Security operations · 1 MIN READ · AARON WALTON · MAR 29, 2024 · TAGS: Alert / MDR / Vulnerability
Researchers identified a backdoor into the XZ Linux utility, via supply chain compromise. Here’s what you need to know.
This post was updated on April 1 to include some additional analysis and information.
What happened?
On March 29, 2024, researchers identified a backdoor in the XZ Linux utility which, if exploited, would open the door for threat actors to gain unauthorized access to critical systems. The malicious code is present in versions 5.6.0 and 5.6.1 of the XZ libraries. Because it was caught at an early stage of deployment, the backdoor wasn't introduced into many Linux distributions. According to public reporting, the following x86-64 distributions were impacted:
- Red Hat Fedora 41 and Red Hat RawHide
- Kali Linux (distributions released between March 26 and 29)
- openSUSE Tumbleweed and openSUSE MicroOS
- Arch Linux images created between February 24 and March 28
- Debian testing, unstable, and experimental versions
A maintainer introduced the malicious code. It’s unclear if the maintainer’s account was compromised or if the maintainer made the changes purposely.
If any of these impacted distributions in your environment use XZ 5.6.0 or 5.6.1, read on and take the recommended actions. Please note that Expel and our assemblers ARE NOT impacted.
Why does it matter?
The backdoor allows an actor with the public key to access and run commands as the root user. As root, the attacker would be able to run commands with the highest possible privileges.
At this time, we don’t understand the intent of the attacker, but it can’t be anything good.
What should you do right now?
First, identify hosts running XZ version 5.6.0 or 5.6.1 and downgrade them to version 5.4.6 or earlier. There is no mitigation other than replacing the malicious binary; downgrading to an earlier version removes the backdoor.
Next, contact your security and development teams to validate that only unaffected versions of XZ are in use in your environment. It's important that the compromised distributions aren't distributed any further within the environment.
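A host-level version check of the kind described above, as an added example that is not from the original post or the XZ project. It assumes the two-line `xz (XZ Utils) X.Y.Z` / `liblzma X.Y.Z` format that `xz --version` prints, and the sample strings it classifies are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or the XZ project.
# Flags hosts whose xz binary or liblzma is one of the backdoored
# 5.6.0 / 5.6.1 releases, using the output of `xz --version`.
# Assumed output format (two lines):
#   xz (XZ Utils) X.Y.Z
#   liblzma X.Y.Z

# True (exit 0) when a single version string is a backdoored release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print every version reported: the xz binary and the liblzma it links.
# Both matter, since a system can carry the binary and the library at
# different versions.
xz_versions_from_output() {
    printf '%s\n' "$1" | awk '/^xz \(XZ Utils\)/ { print $4 } /^liblzma/ { print $2 }'
}

# True (exit 0) if any reported component is a backdoored release.
xz_output_affected() {
    for v in $(xz_versions_from_output "$1"); do
        xz_version_affected "$v" && return 0
    done
    return 1
}

# Run the check on this host and print one line suitable for collection.
check_local_xz() {
    host=$(uname -n)
    if ! command -v xz >/dev/null 2>&1; then
        echo "$host: xz not installed"
        return 1
    fi
    out=$(xz --version 2>/dev/null)
    versions=$(xz_versions_from_output "$out" | tr '\n' ' ')
    if xz_output_affected "$out"; then
        echo "$host: AFFECTED ($versions) - downgrade to 5.4.6 or earlier"
        return 0
    fi
    echo "$host: ok ($versions)"
    return 1
}

# Constructed samples, so the classification runs without a real xz install.
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
xz_output_affected "$SAMPLE_AFFECTED" && echo "sample 1: AFFECTED"
xz_output_affected "$SAMPLE_CLEAN"    || echo "sample 2: ok"
check_local_xz || :
```

Collect the `check_local_xz` line from each host with whatever remote-execution tooling you already use; a host reporting AFFECTED is one to downgrade.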
What next?
We’re keeping a close eye on this situation as it unfolds. Since a maintainer introduced this malicious code, researchers are digging into other parts of the project that maintainer may have been involved with.
We’ll update this post with any big developments, but watch for ongoing updates from CISA, keep an eye on our socials (@ExpelSecurity) for any important updates and recommendations, and of course, get in touch with us if you have questions or concerns.