many projects, especially smaller ones. It is not unusual for a single project participant to be responsible for the entire program code, and to do so on a voluntary basis, but it is a potentially harmful situation.
(Editor's note: The situation surrounding the liblzma vulnerability is developing very quickly and is currently very confusing. We will update this report over the next few hours to include a second report should there be any further developments).
Found on https://www.heise.de/news/Hintertuer-in-xz-Bibliothek-gefaehrdet-SSH-Verbindungen-9671317.html