ALERT: Linux XZ Utils and SSH Backdoor
Tuesday, April 2, 2024
This message is intended for U-M IT staff who are responsible for university Linux systems using XZ Utils versions 5.6.0 and 5.6.1. This may also be of interest to individuals using the above on personal computers.
Summary
Malicious code in XZ Utils versions 5.6.0 and 5.6.1 creates backdoor access via SSH in some Linux distributions. Note that:
- Most of the affected distributions are beta releases.
- Systems are only vulnerable if they accept inbound SSH connections.
Those using or managing systems with affected versions of XZ Utils should assume that this vulnerability is being or will be exploited by its creators, and should take action to remediate this vulnerability.
Problem
Malicious code in the compression library XZ Utils deployed to some Linux distributions can create a backdoor via compromised SSH connections for threat actors to access affected systems.
Affected Systems
Linux distributions using XZ Utils versions 5.6.0 and 5.6.1 are affected.
MacOS Homebrew users: MacOS Homebrew is being forcibly downgraded from 5.6.x versions to 5.4.6 as a precaution.
Action Items
Maintainers of your linux distribution will have distribution-specific guidance on how to remediate this vulnerability. Follow vendor directions to replace XZ Utils with an unaffected version.
All users of affected systems that accept inbound SSH connections should look for possible signs of compromise on those systems, focussing on the timeframe in which the vulnerable versions of XZ Utils were installed. Refer to Checking Systems for Signs of Compromise for guidance on checking your system(s).
The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). Those using or managing affected systems should take action to remediate this vulnerability as soon as possible.
Technical Details
Malicious code in the compression library XZ Utils, deployed to some Linux distributions, can create a backdoor for threat actors to access affected systems. The malicious code interferes with authentication in sshd via systemd. In some cases this can allow a threat actor to break sshd authentication and gain unauthorized remote access to the system.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Urgent security alert for Fedora Linux 40 and Fedora Rawhide users (3-30-2024, Red Hat)
- A Vulnerability in XZ Utils Could Allow for Remote Code Execution (3-29-2024, Center for Internet Security)
- Backdoor found in widely used Linux utility targets encrypted SSH connections (3-29-2024, Ars Technica)
- Frequently Asked Questions About CVE-2024-3094, A Backdoor in XZ Utils (3-29-2024, Tenable)
- Malicious SSH backdoor sneaks into xz, Linux world's data compression library (3-29-2024, The Register)
- Risky Biz News: Supply chain attack in Linuxland (4-1-2024, Risky Biz)
- Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094) (3-31-2024, Help Net Security)