A backdoor was discovered in the Linux xz library (XZ Utils / liblzma) in versions 5.6.0 and 5.6.1. It appears to allow SSH authentication to be bypassed.
Publisher security advisories:
Red Hat: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Debian: https://lists.debian.org/debian-security-announce/2024/msg00057.html
Our analysis of the situation
XZ Utils is an open source suite of tools for the XZ compression format, known for its high compression ratios and support for multiple algorithms, including LZMA2.
On 29 March, a Microsoft researcher, Andres Freund, discovered the backdoor in xz/liblzma versions 5.6.0 and 5.6.1 by chance while investigating unrelated performance issues.
Several Linux distributions were affected, including Kali Linux (between March 26 and 29), openSUSE (between March 7 and 28), and even certain versions of Debian (from 5.5.1alpha-0.1 to 5.6.1-1), among others.
Initial analyses indicate that only Linux x86/x64 machines are affected.
This backdoor allows SSH authentication to be bypassed, granting unauthorised access to machines, particularly when sshd runs under systemd and is exposed to the network.
You can use the following script to detect the presence of this backdoor: https://lnkd.in/ePb3hBEH
A YARA rule is also available: https://lnkd.in/e6-Scy5V
According to initial analyses, the approach suggests a state-sponsored (APT) attack, given the sophistication involved and the fact that the perpetrator had been contributing to the project for over two years.
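As a minimal first triage step alongside the detection script and YARA rule linked above, the following POSIX shell functions check whether the installed xz/liblzma reports one of the two versions this advisory names as backdoored. This is an added example, not the linked script or the rule; it assumes `xz --version` prints its usual two lines (`xz (XZ Utils) <version>` and `liblzma <version>`) and uses a constructed sample of that output to show the parsing. A version match is a reason to act on the advisory, not proof of a clean system: a patched or vendor-renumbered package can report a different version.

```shell
#!/bin/sh
# Added example (not the advisory's linked detection script or YARA rule):
# flag an xz/liblzma installation that reports version 5.6.0 or 5.6.1.

# Versions this advisory identifies as backdoored.
AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# Returns 0 if the version string in $1 is one of the affected versions, 1 otherwise.
xz_version_affected() {
  for v in $AFFECTED_XZ_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Reads `xz --version` output on stdin and prints "component version" pairs,
# one per line, e.g. "xz 5.6.1" and "liblzma 5.6.1".
xz_versions_from_output() {
  sed -n 's/^\([a-z][a-z]*\).* \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1 \2/p'
}

# Takes `xz --version` output as $1, reports each component, and returns 0
# when at least one component is an affected version (1 otherwise).
check_xz_output() {
  status=1
  versions=$(printf '%s\n' "$1" | xz_versions_from_output)
  while read -r comp ver; do
    [ -n "$ver" ] || continue
    if xz_version_affected "$ver"; then
      echo "AFFECTED: $comp $ver (see distribution advisory; downgrade)"
      status=0
    else
      echo "ok: $comp $ver"
    fi
  done <<EOF
$versions
EOF
  return $status
}

# Runs the check against the xz binary on PATH (return 2 if none is installed).
check_installed_xz() {
  if ! command -v xz >/dev/null 2>&1; then
    echo "xz not found on PATH"
    return 2
  fi
  check_xz_output "$(xz --version 2>/dev/null)"
}

# Constructed sample of what an affected host would print for `xz --version`.
SAMPLE_AFFECTED_OUTPUT="xz (XZ Utils) 5.6.1
liblzma 5.6.1"

# Usage: run with --run to check the local system instead of the sample.
if [ "${1:-}" = "--run" ]; then
  check_installed_xz
else
  check_xz_output "$SAMPLE_AFFECTED_OUTPUT" || true
fi
```

The version list is deliberately an exact match rather than a range: the advisory names 5.6.0 and 5.6.1 only, and treating neighbouring versions as affected would hide the real signal in the noise. Pair the version check with your distribution's package verification and the YARA rule, since the compromised build artefact, not the version number, is what matters.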
This case highlights the risks associated with software supply chains and the use of open source libraries without adequate verification measures, as well as a weakness on GitHub regarding username spoofing.
The primary countermeasure is to downgrade to an unaffected version and to follow the advisory recommendations from your distribution.
We also advise you to change your SSH keys as a precautionary measure.
For an in-depth technical analysis, we recommend the CISA report: https://lnkd.in/ez-aiE9w
The XZ backdoor is merely the tip of the iceberg, underscoring the need for constant vigilance against risks related to open source libraries and dependencies across the PyPI, npm, and Go registries.