A Call to Secure Linux Distributions - Supply chain backdoor: CVE-2024-3094

In a recent alarming discovery, malicious code has been unearthed within the XZ Utils repository, posing a grave threat to Linux distributions. Discovered on March 29th, 2024 by Andres Freund and posted on Openwall, after observing abnormal behavior within the liblzma component, the revelation has sent shockwaves through the open-source community.

Initially thought to be a compromise of Debian's packages, further investigation revealed that the malicious code originated upstream, affecting the xz tarballs directly. The compromised release tarballs, including versions 5.6.0 and 5.6.1, endangering the security of systems relying on them.

The backdoor manifests in various symptoms, including heightened CPU usage during SSH logins and Valgrind errors, observed on Debian sid installations. This discovery underscores the severity of the threat and the urgent need for remedial action.

After enumerating multiple Kali boxes for signs of compromise nothing has been observed in the wild at this time. In an abundance of caution all Kali, Red Hat , and Fedora boxes have been reverted or shut down. 

Mitigation Measures

To address this critical security breach, immediate action is imperative. Users are strongly advised to revert to secure versions of xz-utils, version 5.4.6, which rectifies the vulnerabilities introduced by the malicious code. The remediated version is currently not accessible from the official XZ Utils GitHub repositor due to the massive volume.

Additional Sources:

Tenable blog: Provides an FAQ on the CVE

CISA Alert: Cybersecurity advisory on the vulnerability

arstechnica: further details on the backdoor

Securing Tomorrow,

A thing showing CTA