SSH Library Compromised: Malicious Backdoor Discovered
— Sam Jacob Dec, 2, 2023
Malicious backdoor found in SSH libraries
On March 29th, it was reported that malicious code enabling unauthorized remote SSH access has been detected within XZ Utils, a widely used package present in major Linux distributions (The GitHub project originally hosted here is now suspended).
Andres Freund, a principal software engineer at Microsoft, discovered the backdoor and reported it to Linux distributor Openwall on Friday morning.
Vulnerability Details:
The backdoor is found on liblzma, a package within XZ library that does lot of compression on the internet as part of OpenSSH. Malicious code hidden in the utility package creates a critical supply chain threat that potentially exposes SSH services to unauthorized access.
Malicious .m4 files added to the xz tarballs in version 5.6.0, which was released on Feb. 24, contained automake instructions for building the compression library liblzma that modified its functions to allow for unauthorized access.
These changes to liblzma can lead to sshd compromise due to many Linux distros incorporating libsystemd, which enables systemd notifications and is dependent on liblzma, into their OpenSSH implementations.
The added .m4 cmfiles were heavily obfuscated, apparently to hide their malicious function, and were added by a user who has been an active contributor to the xz project for two years.
CVE: The U.S. Cybersecurity & Infrastructure Security Agency (CISA) released an alert about the issue, which is tracked as CVE-2024-3094 and has a maximum CVSS score of 10, warning developers and users to downgrade xz to a safe version such as version 5.4.6 stable.
Who is affected by CVE-2024-3094?
Fortunately, the malicious code was discovered quickly and managed to infect only two of the most recent versions of the package, 5.6.0 and 5.6.1, which were released within the past month. Stable versions of most Linux distributions were not affected.
Fortunatley, XZ 5.6.0 and 5.6.1 have not yet been widely integrated by Linux distributions, and where they have, they are mostly in pre-release versions.”
The following distributions were affected by the attack –
Recommendations:
Check if your version of “xz” is one of the affected versions. Note that it is recommended to continuously scan your codebase to detect such vulnerabilities in open-source and third-party libraries.
Immediately downgrade your version of xz to an earlier version (5.4.6 is the latest unaffected version in most distributions).
- Red Hat published an urgent security alert Friday, warning users to immediately stop using any instances of Fedora Rawhide due to a potential compromise through xz. The alert also recommends users downgrade Fedora Linux 40 to a version that uses XZ 5.4, although Red Hat reports that no Fedora Linux 40 builds have been shown to be compromised. Red Hat Enterprise Linux is not affected by any version.
- Freund discovered the backdoor while testing the latest unstable distribution of Debian, and Debian’s security advisory confirms the compromised utility was included in its testing, unstable and experimental distributions. The advisory states the package has been reverted to version 5.4.5 and urges users to apply the update.