Recently, a hidden backdoor was discovered in the XZ compression utility (XZ Utils), which ships in most Linux distributions. The malicious code poses a significant threat to the software supply chain: it is designed to let an attacker bypass authentication on SSH servers that load the tampered liblzma library.
The backdoor was found by Microsoft engineer Andres Freund, who reported it on the oss-security mailing list hosted by Openwall. The tampering was introduced in XZ Utils 5.6.0 through a modified M4 build script, shipped in the release tarballs rather than in the project's git repository, which at build time extracted an obfuscated payload from binary test files and linked it into the liblzma compression library, altering the library's functions so that unauthorized access became possible.
These modifications to liblzma can compromise sshd even though sshd itself does not use liblzma: several Linux distributions patch OpenSSH to link against libsystemd (for service-readiness notifications to systemd), and libsystemd in turn depends on liblzma, so the backdoored library is loaded into the sshd process at startup. The malicious files were deliberately obfuscated to hide their purpose and were committed by a contributor who had been an active participant in the XZ project for about two years.
Freund wrote that, given the activity over several weeks, the committer was either directly involved in creating the backdoor or had suffered a severe compromise of their own system. The changes made in XZ versions 5.6.0 and 5.6.1, some of them presented as fixes for Valgrind errors and crashes, were in fact part of implementing and concealing the backdoor.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert for the backdoor, tracked as CVE-2024-3094 and rated with a CVSS score of 10.0, urging developers and users to downgrade to an uncompromised release such as XZ Utils 5.4.6.
Freund noted that XZ versions 5.6.0 and 5.6.1 had not yet been widely adopted by Linux distributions and were present mainly in development and rolling-release branches. In response, Red Hat issued an urgent advisory telling users to stop using Fedora Rawhide immediately because of the potential compromise through XZ, stating that Rawhide would be reverted to xz 5.4.x, and advising Fedora Linux 40 (then in beta) users to downgrade to an xz 5.4 build as well.
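The two facts above, the backdoored release numbers and the libsystemd-to-liblzma dependency chain that pulls the library into sshd, translate directly into a quick host triage. The following POSIX shell script is an added example, not code from the article, CISA, Red Hat or the xz project. It assumes that `xz --version` prints `xz (XZ Utils) X.Y.Z` on its first line and that `ldd` on the sshd binary lists `liblzma.so.5` when the library is loaded (directly or via libsystemd); by default it runs against constructed sample output, and with `--live` it checks the real binaries on the host.

```shell
#!/bin/sh
# Added triage script for CVE-2024-3094 (not part of the article or the xz project).
# Assumptions: `xz --version` reports "xz (XZ Utils) X.Y.Z" on its first line, and
# `ldd` lists "liblzma.so.5" when sshd loads liblzma (directly or through libsystemd).

# Upstream releases known to carry the backdoor.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output read from stdin.
xz_version_from_output() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when ldd-style output read from stdin shows liblzma mapped into the process.
ldd_shows_liblzma() {
    grep -q 'liblzma\.so'
}

# Combine both signals into one verdict line.
#   $1: installed xz version, $2: ldd output for the sshd binary
triage() {
    if ! xz_version_affected "$1"; then
        echo "SAFE: xz $1 is not a backdoored release"
    elif printf '%s\n' "$2" | ldd_shows_liblzma; then
        echo "EXPOSED: xz $1 installed and sshd loads liblzma"
    else
        echo "AT_RISK: xz $1 installed but sshd does not load liblzma"
    fi
}

# Constructed sample inputs, modelled on what a Fedora Rawhide host from late
# March 2024 might have shown (addresses are made up).
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_SSHD_LDD='	linux-vdso.so.1 (0x00007ffc1a3fe000)
	libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f3a1c600000)
	liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f3a1c400000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3a1c000000)'

if [ "${1-}" = "--live" ]; then
    # Live mode: needs xz and ldd on PATH; sshd usually lives in /usr/sbin,
    # which may not be on a non-root user's PATH.
    sshd_path=$(command -v sshd || echo /usr/sbin/sshd)
    live_version=$(xz --version | xz_version_from_output)
    live_ldd=$(ldd "$sshd_path" 2>/dev/null || true)
    triage "$live_version" "$live_ldd"
else
    # Sample mode: prints "EXPOSED: xz 5.6.1 installed and sshd loads liblzma"
    triage "$(printf '%s\n' "$SAMPLE_XZ_VERSION_OUTPUT" | xz_version_from_output)" "$SAMPLE_SSHD_LDD"
fi
```

Two caveats apply when running it with `--live`. First, ldd hands the binary to the dynamic loader, so it should not be pointed at a binary on a host you already suspect is compromised; reading `/proc/<pid>/maps` for the running sshd is the safer way to see whether liblzma is mapped. Second, a version match alone does not prove exposure, because the payload only matters once liblzma is loaded into sshd, which is why the script reports the two conditions separately rather than collapsing them into one verdict.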