Red Hat Alerts Fedora Users of Critical Vulnerability in XZ Versions

In a significant security advisory released by Red Hat, the company has alerted users of Fedora 41 and Fedora Rawhide about a severe vulnerability in XZ, a widely used compression tool and library. The concern arises from versions 5.6.0 and 5.6.1 of XZ, which have been found to contain malicious code capable of permitting unauthorized remote system access.

The vulnerability, tracked under CVE-2024-3094, involves malicious code that was not apparent in the Git distribution of XZ but was included in the full download package. Specifically, an M4 macro required to trigger the build of the malicious code is absent from the Git distribution but included in the downloadable versions. This obfuscated code, when built, can interfere with the authentication process of sshd through systemd. Given SSH’s prevalence for remote system connections and sshd’s role in facilitating access, this vulnerability could potentially allow a malicious actor to bypass sshd authentication and gain remote access to the system.

This security flaw comes on the heels of the releases of XZ 5.6 and 5.6.1, which debuted one month and three weeks ago, respectively. As of now, there has been no release of XZ 5.6.2 or any version that addresses and removes this malicious code.

The urgency of this security issue has prompted Red Hat to publish a detailed warning on their blog, advising users to check their systems for the vulnerable versions of XZ. Similarly, Debian has issued a security message through their mailing list, emphasizing the gravity of the situation for users across different distributions.

Users and administrators are strongly advised to verify their installations and remove versions 5.6.0 and 5.6.1 of XZ from their systems immediately. Additional insights and information on the vulnerability have been shared by Andres Freund, with further details available on the oss-security list.

Source: Phoronix.