CISA, Red Hat Warn About Supply Chain Compromise Affecting Linux Distributions

A backdoor has been implanted in the two latest versions of XZ Utils — a set of data compression software tools and libraries ‘present in nearly every Linux distribution,’ according to Red Hat.

Red Hat and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Friday about a supply chain compromise of XZ Utils software affecting Linux distributions.

The two latest versions of XZ Utils, a set of widely used data compression software tools and libraries, “contain malicious code that appears to be intended to allow unauthorized access,” Red Hat said in an advisory.


The implanted code is found in versions 5.6.0 and 5.6.1 of the XZ Utils libraries, according to IBM-owned Red Hat.

XZ Utils is “present in nearly every Linux distribution,” Red Hat said.

Users of Fedora Linux 40 “may have received version 5.6.0, depending on the timing of system updates,” Red Hat said, while Fedora Rawhide users “may have received version 5.6.0 or 5.6.1.”

“PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity,” Red Hat said in the post. “Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed.”

“Under the right circumstances this interference could potentially enable a malicious actor to break [Secure Shell Daemon] authentication and gain unauthorized access to the entire system remotely,” Red Hat wrote.

“No versions of Red Hat Enterprise Linux (RHEL) are affected,” the company said.

In its advisory, CISA noted that XZ Utils “may be present in Linux distributions” and that “the malicious code may allow unauthorized access to affected systems.”

“CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA,” the agency said.

The vulnerability that was inserted through the apparent supply chain hack is being tracked as CVE-2024-3094.
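The advisories above name the affected versions (5.6.0 and 5.6.1) and recommend downgrading to an uncompromised release such as 5.4.6. The following POSIX shell script is an added example written for this article, not a tool published by CISA, Red Hat or the XZ Utils project: it reads the version reported by the installed `xz` binary, flags the two versions the advisories name, and prints the recommended action. The `xz (XZ Utils) X.Y.Z` first-line format of `xz --version` is the real tool's output; the function names and the `XZ_CHECK_SKIP` guard are the example's own.

```shell
#!/bin/sh
# Added example: check whether the installed XZ Utils is one of the two
# versions named in the Red Hat and CISA advisories (CVE-2024-3094).

# Return 0 (true) when the version string is one of the versions the
# advisories name as carrying the implanted code, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version`,
# which the real tool prints as e.g. "xz (XZ Utils) 5.4.6".
# Prints nothing when the line does not match that format.
parse_xz_version_line() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Inspect the xz binary on PATH and print a verdict.
# Exit status: 0 = not an affected version, 1 = affected, 2 = inconclusive.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found on PATH; check liblzma via your package manager instead"
        return 2
    fi
    first_line=$(xz --version 2>/dev/null | head -n 1)
    ver=$(parse_xz_version_line "$first_line")
    if [ -z "$ver" ]; then
        echo "could not parse a version from: $first_line"
        return 2
    fi
    if xz_version_affected "$ver"; then
        echo "xz $ver is a version named in CVE-2024-3094: downgrade (e.g. to 5.4.6) and hunt for malicious activity"
        return 1
    fi
    echo "xz $ver is not one of the versions named in the advisories"
    return 0
}

# Usage: run the script directly. Setting XZ_CHECK_SKIP=1 (an assumed
# variable used only by this example) skips the live check so the helper
# functions can be sourced without touching the system.
if [ "${XZ_CHECK_SKIP:-0}" = "0" ]; then
    if ! check_installed_xz; then
        echo "action required or check inconclusive (see message above)"
    fi
fi
```

The version check only covers the `xz` command line tool; the library that sshd-related processes would load is liblzma, so on a packaged system pair this with the package manager's own query (for example `rpm -q xz-libs` on Fedora) and treat any 5.6.0 or 5.6.1 result the same way.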

Supply chain compromises include some of the most widely felt cyberattacks to date, including the SolarWinds supply chain attack of 2020 and Kaseya VSA attack of 2021. More recently, communications software maker 3CX suffered a supply chain compromise in March 2023.