Red Hat Exec: Linux Supply Chain Hack Was Caught Quickly

The insertion of a backdoor into code used by most Linux distributions was discovered and fixed ‘before it posed a significant risk to the broader Linux community,’ says Red Hat’s Vincent Danen.

The insertion of a backdoor into code used by most Linux distributions was discovered and fixed quickly, which should limit the impact of the supply chain hack, according to a Red Hat executive.

Red Hat and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Friday that the two latest versions of XZ Utils, a widely used set of data compression tools and libraries in Linux distributions, were found to have been compromised.


In response to questions from CRN, however, Red Hat confirmed that the affected software had not been widely deployed in Linux distributions. The exceptions are distributions that typically pull in new packages as soon as they are available, such as Fedora Rawhide and Debian unstable, which were impacted by the hack.

The implanted code is found in versions 5.6.0 and 5.6.1 of the XZ Utils libraries, according to IBM-owned Red Hat. The libraries “contain malicious code that appears to be intended to allow unauthorized access,” Red Hat said in an advisory.

In a comment provided to CRN, Red Hat’s Vincent Danen indicated that the worst potential outcomes from the compromise appear to have been averted.

“Red Hat, along with CISA and other Linux distributions, were able to identify, assess and help remediate this potential threat before it posed a significant risk to the broader Linux community,” said Danen, vice president of Red Hat product security.

Ultimately, “the malicious code found in the latest versions of the xz libraries show just how critical it is to have a vigilant and veteran Linux security team monitoring software supply chain channels,” he said.

A Microsoft engineer, Andres Freund, said in a post Friday that he discovered the vulnerability after noticing “odd” behavior in installations of Debian, a popular Linux distribution.

However, Freund noted that the compromised versions of XZ Utils “have not yet widely been integrated by linux distributions, and where they have, mostly in pre-release versions.”

Red Hat noted that while XZ Utils is “present in nearly every Linux distribution,” the affected versions, 5.6.0 and 5.6.1, were only released Feb. 24 and March 9, respectively.

Red Hat said in its advisory Friday that users of the Fedora Rawhide distribution of Linux should “immediately stop” all usage. “Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed,” the company said.

“Under the right circumstances this interference could potentially enable a malicious actor to break [Secure Shell Daemon] authentication and gain unauthorized access to the entire system remotely,” Red Hat wrote.

“No versions of Red Hat Enterprise Linux (RHEL) are affected,” the company added.

Supply chain compromises include some of the most widely felt cyberattacks to date, including the SolarWinds supply chain attack of 2020 and Kaseya VSA attack of 2021. More recently, communications software maker 3CX suffered a supply chain compromise in March 2023.

In its advisory, CISA said it “recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA.”

The vulnerability that was inserted through the apparent supply chain hack is being tracked as CVE-2024-3094.
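A defender reading the advisory above wants one quick check: is the installed xz or liblzma one of the two versions named as compromised (5.6.0 and 5.6.1), and if so, is a downgrade to the version CISA recommends (5.4.6) needed? The script below is an added example, not code from CRN, Red Hat or the XZ project; it parses the two lines `xz --version` prints (the tool's own version and the liblzma version, which may differ) and reports either. The sample outputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag xz / liblzma builds the advisory names as compromised
# (CVE-2024-3094) and recommend the uncompromised version CISA points to.

AFFECTED_VERSIONS="5.6.0 5.6.1"   # versions carrying the malicious code
SAFE_VERSION="5.4.6"              # "XZ Utils 5.4.6 Stable" per CISA

# Print the first X.Y.Z token on one line of `xz --version` output
# (e.g. "xz (XZ Utils) 5.6.1" or "liblzma 5.6.1"); print nothing if absent.
xz_version_from_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
    }'
}

# Exit 0 if the given version string is one of the compromised releases.
xz_version_is_affected() {
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Assess full `xz --version` output. Checks every version found, because the
# library (liblzma) is what sshd-related abuse would rely on, not the xz CLI.
# Prints "AFFECTED <ver>: downgrade to 5.4.6" (exit 0), "OK <versions>" (exit 1)
# or "UNKNOWN" (exit 2) when no version could be parsed.
xz_assess() {
    affected=""; seen=""
    while IFS= read -r line; do
        v=$(xz_version_from_line "$line")
        [ -n "$v" ] || continue
        seen="$seen $v"
        xz_version_is_affected "$v" && affected="$v"
    done <<EOF
$1
EOF
    [ -n "$seen" ] || { echo "UNKNOWN"; return 2; }
    if [ -n "$affected" ]; then
        echo "AFFECTED $affected: downgrade to $SAFE_VERSION"; return 0
    fi
    echo "OK$seen"; return 1
}

# Constructed samples: a compromised build and a clean one.
SAMPLE_COMPROMISED="xz (XZ Utils) 5.6.1
liblzma 5.6.1"
SAMPLE_CLEAN="xz (XZ Utils) 5.4.6
liblzma 5.4.6"
```

On a live host, run `xz_assess "$(xz --version 2>/dev/null)"` after sourcing the script; an exit status of 0 means the package matches an advisory-listed version.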