Red Hat Warns of Malware Code Embedded in Popular Linux Tool That Allows Unauthorized Access to Systems

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Red Hat has issued a critical security warning regarding malicious code discovered in recent versions of the “xz” compression tools and libraries.

Tracked as CVE-2024-3094, this highly sophisticated supply chain compromise could allow threat actors to bypass authentication and gain unauthorized remote access to affected Linux systems.

The xz utility is a fundamental data compression format present in almost every commercial and community Linux distribution.

It is primarily used to compress large files into smaller sizes for efficient transfer. Security researchers discovered that malicious code was quietly injected into versions 5.6.0 and 5.6.1 of the xz utility.

The attackers utilized sophisticated obfuscation techniques to hide their tracks. The malicious code is not clearly visible in the primary Git repository.

Instead, it is triggered by an obfuscated M4 macro that is only included in the full distribution download package. During the software build process, this hidden macro compiles second-stage artifacts that alter the library’s functionality.

Once installed on a system, the compromised build directly interferes with authentication processes in sshd via systemd.

Secure Shell (SSH) is the standard protocol for remote system management, and this interference allows malicious actors to break authentication checks, ultimately gaining full, unauthorized remote access to the machine.

Affected Linux Distributions

Red Hat has confirmed that no versions of Red Hat Enterprise Linux (RHEL) are affected by this vulnerability. Within the Red Hat ecosystem, the compromised packages are isolated to Fedora Rawhide and the Fedora Linux 40 beta.

Fedora Rawhide users may have installed either version 5.6.0 or 5.6.1. At the same time, Fedora 40 beta environments were exposed to version 5.6.0 through recent update cycles.

While Red Hat notes that the malicious code injection does not appear to have successfully executed in the Fedora 40 builds, the presence of the compromised libraries still poses a significant risk.

Beyond Red Hat, other community distributions are also dealing with this threat. Evidence shows the injected code successfully built in Debian unstable (Sid) and several openSUSE distributions.

System administrators must take immediate action to secure their environments. Red Hat strongly advises users to completely halt all usage of Fedora Rawhide instances for both work and personal activities until the system is fully reverted to the safe xz-5.4.x version.

For Fedora Linux 40 beta users, an emergency update has been published to force a downgrade to a 5.4.x build. Users of openSUSE and Debian should consult their specific distribution maintainers for immediate downgrade procedures.

Security teams must actively audit their infrastructure for xz versions 5.6.0 and 5.6.1 and replace them without delay to prevent potential network breaches.
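As an added example (not code from the article, from Red Hat or from the xz project), the following POSIX shell script performs the audit described above: it parses `xz --version` output for the affected releases 5.6.0 and 5.6.1 (checking both the `xz` line and the `liblzma` line, since the library is the compromised component) and reports whether the local sshd binary links liblzma. The sshd path `/usr/sbin/sshd`, the use of `ldd` for the linkage check and all function names are assumptions, not details from the article.

```shell
#!/bin/sh
# Added example: audit a host for the compromised xz releases (CVE-2024-3094)
# and report whether sshd is linked against liblzma. Not the article's or
# Red Hat's code; the sshd path and the ldd check are assumptions.

# Return 0 (true) when the version string is one of the compromised releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the xz version from `xz --version` output on stdin,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_output() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Extract the liblzma version from the same output, e.g. "liblzma 5.6.1".
liblzma_version_from_output() {
    sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read `xz --version` output on stdin; return 0 if either the tool or the
# library reports a compromised version.
xz_output_affected() {
    out=$(cat)
    xv=$(printf '%s\n' "$out" | xz_version_from_output)
    lv=$(printf '%s\n' "$out" | liblzma_version_from_output)
    xz_version_affected "$xv" || xz_version_affected "$lv"
}

# Check the installed xz binary. Returns 0 when an affected version is found.
audit_xz_binary() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 1
    fi
    out=$(xz --version 2>/dev/null)
    if printf '%s\n' "$out" | xz_output_affected; then
        echo "xz: COMPROMISED release detected (CVE-2024-3094), downgrade to 5.4.x:"
        printf '%s\n' "$out" | sed 's/^/    /'
        return 0
    fi
    echo "xz: installed release is not 5.6.0 or 5.6.1"
    return 1
}

# Report whether sshd links liblzma (directly or via libsystemd); this is
# the path by which the compromised library reaches authentication.
# Assumed default path /usr/sbin/sshd; pass another path as $1 if needed.
audit_sshd_liblzma() {
    sshd_path=${1:-/usr/sbin/sshd}
    if [ ! -x "$sshd_path" ] || ! command -v ldd >/dev/null 2>&1; then
        echo "sshd: $sshd_path or ldd not available, skipping linkage check"
        return 1
    fi
    if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
        echo "sshd: links liblzma, so a compromised liblzma would affect it"
        return 0
    fi
    echo "sshd: does not link liblzma"
    return 1
}

# Run both checks; the exit status follows the xz version check, the sshd
# linkage result is printed as context.
xz_audit() {
    audit_sshd_liblzma
    audit_xz_binary
}

xz_audit && echo "ACTION REQUIRED: revert xz to 5.4.x" || echo "No affected xz release found"
```

Run it as root on each host, or point `audit_sshd_liblzma` at a non-default sshd path. A clean result from this script only shows that the affected releases are not installed now; it does not prove a host was never exposed, so hosts that ran 5.6.0 or 5.6.1 should still be treated as the distribution guidance above directs.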
