In a recent security announcement, Red Hat’s Information Risk and Security and Product Security teams have identified a critical vulnerability in the latest versions of the “xz” compression tools and libraries. The affected versions, 5.6.0 and 5.6.1, contain malicious code that could potentially allow unauthorized access to systems. Fedora Linux 40 users and those using Fedora Rawhide, the development distribution for future Fedora builds, are at risk.
The vulnerability, designated CVE-2024-3094, impacts users who have updated to the compromised versions of the xz libraries. Red Hat urges all Fedora Rawhide users to immediately cease using the distribution for both work and personal activities until the issue is resolved. Plans are underway to revert Fedora Rawhide to the safer xz-5.4.x version, after which it will be safe to redeploy Fedora Rawhide instances.
Although Fedora Linux 40 builds have not been confirmed to be compromised, Red Hat advises users to downgrade to a 5.4 build as a precautionary measure. An update reverting xz to 5.4.x has been released and is being distributed to Fedora Linux 40 users through the normal update system. Users can expedite the update by following instructions provided by Red Hat.
The malicious code found in the affected xz versions is obfuscated and targets the authentication process in sshd, which loads liblzma indirectly through systemd. This could allow a malicious actor to bypass sshd authentication and gain unauthorized remote access to the system. The code is only fully present in the release tarball; the Git repository lacks the M4 macro that triggers the build-time injection.
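The advisory names two release numbers (5.6.0 and 5.6.1) and recommends falling back to 5.4.x, and the paragraph above notes that it is the shared library, not only the `xz` command, that matters. The following script is an added example for this article (it is not Red Hat's or the xz project's code): it parses the two lines `xz --version` prints, classifies the tool and library versions separately against the numbers the advisory gives, and reports "affected" if either one is a compromised release. The function names and the sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article, Red Hat or the xz project):
# classify an installed xz / liblzma version against the release numbers
# the advisory names (5.6.0 and 5.6.1 carry the malicious code; 5.4.x is
# the recommended fallback).

# classify_xz_version VERSION
# Prints one word: "affected" for 5.6.0/5.6.1, "fallback" for any 5.4.x,
# "unlisted" for anything the advisory does not name (e.g. 5.2.x, 5.5.x).
classify_xz_version() {
    case "$1" in
        5.6.0|5.6.1) echo affected ;;
        5.4|5.4.*)   echo fallback ;;
        *)           echo unlisted ;;
    esac
}

# extract_xz_versions TEXT
# Parses the output of `xz --version`, which has the shape
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# and prints "TOOL_VERSION LIB_VERSION". The two can differ after a partial
# update, and the shared library is what sshd ends up loading via systemd,
# so both are checked.
extract_xz_versions() {
    tool=$(printf '%s\n' "$1" | awk '/^xz \(XZ Utils\)/ {print $NF}')
    lib=$(printf '%s\n' "$1" | awk '/^liblzma/ {print $NF}')
    printf '%s %s\n' "${tool:-none}" "${lib:-none}"
}

# assess_xz_output TEXT
# Prints "affected" if either the tool or the library reports a compromised
# release, "unlisted" if either is a version the advisory does not cover,
# and "fallback" only when both are 5.4.x.
assess_xz_output() {
    set -- $(extract_xz_versions "$1")
    t=$(classify_xz_version "$1")
    l=$(classify_xz_version "$2")
    if [ "$t" = affected ] || [ "$l" = affected ]; then
        echo affected
    elif [ "$t" = unlisted ] || [ "$l" = unlisted ]; then
        echo unlisted
    else
        echo fallback
    fi
}

# Constructed sample outputs (not captured from any real machine).
SAMPLE_COMPROMISED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_REVERTED='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
# Tool already reverted but the library package still on the bad release.
SAMPLE_MIXED='xz (XZ Utils) 5.4.6
liblzma 5.6.0'

# Live check of the local install; run as: sh xz_check.sh --live
report_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    out=$(xz --version 2>/dev/null)
    printf 'installed: %s -> %s\n' \
        "$(extract_xz_versions "$out")" "$(assess_xz_output "$out")"
}

if [ "${1:-}" = "--live" ]; then
    report_installed_xz
fi
```

A result of "unlisted" is deliberately not reported as safe: the script only knows the versions the advisory names, so anything else should be checked against the distribution's own package advisories rather than assumed clean.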
Investigations indicate that the malicious packages are present only in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No versions of Red Hat Enterprise Linux (RHEL) are affected. However, the injected code has been confirmed to build into the xz 5.6.x packages for Debian unstable (Sid), and other distributions may also be at risk.
Users of affected distributions are advised to stop using Fedora 41 or Fedora Rawhide immediately and consult with their information security teams for further guidance. Red Hat is actively working to address the issue and ensure the security of its users.