Red Hat, a leading provider of open-source solutions, has released an urgent security alert regarding a backdoor compromise in two versions of the XZ Utils data compression library. The security vulnerability, identified as CVE-2024-3094, has been flagged with a maximum severity CVSS score of 10.0, indicating a critical threat level.
The malicious code present in XZ Utils versions 5.6.0 and 5.6.1 allows unauthorized remote access, posing significant risks to system security. One of the primary concerns is its interference with sshd, the SSH server daemon, potentially opening the door for malicious actors to gain unauthorized access to systems.
The discovery of this backdoor compromise was credited to Microsoft security researcher Andres Freund, who identified nefarious code introduced on GitHub by a user known as Jia Tan. In response to the security breach, Microsoft-owned GitHub has taken swift action by disabling the XZ Utils repository maintained by the Tukaani Project for violating terms of service.
Fortunately, there have been no reported instances of active exploitation in the wild. However, the compromised packages have been identified in Fedora 41 and Fedora Rawhide distributions. As a precautionary measure, users are advised to downgrade XZ Utils to an uncompromised version following an alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Various Linux distributions, including Fedora, have been affected by this supply chain attack. Notably, Red Hat Enterprise Linux, Debian Stable, Amazon Linux, and SUSE Linux Enterprise and Leap have been confirmed to be unaffected. It is essential for users to remain vigilant and take immediate action to mitigate the risks posed by this security threat.
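Because the advisory identifies the compromise purely by release number (5.6.0 and 5.6.1), the first thing an administrator wants is a quick way to tell whether the xz binary and the liblzma library on a host are one of those builds. The script below is an added example written for this page, not code from Red Hat, CISA or the Tukaani Project. It parses the two-line banner printed by `xz --version` (the `xz (XZ Utils) x.y.z` and `liblzma x.y.z` lines), matches each version against the affected list, and reports a verdict; the sample banners in the comments and the function name `check_installed_xz` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag an xz / liblzma build that is one of
# the two backdoored releases named in CVE-2024-3094.

# Return 0 (shell "true") when the version string is exactly 5.6.0 or 5.6.1.
xz_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print every version number found in an `xz --version` banner, one per line.
# Constructed sample input:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# yields "5.6.1" twice; a version is taken as the trailing dotted number on a line.
xz_versions_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]\([0-9][0-9.]*\)[[:space:]]*$/\1/p'
}

# Return 0 when any version in the banner is an affected release. Checking every
# line matters: the xz front end and the liblzma library can come from different
# packages, and the backdoor lives in liblzma.
banner_affected() {
    for v in $(xz_versions_from_banner "$1"); do
        if xz_affected_version "$v"; then
            return 0
        fi
    done
    return 1
}

# Live check of the host: prints a verdict and returns 0 when an affected build
# is installed, 1 otherwise (including when xz is absent).
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 1
    fi
    banner=$(xz --version 2>/dev/null)
    if banner_affected "$banner"; then
        echo "AFFECTED (CVE-2024-3094): $(xz_versions_from_banner "$banner" | tr '\n' ' ')"
        echo "downgrade XZ Utils to an unaffected release and restart sshd"
        return 0
    fi
    echo "not affected: $(xz_versions_from_banner "$banner" | tr '\n' ' ')"
    return 1
}
```

To run the live check, source the file and call `check_installed_xz`; its exit status (0 for an affected build) makes it usable from a fleet-wide inventory job. Note that this is a version-string check only: a host whose package manager reports an unaffected version but which was rebuilt from a tampered 5.6.x tarball would need the package downgraded regardless, as the advisory recommends.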