Secret XZ Backdoor Impacting Linux Systems!

What is happening?

XZ Utils is a collection of free lossless data compression utilities, including the xz command. These are primarily used in Linux and Unix-like operating systems. They employ the LZMA compression algorithm, known for its high compression ratio and rapid decompression.

The LZMA (Lempel-Ziv-Markov chain Algorithm) is a high-efficiency compression algorithm. Its impressive compression ratio and swift decompression make it particularly suited for software distribution and data storage.

Starting with xz version 5.6.0 (the 5.6.0 and 5.6.1 releases), malicious code was found in the upstream tarballs. During the liblzma build, a prebuilt object file is extracted from a camouflaged test file in the source tree through a series of intricate obfuscations. That object file is then used to alter specific functions within the liblzma code. The result is a modified liblzma library that is picked up by any software linked against it, and this library can intercept and alter data passing through it.

How did this happen?

The malicious injection in the xz 5.6.0 and 5.6.1 libraries is concealed and is only fully present in the release tarball. The Git repository lacks the M4 macro that triggers the build of the malicious code; however, the second-stage artifacts needed for the injection at build time are present in the Git repository, so the injection proceeds whenever the malicious M4 macro is available.

This malicious build affects the authentication process in sshd via systemd. SSH is a protocol often used for remote connections to systems, and sshd is the service that accepts those connections, so both could be compromised. Under particular conditions, this interference could enable a malicious actor to bypass sshd authentication and gain unauthorized remote access to the entire system.

About this type of vulnerability

Embedded Malicious Code, also known as CWE-506, refers to the practice of inserting harmful code into a software system. This code, often hidden or disguised within the software, executes unintended functions that can compromise the security of the system.

It can lead to a range of issues, including data breaches, unauthorized access, or even complete takeover of the system. In this case, the malicious code was embedded within the XZ Utils, which then altered the authentication process of sshd, potentially allowing unauthorized access to the system.

This type of vulnerability highlights the importance of thorough security auditing and code review, as well as the use of trusted sources for software and updates.

What should you do?

  • Immediately stop using the impacted distributions, such as Fedora 40, as recommended by Red Hat.
  • Downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6 Stable as recommended by the Cybersecurity and Infrastructure Security Agency (CISA).
  • Conduct a thorough investigation to hunt for any malicious activity in your system.
  • Report any positive findings of malicious activity to CISA.
  • Reach out to your vendors and third-party providers to ask about the steps they’ve taken to mitigate the risks related to this vulnerability.
  • If you are an administrator, contact your security team for further recommendations.
  • Regularly update your system software from trusted sources to avoid such vulnerabilities.
  • Conduct frequent security audits and code reviews to identify any hidden malicious code.
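The steps above start with knowing whether a host is running one of the two affected releases at all. The script below is an added example, not part of the original article or of the XZ Utils project: it reads the installed `xz --version`, compares it against the 5.6.0 and 5.6.1 releases named above, and reports whether the local sshd binary dynamically links liblzma, which is the library the backdoor modifies. It assumes a POSIX shell with `sed`, `grep` and `ldd` available; the version strings are the ones the article names, and the sample `xz --version` line used in `extract_xz_version` is a constructed input.

```shell
#!/bin/sh
# Added example (not from the original article or the XZ Utils project):
# a read-only check for the xz releases the article names as compromised.

# Releases the article identifies as carrying the malicious injection.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# is_affected_version VERSION -> exit status 0 if VERSION is an affected release
is_affected_version() {
    v="$1"
    for a in $AFFECTED_VERSIONS; do
        [ "$v" = "$a" ] && return 0
    done
    return 1
}

# extract_xz_version "LINE" -> version number from the first line of
# `xz --version`, e.g. a constructed "xz (XZ Utils) 5.6.1" yields "5.6.1".
# Prints nothing if the line does not look like xz's banner.
extract_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# installed_xz_version -> version of the xz binary on PATH, or empty if absent
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 0
    extract_xz_version "$(xz --version 2>/dev/null | head -n 1)"
}

# sshd_links_liblzma -> exit status 0 if an sshd binary is found and its
# dynamic dependencies include liblzma (the library the backdoor alters).
# A hit does not by itself prove compromise; it means the vulnerable path
# (sshd -> libsystemd -> liblzma) exists on this host and the version matters.
sshd_links_liblzma() {
    sshd_path="$(command -v sshd 2>/dev/null)"
    [ -n "$sshd_path" ] || sshd_path=/usr/sbin/sshd
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# report -> human-readable summary; always exits 0 so it is safe in cron/CI
report() {
    ver="$(installed_xz_version)"
    if [ -z "$ver" ]; then
        echo "xz: not found on PATH (or version banner not recognised)"
    elif is_affected_version "$ver"; then
        echo "xz $ver: AFFECTED release, downgrade to 5.4.6 or a distro-fixed build"
    else
        echo "xz $ver: not one of the affected releases ($AFFECTED_VERSIONS)"
    fi
    if sshd_links_liblzma; then
        echo "sshd: links liblzma, so a compromised xz would reach the sshd process"
    else
        echo "sshd: not found or does not link liblzma"
    fi
    return 0
}

report
```

The version comparison is deliberately an exact match on the two named releases rather than a "5.6.x" range, because distributions shipped patched 5.6.1 builds under new package revisions; for those, the package manager's changelog, not the upstream version string, is the authority. Run it as an unprivileged user; nothing here modifies the system.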

Read more about it
