Red Hat Warns of Malware Embedded in Popular Linux Tool, Opening Doors for Unauthorized Access
Red Hat has issued an urgent security alert concerning a highly sophisticated supply chain attack that compromised recent versions of the widely-used xz compression utility.
Cybersecurity researchers identified malicious code inserted into the xz libraries (versions 5.6.0 and 5.6.1). This vulnerability, tracked as CVE-2024-3094, could enable threat actors to gain unauthorized remote access to compromised Linux systems via an SSH bypass.
Technical Analysis of the Exploit
- This flaw affects the core xz and xz-libs compression formats.
- The malicious payload was heavily obfuscated, triggering only during the build process using a specific, hidden M4 macro.
- Standard Git repository source code reviews would not detect the threat because they lack this M4 macro.
- If the malicious M4 macro is present during compilation, it interacts with second-stage artifacts in the repository to create a malicious build that interferes with sshd authentication.
The xz utility is essential for compressing large files across most Linux distributions.
The attack specifically targeted xz versions 5.6.0 and 5.6.1. The malicious code was designed to activate only when the malicious M4 macro was used during the build, hiding its presence in the source code.
During the build process, if the malicious macro is present, it downloads hidden artifacts to assemble the final malicious payload, which then compromises SSH authentication.
This is critical because SSH is the primary protocol for secure remote management of Linux systems. Successful compromise could allow attackers complete, unauthorized remote access.
Scope and Mitigation Strategies
Investigations confirm the impact on Red Hat’s ecosystem, primarily affecting Fedora Rawhide and Fedora 40 Beta users.
While Fedora 40 Beta packages contain the vulnerable libraries, Red Hat believes the attack did not fully succeed in these specific builds.
Importantly, Red Hat Enterprise Linux (RHEL) is confirmed unaffected by this vulnerability.
System administrators must act immediately:
- Halt usage of Fedora Rawhide instances for all activities.
- Downgrade all xz installations to the safe version 5.4.x.
Red Hat has published an update reverting the package for Fedora Linux 40 users through the standard update system. Administrators can manually force this update for faster protection.