Red Hat has issued an “urgent security alert” warning of an attack detected in two versions of the popular XZ Utils data compression library (formerly known as LZMA Utils).

Attack details CVE-2024-3094

The attack, identified as CVE-2024-3094, has been given the highest possible CVSS score of 10.0. Indicating a threat of maximum severity. The Common Vulnerability Scoring System (CVSS) is used to assess the severity and security risk to the system using a scale of 0 to 10. The affected versions are 5.6.0 (released on February 24th) and 5.6.1 (released on March 9th) of XZ Utils.

Impact and recommended action

According to statements by the IBM subsidiary. The liblzma compilation process extracts a file of pre-compiled objects from a test file camouflaged in the source code. Thus allowing modification of specific functions in the liblzma code. This results in a modified library that can be used by any software linked to it. Making it easier to intercept and modify data interaction with that library.

Specifically, the malicious code seeks to interfere with the sshd daemon process for SSH (Secure Shell) through the systemd software suite. Potentially allowing an attacker to break sshd authentication and gain unauthorised access to the system remotely.

Origin and response

Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue. The malicious code was introduced by a user named Jia Tan (JiaT75) in a series of inputs to the Tukaani project on GitHub. In response, GitHub has disabled the Tukaani Project’s XZ Utils repository due to a violation of its terms of service.

Although there are no reports of active exploitation in the wild. Fedora Linux 40 users are advised to upgrade to version 5.4 of XZ Utils. Other affected distributions include Arch Linux, Kali Linux, openSUSE Tumbleweed and MicroOS, as well as all versions of Debian categorised as test, unstable or experimental.

As a precaution, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert. Urging users to downgrade XZ Utils to a non-compromised version (e.g. XZ Utils 5.4.6 Stable).

This incident highlights the importance of security in the software supply chain and underscores the need for continued vigilance by the cyber security community.

Read also: LockBit Locked Down