Red Hat warns of backdoor in XZ tools used by most Linux distros (Security News, March 2024)
Today, Red Hat warned users to immediately stop using systems running Fedora development versions because of a backdoor found in the latest XZ Utils data compression tools and libraries.
"No versions of Red Hat Enterprise Linux are affected. We have reports and evidence of the injections successfully building in xz 5.6.x versions built for Debian unstable."
Red Hat is now tracking this supply chain security vulnerability as CVE-2024-3094, has assigned it a 10/10 critical severity score, and has reverted to 5.4.x versions of XZ in Fedora 40 beta.
"The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access," Red Hat said.
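A first triage step after a report like this is to find out whether the XZ Utils build on a host is one of the two trojaned releases named above (5.6.0 and 5.6.1) or the 5.4.x line Fedora reverted to. The script below is an added example, not part of the news item or of any Red Hat tooling: it parses the first line of `xz --version`, classifies the version against the affected range, and, when `xz` is present, checks the live system; the two `SAMPLE_*` strings are constructed stand-ins for real `xz --version` output so it runs offline.

```shell
#!/bin/sh
# Added example: classify an installed XZ Utils version against the
# releases reported as affected by CVE-2024-3094 (5.6.0 and 5.6.1).

# Extract MAJOR.MINOR.PATCH from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if it cannot parse.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Exit status 0 (true) when the version is one of the trojaned releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Human-readable verdict for a version string; always prints one line.
xz_verdict() {
    if xz_version_affected "$1"; then
        echo "AFFECTED: xz $1 is a CVE-2024-3094 release; revert to 5.4.x"
    else
        echo "not in affected range: xz $1"
    fi
}

# Check the live system when xz is installed; print nothing otherwise.
check_installed_xz() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        xz_verdict "${ver:-unknown}"
    fi
}

# Constructed sample outputs of `xz --version`, not captured from a real host.
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

main() {
    xz_verdict "$(parse_xz_version "$SAMPLE_BAD")"
    xz_verdict "$(parse_xz_version "$SAMPLE_OK")"
    check_installed_xz
}

main "$@"
```

The version string is matched exactly rather than with a range comparison because the advisory names two specific upstream releases; a distribution that ships a patched 5.6.x with a different version suffix would need its own package-level check (for example, the distro's package changelog), which this script does not attempt.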
Related news
- Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094) (source)
- Malicious SSH backdoor sneaks into xz, Linux world's data compression library (source)
- Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros (source)
- XZ Utils backdoor update: Which Linux distros are affected and what can you do? (source)
- New XZ backdoor scanner detects implant in any Linux binary (source)
- XZ Utils backdoor: Detection tools, scripts, rules (source)
- XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor (source)
- Week in review: Backdoor found in XZ utilities, weaponized iMessages, Exchange servers at risk (source)
- Malicious xz backdoor reveals fragility of open source (source)
- Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-03-29 | CVE-2024-3094 | Embedded Malicious Code vulnerability in Tukaani XZ 5.6.0/5.6.1: malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. | 10.0 |