Hey Cyberpunks, Ethical Kaps here. I’m back again after a long time with another powerful article to keep you updated on the latest trends in our cyber world. I hope you are all doing great. Recently I came across this backdoor, so I thought I’d share it with my audience.
But as usual, I will break down each piece of jargon for you so you can understand the logic and the vulnerability in depth.
A recent discovery has uncovered a backdoor in #XZUtils, the widely used open-source xz compression tool shipped with most Linux distributions.
XZ Utils employs the LZMA compression algorithm, which is known for its high compression ratio and good performance.
XZ Utils is commonly used for packaging software, archiving files, shrinking files for distribution, and handling large datasets.
Red Hat has issued an urgent notice about this #vulnerability, identifying it as a backdoor capable of compromising affected systems.
It’s simple to stay on the safer side; follow the steps below and you should be good.
1. Revert to a known-safe version of the utility (the 5.4.x series), or
2. Disable SSH (or block it at the firewall) as a stopgap until the package has been downgraded.
The backdoor, tracked as CVE-2024-3094, is malicious code injected into liblzma during the build of the 5.6.0 and 5.6.1 release tarballs (the obfuscated payload was not visible in the git source tree). On distributions where sshd is patched to link libsystemd, and libsystemd in turn links liblzma, the malicious library ends up loaded inside the SSH daemon, where it interferes with authentication and can give a remote attacker unauthorized access.
Red Hat has emphasized the urgency of the situation, urging users to stop using any Fedora Rawhide instances until the xz version is reverted to 5.4.x and deemed secure.
CVSS score: 10.0, the maximum possible, highlighting its severity.
Now you must be wondering about #FedoraRawhideInstances. Don’t worry, I got you!
Fedora Rawhide is the development branch of the Fedora Linux distribution as simple as that.
It’s where new features and updates are introduced and tested before they are included in stable releases.
Therefore, “Fedora Rawhide instances” refers to systems running Fedora Linux that are using the Rawhide development branch.
I hope this vulnerability makes a little more sense !😅
The affected versions, xz 5.6.0 (released February 24, 2024) and 5.6.1 (released March 9, 2024), require immediate attention.
To check whether your system is affected, run “xz --version” and look at the versions it reports for both the xz tool and liblzma:
I am on version 5.2.5. Just noticed it 😂 Not upgrading as of now for sure!
If the output shows “xz (XZ Utils) 5.6.0”, “xz (XZ Utils) 5.6.1”, “liblzma 5.6.0” or “liblzma 5.6.1”, immediate action is necessary: apply the updates provided by your distribution, downgrade xz, or temporarily disable SSH.
Although the backdoor primarily targets Linux distributions (its build-time trigger only activates for x86-64 Linux builds using glibc), xz 5.6.x also shipped to macOS users through Homebrew. Homebrew has reverted its xz formula to 5.4.6, so running “brew upgrade” will in effect downgrade xz from 5.6.0 or 5.6.1 to 5.4.6.
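The following script is an added example, not code from the original article or from the XZ Utils project. It automates the version check described above and also tests the loading path explained earlier (sshd → libsystemd → liblzma) by looking for liblzma in the dynamic dependencies of the sshd binary. The sample “xz --version” and “ldd” outputs are constructed for illustration, and the sshd paths /usr/sbin/sshd and /usr/bin/sshd are assumptions about where the daemon lives.

```sh
#!/bin/sh
# Added example (not from the original article): a first-pass check for the
# xz 5.6.0 / 5.6.1 backdoor. Two things are checked:
#   1. the version that xz and liblzma report, and
#   2. whether the sshd binary pulls in liblzma at all (the path by which the
#      backdoor reaches the SSH daemon: sshd -> libsystemd -> liblzma).
# Version strings are only a first pass; distributions may ship patched builds
# under other version numbers, so confirm with your distribution's advisory.

# Constructed sample outputs, shaped like `xz --version` and `ldd /usr/sbin/sshd`.
SAMPLE_XZ_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_SAFE='xz (XZ Utils) 5.2.5
liblzma 5.2.5'
SAMPLE_LDD_AFFECTED='        linux-vdso.so.1 (0x00007ffd1c3f2000)
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a1c0a0000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a1bf80000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bd00000)'
SAMPLE_LDD_SAFE='        linux-vdso.so.1 (0x00007ffd1c3f2000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a1c0a0000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bd00000)'

# xz_version_status TEXT
# Classifies `xz --version` output: prints "affected" if xz or liblzma reports
# one of the backdoored releases, "safe" if some other version was found, and
# "unknown" if no version number could be parsed at all.
xz_version_status() {
    _status=unknown
    # Word-split the output; version numbers appear as bare tokens like "5.6.1".
    for _tok in $1; do
        case $_tok in
            5.6.0|5.6.1)
                echo affected
                return 0
                ;;
            [0-9]*.[0-9]*.[0-9]*)
                _status=safe
                ;;
        esac
    done
    echo "$_status"
}

# ldd_mentions_liblzma TEXT
# Returns 0 (true) if ldd output lists liblzma, i.e. the binary would load it.
ldd_mentions_liblzma() {
    case $1 in
        *liblzma.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host: run the real commands on this machine when they are available.
# The sshd locations below are assumptions; adjust them for your system.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        _out=$(xz --version 2>/dev/null || true)
        echo "xz version status: $(xz_version_status "$_out")"
    else
        echo "xz not installed"
    fi
    for _sshd in /usr/sbin/sshd /usr/bin/sshd; do
        if [ -x "$_sshd" ] && command -v ldd >/dev/null 2>&1; then
            if ldd_mentions_liblzma "$(ldd "$_sshd" 2>/dev/null || true)"; then
                echo "$_sshd links liblzma (reachable by the backdoor if liblzma is 5.6.x)"
            else
                echo "$_sshd does not link liblzma"
            fi
            break
        fi
    done
}

check_host
```

A host is only exposed when both conditions hold: liblzma is one of the backdoored 5.6.x builds and sshd actually loads it. A 5.6.x install on a system whose sshd does not link libsystemd (or on macOS, where the build-time trigger never activates) is still worth downgrading, but it is not the remote-access scenario Red Hat warned about.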
Here is the status per distribution at the time of writing:
#RedHat: Vulnerable packages were identified in Fedora 41 and Fedora Rawhide. Users are advised to stop using affected versions until a secure build is provided.
#SUSE: Updates are available for openSUSE Tumbleweed and MicroOS.
#DebianLinux: Stable releases are unaffected, but compromised packages reached the testing, unstable and experimental branches. Users of those branches should update xz-utils.
#KaliLinux: Systems updated between March 26 and March 29 may have received the backdoored package and should be updated again to receive the fix. Systems last updated before March 26 are unaffected.
If you need more information on the payload and design specifics of this backdoor, I recommend the write-up maintained by thesamesam on GitHub.
So, this is it for this article. If you enjoyed this story, please click the 👏 button as many times as you want and share it to help others find it! Feel free to leave a comment below.