Malicious code discovered in Linux distributions

A backdoor implanted into XZ Utils has found its way into popular Linux distributions.

CVE-2024-3094: malicious code in Linux distributions

Unknown actors implanted malicious code into versions 5.6.0 and 5.6.1 of XZ Utils, an open-source compression tool set. To make matters worse, the trojanized utilities found their way into several popular Linux builds released this March, so the incident is properly regarded as a supply-chain attack. The issue has been assigned CVE-2024-3094.

What makes this malicious implant so dangerous?

Initially, various researchers described the backdoor as letting attackers bypass sshd (the OpenSSH server process) authentication and gain unauthorized remote access to the operating system. Judging by the latest information, however, it is better classified not as an “authentication bypass” but as “remote code execution” (RCE). The backdoor hooks the RSA_public_decrypt function that sshd calls during public-key authentication, checks the data supplied by the connecting client against a hard-coded Ed448 public key and, only if that signature verifies, passes the command carried in the data to the system() function, leaving no trace in the sshd logs. Without the attacker’s private key, the hook does nothing, which is why the implant went unnoticed in normal use.

Which Linux distributions contain malicious utilities, and which are safe?

It’s known that XZ Utils versions 5.6.0 and 5.6.1 were included in the March builds of the following Linux distributions:

  • Kali Linux, but, according to the official blog, only the builds available between March 26 and March 29 (the blog also gives instructions for checking whether the trojanized versions of the utilities are installed);
  • openSUSE Tumbleweed and openSUSE MicroOS, available from March 7 to March 28;
  • Fedora 41, Fedora Rawhide, and Fedora Linux 40 beta;
  • Debian (testing, unstable and experimental distributions only);
  • Arch Linux – container images available from February 29 to March 29. However, archlinux.org states that, because Arch does not link its OpenSSH build against liblzma, the attack vector described above does not work on Arch Linux; updating the system is nonetheless strongly recommended.

According to official information, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise, openSUSE Leap, and Debian Stable are not affected. Other distributions should be checked manually for trojanized versions of XZ Utils.

How did the malicious code get to be implanted into the XZ Utils?

It appears to have been a maintainer handover that went wrong. The original maintainer of the XZ Utils project on GitHub passed control of the repository to an account that had been contributing to a number of data-compression repositories for several years. At some point, whoever was behind that account implanted a backdoor in the project code.

The near-miss epidemic that never happened

According to Igor Kuznetsov, head of our Global Research and Analysis Team (GReAT), exploitation of CVE-2024-3094 could potentially have become the largest-scale attack on the Linux ecosystem in its entire history, because it was aimed at SSH servers – the main remote-management tool of every Linux server on the internet. Had it reached stable distributions, we would probably have seen vast numbers of server compromises. Fortunately, CVE-2024-3094 was noticed while it was still confined to test and rolling distributions, where the latest software packages are used, so most Linux users remained unaffected. So far we have not detected any cases of CVE-2024-3094 actually being exploited.

How to stay safe?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that anyone who installed or updated an affected operating system in March downgrade XZ Utils to an earlier, uncompromised version (for example, 5.4.6) immediately, and then start searching for malicious activity.

If you installed a distribution that shipped a trojanized version of XZ Utils, it also makes sense to change any credentials that the threat actors could potentially have stolen from the system.

The presence of the trojanized liblzma on a host can be detected with the YARA rule for CVE-2024-3094.
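As an added example (not code from this article, from Kaspersky, or from any distribution’s advisory), the following POSIX shell helpers perform the two checks a practitioner would want first: whether the xz installed on the host is one of the two trojanized releases named above, and whether the sshd binary maps liblzma at all, which is the path the backdoor needs to reach the OpenSSH server. The function names are this example’s own; the version numbers 5.6.0, 5.6.1 and 5.4.6 are those given in the advisory.

```shell
#!/bin/sh
# Added example for triaging a host for CVE-2024-3094.
# Function names are assumptions of this example, not from any advisory.

# Return 0 (true) if the given XZ Utils version string is one of the two
# releases that carried the backdoor, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version number from the output of `xz --version`, whose
# first line looks like "xz (XZ Utils) 5.4.6". Prints nothing if the
# line does not match, so callers can treat an empty result as unknown.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Report on the xz installed on this host.
# Exit status: 0 = trojanized release found, 1 = not affected, 2 = unknown.
check_host_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "unknown: xz is not installed"
        return 2
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "unknown: could not parse 'xz --version' output"
        return 2
    fi
    if xz_version_affected "$ver"; then
        echo "AFFECTED: xz $ver is a backdoored release; downgrade (e.g. to 5.4.6) and hunt"
        return 0
    fi
    echo "not affected: xz $ver"
    return 1
}

# Does the OpenSSH server binary pull in liblzma? The implant lives in
# liblzma and only reaches sshd when sshd (via libsystemd on the affected
# distributions) loads that library. A "no" here means the RCE path is
# absent even if the package is trojanized; the package still needs
# downgrading.
# Exit status: 0 = liblzma is mapped, 1 = it is not, 2 = could not tell.
sshd_links_liblzma() {
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1 || return 2
    ldd "$sshd_bin" 2>/dev/null | grep -q 'liblzma'
}

# Run both checks when the file is executed as a script.
if check_host_xz; then
    echo "action: downgrade XZ Utils now and search for malicious activity"
fi
if sshd_links_liblzma; then
    echo "sshd maps liblzma: yes (the backdoor's path into sshd exists)"
else
    echo "sshd maps liblzma: no, or could not tell"
fi
```

The version check is deliberately a string match rather than a numeric comparison: only the two listed releases are known to be trojanized, and a later clean release must not be flagged. The ldd check is the reason the advisory treats Arch Linux differently from the other distributions, and it is worth keeping in any fleet-wide triage script.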

If you suspect that a threat actor may have gained access to your company’s infrastructure, we recommend using the Kaspersky Compromise Assessment service to uncover any past or ongoing attacks.
