Backdoor Discovered in XZ Utils: A Warning for Linux Distributions

A malicious backdoor has been found in XZ Utils, the compression tool and library (liblzma) that virtually every Linux distribution ships, including those from Red Hat and Debian. This post walks through what is known about it so far.

The Backdoor Unveiled

The backdoor was introduced in XZ Utils 5.6.0 and 5.6.1 (tracked as CVE-2024-3094). Neither version had reached the stable releases of the major distributions, but both had been shipped through development and beta channels: Fedora Rawhide and the Fedora 40 beta, and Debian testing, unstable and experimental. Rolling-release distributions such as Arch Linux and openSUSE Tumbleweed also shipped the affected packages; on Arch the exposure is lower because its sshd is not linked against liblzma, so the hook described below is never loaded into the SSH daemon.


How the Backdoor Operates

The malicious build logic exists only in the release tarballs, not in the project's git tree. The tarball's m4/build-to-host.m4 contains macro code that is absent from git; when configure runs it, the macro extracts a second stage from two binary test files that are committed to the repository (tests/files/bad-3-corrupt_lzma2.xz and tests/files/good-large_compressed.lzma) and links the resulting object into liblzma. The repository alone therefore looks clean; only a build from the tarball produces a backdoored library. At runtime the payload uses a GNU ifunc resolver to hook OpenSSL's RSA_public_decrypt inside sshd, the OpenSSH server. sshd does not normally load liblzma at all; it does on Debian, Fedora and their derivatives because those distributions patch sshd to link libsystemd (for sd_notify readiness notification), and libsystemd in turn depends on liblzma. With the hook in place, a client presenting an RSA key that carries a command signed with the attacker's private key gets that command executed with sshd's root privileges before authentication completes. Ordinary clients are unaffected, which is why the backdoor went unnoticed apart from a measurable slowdown of sshd logins.
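The tarball-versus-git gap is something a packager can check mechanically. The script below is an added example and not code from the original article or from the xz project: it lists the files that exist only in an unpacked release tarball compared with a checkout of the matching git tag, and byte-compares every shipped .m4 macro against a known-good reference checkout (for xz, the gnulib tree that supplies build-to-host.m4). The function names, the three-directory layout and the sample files used to exercise it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article or the xz project): compare a
# release tarball with the git tag it claims to be built from.
# Assumptions: TARBALL_DIR is the unpacked tarball, GIT_DIR a checkout of the
# matching tag, REF_DIR a known-good checkout of the project that supplies the
# tarball's .m4 macros (for xz that is gnulib, with the same m4/NAME.m4 layout).

# Print files that exist in TARBALL_DIR but not in GIT_DIR (relative paths).
# Generated autotools output (configure, Makefile.in, m4/*.m4) is expected here;
# anything else deserves a look, and the .m4 files deserve a byte comparison.
tarball_only_files() {
    tb=$1; vcs=$2
    a=$(mktemp); b=$(mktemp)
    (cd "$tb" && find . -type f | LC_ALL=C sort) > "$a"
    (cd "$vcs" && find . -type f ! -path './.git/*' | LC_ALL=C sort) > "$b"
    comm -23 "$a" "$b" | sed 's|^\./||'
    rm -f "$a" "$b"
}

# Compare every .m4 macro shipped in the tarball with the reference copy.
# Prints "MATCH", "DIFFERS" or "NO-REF" per file; returns 1 if any differs.
# (In the xz case the tarball's m4/build-to-host.m4 carried the extra code.)
check_m4_against_reference() {
    tb=$1; ref=$2; rc=0
    list=$(mktemp)
    (cd "$tb" && find m4 -name '*.m4' 2>/dev/null | LC_ALL=C sort) > "$list"
    while IFS= read -r f; do
        if [ ! -f "$ref/$f" ]; then
            echo "NO-REF $f"
        elif cmp -s "$tb/$f" "$ref/$f"; then
            echo "MATCH $f"
        else
            echo "DIFFERS $f"
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# Stand-alone use: sh compare_release.sh TARBALL_DIR GIT_DIR REF_DIR
if [ $# -eq 3 ]; then
    echo "== files only in the tarball =="
    tarball_only_files "$1" "$2"
    echo "== shipped .m4 macros vs reference =="
    check_m4_against_reference "$1" "$3"
fi
```

Generated files such as configure and Makefile.in will always appear in the first list, so the useful signal is the second: a DIFFERS line for a macro that git never contained is exactly the pattern of the xz release. The tag checkout can come from git archive or a plain clone; the comparison itself runs offline.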

The Source of the Backdoor

The changes containing the backdoor were submitted by JiaT75 ("Jia Tan"), who at the time was one of the two XZ Utils maintainers with commit and release access. The test files were committed and the two tarballs were released over a period of weeks, which points to either direct involvement of the account holder or a thorough compromise of that account and its build environment.

Impact and Recommendations

  • Fedora Rawhide (slated to become Fedora 41) and Fedora 40 beta users should stop using those instances until xz has been downgraded to the 5.4.x packages that Fedora has since published.
  • Red Hat Enterprise Linux (RHEL) is not affected: no RHEL version ships the 5.6 series.
  • SUSE has released a fix for openSUSE Tumbleweed and MicroOS users, reverting to an unaffected 5.4 build.
  • Debian stable is unaffected; the compromised packages reached testing, unstable and experimental, where they have been replaced by a 5.4-based build.
  • On any system, check the installed liblzma version and whether sshd is linked against liblzma. If a 5.6.0 or 5.6.1 liblzma was loaded by an Internet-facing sshd, treat the host as potentially compromised rather than merely unpatched.
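A quick triage of a single host, as an added example that is not from the original article, the xz project or any distribution's advisory, combining the checks above: the installed liblzma version, whether the local sshd actually loads liblzma (the libsystemd link that makes the hook reachable), and a byte-signature scan of that library. The signature is the hex pattern that the original oss-security report's detect.sh searched for; the function names and the script name are assumptions, and the hex-to-bytes helper exists only so the scan can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example (not from the original article, the xz project or any
# distribution advisory): host triage for the XZ Utils 5.6.0/5.6.1 backdoor.
# Assumptions: Linux with xz, ldd, od, awk and grep available; sshd installed
# at a location on PATH or at /usr/sbin/sshd.

# Releases that carried the backdoor.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Version of the installed liblzma, taken from the "liblzma X.Y.Z" line that
# `xz --version` prints; empty if xz is not installed.
installed_liblzma_version() {
    xz --version 2>/dev/null | awk '/^liblzma/ { print $2; exit }'
}

# Path of the liblzma that the given sshd binary would load, or nothing.
# Only sshd builds patched to link libsystemd (Debian, Fedora and derivatives)
# pull liblzma in; upstream OpenSSH and e.g. Arch's package do not.
sshd_liblzma_path() {
    ldd "$1" 2>/dev/null | awk '/liblzma/ { print $3; exit }'
}

# Hex form of the hooked function prologue that the original oss-security
# report's detect.sh searched for. Verify it against that report before use.
BACKDOOR_SIG='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

# Return 0 if FILE contains BACKDOOR_SIG (od keeps the check POSIX, no xxd).
contains_backdoor_signature() {
    od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$BACKDOOR_SIG"
}

# Emit the raw bytes of an even-length hex string (used to build a fixture).
hex_to_bytes() {
    h=$1
    while [ ${#h} -ge 2 ]; do
        pair=${h%"${h#??}"}
        printf "\\$(printf '%03o' "0x$pair")"
        h=${h#??}
    done
}

# Verdict for this host. Prints one line; returns 0 if action is needed.
triage_host() {
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    ver=$(installed_liblzma_version)
    if [ -z "$ver" ]; then
        echo "liblzma not installed"
        return 1
    fi
    lib=$(sshd_liblzma_path "$sshd")
    if [ -n "$lib" ] && contains_backdoor_signature "$lib"; then
        echo "BACKDOORED: $sshd loads $lib (liblzma $ver); rebuild from 5.4.x now"
        return 0
    fi
    if xz_version_affected "$ver"; then
        echo "AFFECTED RELEASE: liblzma $ver installed (sshd link: ${lib:-none}); downgrade to 5.4.x"
        return 0
    fi
    echo "not affected: liblzma $ver"
    return 1
}

# Stand-alone use: sh xz_triage.sh --check
if [ "${1:-}" = "--check" ]; then
    triage_host
fi
```

The version check alone is not enough in either direction: a distribution may ship a repaired package that still reports 5.6.1, and a host that never linked sshd against liblzma was never reachable through this hook even with an affected release installed. The signature scan and the ldd check are what separate those cases.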

Conclusion

The backdoor was caught early, and by luck as much as by process: an engineer investigating unusual CPU usage and valgrind errors in sshd traced them to liblzma. That is a reminder that distributions and their security teams need to watch the software supply chain itself, not just the code in git: release tarballs, build scripts and binary test data all deserve the same scrutiny as source changes. Let us remain vigilant and proactive in safeguarding our systems.
