Red Hat Issues Urgent Security Alert for Fedora Users Over Malicious Code in XZ Utils
Red Hat published an urgent security alert on Friday, March 29, 2024, warning that malicious code had been found in specific versions of XZ Utils, the widely used data compression suite that provides the xz command-line tools and the liblzma library. The alert is aimed at users of certain Fedora Linux releases and urges anyone running Fedora Rawhide to stop using those instances immediately, for both work and personal activity.
Malicious Code Detection
The issue, tracked as CVE-2024-3094, is not an accidental flaw but malicious code deliberately inserted into the upstream XZ Utils 5.6.0 and 5.6.1 releases, and it could allow unauthorized access to affected systems. XZ Utils is integral to numerous Linux distributions: it provides the xz tools used to compress large files for distribution and sharing, and the liblzma library that many other programs load, which is how the malicious code can reach processes that never run xz themselves.
Affected Fedora Versions
Red Hat’s alert identified Fedora 41 and Fedora Rawhide as the affected releases within its ecosystem. Users of Fedora Linux 40 may also have received XZ Utils 5.6.0, depending on when they last updated their systems, while Fedora Rawhide may contain either of the compromised versions.
Mitigation Measures
Red Hat plans to revert Fedora Rawhide to XZ Utils 5.4.x, after which Rawhide instances can be safely redeployed. Although Fedora Linux 40 builds are not currently believed to be compromised, downgrading to a 5.4.x version is recommended as a precaution.
Other Distributions
Red Hat Enterprise Linux is unaffected, but the advisory noted that the malicious code was also found in XZ Utils packages built for Debian’s unstable branch (Sid), so other distributions may be affected as well. Debian confirmed that its stable releases are not affected but advised users of its testing and unstable branches to update their XZ Utils packages promptly.
Advisory Details
According to the advisory, the embedded malicious code could enable a remote attacker to bypass sshd authentication and gain unauthorized access to the entire system. The malicious code is included in full only in the release tarball of the affected versions; the Git repository lacks the build-script (M4 macro) change that triggers its compilation, so builds made from Git do not contain it. The code reaches sshd indirectly: on distributions such as Fedora and Debian, OpenSSH is patched to link libsystemd for service readiness notification, and libsystemd in turn loads liblzma, so the backdoored library ends up inside the sshd process and can interfere with authentication of SSH connections, the protocol commonly used for remote system access. Later analysis found that the hook only activates for connections carrying a payload signed with the attacker’s own key, so arbitrary clients cannot trigger it, but for the key holder it amounts to pre-authentication remote code execution.
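The local checks an administrator would run after reading the mitigation and advisory details above, as an added example that is not part of Red Hat’s or CISA’s guidance: whether the installed xz is one of the two affected releases, whether sshd loads liblzma at all (the libsystemd path described above), and whether a liblzma binary contains the byte pattern of the injected function. The byte pattern is the one published with Vegard Nossum’s xz-backdoor detection script; the version-string and ldd formats are those of xz and glibc, and all inputs below are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from Red Hat's or CISA's advisories: three local checks
# for CVE-2024-3094. Inputs are passed as arguments so each function can be
# exercised against constructed samples as well as live output.

# Upstream releases named in the advisory as carrying the malicious code.
AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# Check 1: is the installed xz one of the affected releases?
# $1 is the first line of `xz --version`, e.g. "xz (XZ Utils) 5.6.1".
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p')
    for bad in $AFFECTED_XZ_VERSIONS; do
        [ "$ver" = "$bad" ] && return 0
    done
    return 1
}

# Check 2: does sshd load liblzma? On Fedora and Debian the OpenSSH package
# links libsystemd for readiness notification, and libsystemd pulls in
# liblzma; that is the path by which the backdoor reaches sshd.
# $1 is the output of `ldd /usr/sbin/sshd`; prints the library path if found.
sshd_liblzma_path() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*liblzma\.so[^ ]* => \([^ ]*\).*/\1/p'
}

# Check 3: does a liblzma binary contain the prologue bytes of the injected
# function? Signature as published with Vegard Nossum's detection script.
# A miss is not proof of a clean library; a hit is a strong indicator.
BACKDOOR_SIG="f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"

liblzma_has_backdoor_signature() {
    od -A n -t x1 -v "$1" | tr -d ' \n' | grep -q "$BACKDOOR_SIG"
}

# Writes a constructed file holding only the signature bytes (octal form of
# BACKDOOR_SIG), so the detector can be shown firing without a real backdoor.
write_signature_sample() {
    printf '\363\017\036\372\125\110\211\365\114\211\316\123\211\373\201\347\000\000\000\200\110\203\354\050\110\211\124\044\030\110\211\114\044\020' > "$1"
}

# Demonstration on constructed inputs.
demo() {
    xz_version_affected "xz (XZ Utils) 5.6.1" && echo "5.6.1: affected release"
    xz_version_affected "xz (XZ Utils) 5.4.6" || echo "5.4.6: not an affected release"

    sample_ldd=$(printf '\tlibsystemd.so.0 => /lib64/libsystemd.so.0 (0x1)\n\tliblzma.so.5 => /lib64/liblzma.so.5 (0x2)\n')
    echo "sshd loads liblzma from: $(sshd_liblzma_path "$sample_ldd")"

    f=$(mktemp)
    write_signature_sample "$f"
    liblzma_has_backdoor_signature "$f" && echo "signature found in constructed sample $f"
    rm -f "$f"
}
demo
```

On a live host, feed the functions real output: `xz_version_affected "$(xz --version | head -n 1)"`, `sshd_liblzma_path "$(ldd /usr/sbin/sshd)"`, and run the signature check on the path the second function prints. On Fedora, `rpm -q xz xz-libs` gives the packaged versions directly.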
CISA’s Response
The Cybersecurity and Infrastructure Security Agency (CISA) has also issued guidance on the issue, recommending that users and developers downgrade to an uncompromised version of XZ Utils, such as 5.4.6 Stable. CISA urges the community to hunt for any signs of malicious activity and to report any findings directly to the agency.
Red Hat and CISA’s guidance aims to mitigate potential risks posed by this vulnerability, underscoring the importance of prompt action to secure affected systems and maintain the integrity of Linux distributions.