Dive Brief:
- Red Hat disclosed the discovery of malicious code in the latest versions of XZ Utils that could be exploited by threat actors to gain unauthorized access, the open source software vendor said in a Friday blog post. The data compression software utility is used in most Linux distributions.
- Fedora Linux 40 beta contains the two affected versions of the xz libraries, builds 5.6.0 and 5.6.1, Red Hat said in a Saturday update. There is no evidence of active exploitation, but users should downgrade to a 5.4 build of the software to mitigate potential compromises, the company said.
- The Cybersecurity and Infrastructure Security Agency on Friday urged users and developers to downgrade to an uncompromised version, search for any malicious activity and report findings back to the agency. The critical vulnerability is listed as CVE-2024-3094, with a CVSS score of 10.
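One way to carry out the version check the advisories call for, written here as an added example (not Red Hat's or CISA's tooling): it parses the output of `xz --version`, flags the 5.6.0 and 5.6.1 builds named above, and reports whether the local sshd binary links liblzma; the sample outputs embedded in the block are constructed for illustration.

```python
"""Check a host for the XZ Utils versions affected by CVE-2024-3094.
Added example, not vendor tooling. Assumes `xz` and `ldd` are on PATH
when run against the local system."""
import re
import shutil
import subprocess

AFFECTED = {"5.6.0", "5.6.1"}  # versions named in the Red Hat advisory

# Constructed sample outputs, used for offline testing of the parsers.
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD = (
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)\n"
)


def parse_xz_version(output: str) -> dict:
    """Parse the two lines `xz --version` prints: the xz tool version
    and the liblzma library version, e.g. 'xz (XZ Utils) 5.6.1'."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"(xz|liblzma)\b.*?(\d+\.\d+\.\d+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def affected_components(versions: dict) -> list:
    """Return the component names whose version is 5.6.0 or 5.6.1."""
    return sorted(name for name, ver in versions.items() if ver in AFFECTED)


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if `ldd` on the sshd binary lists liblzma, i.e. the library
    would be loaded into the OpenSSH daemon (on many distros via libsystemd)."""
    return any("liblzma" in line for line in ldd_output.splitlines())


def check_host() -> dict:
    """Run both checks against the local system."""
    result = {"xz_versions": {}, "affected": [], "sshd_links_liblzma": None}
    if shutil.which("xz"):
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        result["xz_versions"] = parse_xz_version(out)
        result["affected"] = affected_components(result["xz_versions"])
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    if shutil.which("ldd"):
        out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
        result["sshd_links_liblzma"] = sshd_links_liblzma(out)
    return result


if __name__ == "__main__":
    print(check_host())
```

A host where `affected` is non-empty and `sshd_links_liblzma` is true is the case the advisories describe; downgrade to a 5.4 build and review authentication logs.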
Dive Insight:
Security researchers say the effort to install a malicious backdoor could have resulted in severe impacts on the open source ecosystem and the larger security community.
Andres Freund, a principal software engineer at Microsoft, originally discovered the threat by happenstance and disclosed his findings. Freund, in a post on Mastodon, said he noticed sshd processes were using large amounts of CPU despite failing because of the wrong usernames.
Red Hat said the malicious build was designed to interfere with authentication in the OpenSSH server process sshd via systemd.
“Linux is extremely popular and widely used by companies across the globe,” Jagat Parekh, group director of software engineering at Synopsys Software Integrity Group, said via email. “The impact of this stealth backdoor issue could be widespread if companies don’t patch immediately.”
Red Hat released additional information following initial reports of elevated concerns. Analysts say a major crisis appears to have been averted, but precautions are encouraged due to the severity of the threat.