Backdoor Found in Widely Used Linux Utility xz Utils, Breaking Encrypted SSH Connections

A backdoor has been found in the widely used Linux utility xz Utils that breaks encrypted SSH connections. The malicious code was introduced into versions 5.6.0 and 5.6.1 of the compression tool, which is included in most Linux distributions, including Red Hat and Debian.

Confidence

70%

Doubts
  • It is not clear if the backdoor was intentionally introduced or discovered by accident.

Sources

78%

  • Unique Points
    • Malicious code planted in xz Utils has been circulating for more than a month. The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1.
    • Researchers have found a backdoor in widely used Linux distributions including Red Hat and Debian.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (80%)
    The article reports on a backdoor found in the widely used Linux utility xz Utils. The malicious code was introduced into versions 5.6.0 and 5.6.1 of the utility, which were incorporated into major Linux distributions such as Red Hat and Debian's beta releases, including Fedora Rawhide and Debian testing unstable distributions like Arch Linux that are not used in production systems.
    • The malicious code was introduced into versions 5.6.0 and 5.6.1 of the utility
    • Several people reported that multiple apps included in HomeBrew package manager for macOS rely on the backdoored version of xz Utils.
  • Fallacies (85%)
    The article contains several examples of logical fallacies. The author uses an appeal to authority by citing the opinions of security experts without providing any evidence or context for their claims. Additionally, the author relies on a false dilemma when stating that there are only two options: either the backdoor was discovered early due to bad actor sloppiness or it would have been catastrophic if not discovered. The article also contains inflammatory rhetoric by describing the malicious code as
    • The author uses an appeal to authority when citing security experts without providing any evidence or context for their claims.
    • <https://arstechnica.com/security/2024/03/>
    • <https://arstechnica.com/>
  • Bias (85%)
    The article reports on a backdoor found in a widely used Linux utility that breaks encrypted SSH connections. The author mentions the presence of malicious code planted in xz Utils and how it was discovered by Andres Freund. They also mention that several people reported using HomeBrew, which relies on the backdoored 5.6.1 version of xz Utils, but have since rolled back to a safer version.
    • Malicious code planted in xz Utils
    • Several people reported using HomeBrew and being affected by the malicious code
    • The presence of obfuscated code introduced on February 23 that added an install script injected into functions used by sshd, the binary file that makes SSH work
  • Site Conflicts Of Interest (50%)
    Dan Goodin has a conflict of interest on the topic of Supply Chain Attack as he is an author for Ars Technica, which covers this topic. He also has a financial tie to Red Hat and Debian as they are companies that provide Linux distributions.
    • SSH authentication breakage
    • valgrind issue: Valgrind malfunctioned due to the backdoor added by JiaT75, one of the main xz Utils developers with years of contributions to the project
  • Author Conflicts Of Interest (50%)
    The author has a conflict of interest on the topic of supply chain attacks as they have contributed to xz Utils, which was found to contain a backdoor. The article also mentions that JiaT75, one of the main developers with years of contributions to the project, added this backdoor.
    • The article also mentions that Red Hat and Debian are vulnerable due to supply chain attacks.
    • The article mentions that JiaT75, one of the main xz Utils developers with years of contributions to the project, added a backdoor.

72%

  • Unique Points
    • Red Hat released an urgent security alert warning users of malicious code embedded in certain versions of XZ Utils.
    • Fedora Linux distribution versions may be impacted by the malicious code.
  • Accuracy
    • Malicious code planted in xz Utils has been circulating for more than a month. The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1.
  • Deception (50%)
    The article is deceptive in several ways. Firstly, it states that Red Hat released an 'urgent security alert' warning users of malicious code embedded in certain versions of XZ Utils. However, the article does not provide any evidence to support this claim and only mentions that Red Hat has warned customers to stop using Fedora Rawhide instances for work or personal activity. Secondly, the article states that CVE-2024-3094 is embedded in XZ Utils versions 5.6.0 and 5.6.1, which may allow unauthorized access to impacted systems. However, this statement is not supported by any evidence provided in the article, and it's possible that CVE-2024-3094 does not exist or has been fixed already.
    • The article states that Red Hat released an 'urgent security alert', but there is no evidence to support this claim.
    • The article mentions CVE-2024-3094, but it's possible that it does not exist or has been fixed already.
  • Fallacies (85%)
    The article contains several fallacies. The author uses an appeal to authority by citing Red Hat and CISA as sources of information. This is a form of informal fallacy because the credibility of these organizations is not necessarily established or relevant to the topic at hand. Additionally, the author uses inflammatory rhetoric when describing the potential consequences of using malicious code in XZ Utils, such as allowing unauthorized access to entire systems. This is a form of informal fallacy because it exaggerates and sensationalizes the issue without providing evidence or context for its severity. The article also contains an example of a dichotomous depiction when describing the impact on Fedora Linux 40 users, stating that they may have received version 5.6.0 but not been compromised by it.
    • Red Hat on Friday released an "urgent security alert" warning users of malicious code embedded in certain versions of XZ Utils, a popular set of data compression software tools.
  • Bias (85%)
    The article contains a statement from Red Hat that certain versions of XZ Utils have malicious code embedded in them. This is an example of monetary bias as it implies that the company has financial interests at stake and wants to protect its customers. Additionally, there are statements about how this could potentially allow remote access to systems which may be used for nefarious purposes.
    • Red Hat on Friday released an "urgent security alert" warning users of malicious code embedded in certain versions of XZ Utils, a popular set of data compression software tools. Certain Fedora Linux distribution versions may be impacted,
  • Site Conflicts Of Interest (50%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (50%)
    None Found At Time Of Publication

78%

  • Unique Points
    • A vulnerability (CVE-2024-3094) in XZ Utils, the XZ format compression utilities included in most Linux distributions,
  • Accuracy
    • A vulnerability (CVE-2024-3094) in XZ Utils may enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.
    • Malicious code planted in xz Utils has been circulating for more than a month. The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1.
  • Deception (90%)
    The article is deceptive in several ways. Firstly, it states that the vulnerability (CVE-2024-3094) may enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely. However, this statement is not entirely accurate as it implies that any version of XZ Utils with CVE-2024-3094 would allow for such an attack. In reality, only versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) are affected by the vulnerability.
    • The article states that Red Hat has urged users of Fedora Rawhide to immediately stop using it, but this is not entirely accurate as no versions of Red Hat Enterprise Linux (RHEL) are affected.
    • The article states that CVE-2024-3094 may enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely, but this is not entirely accurate. Only versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) are affected by the vulnerability.
  • Fallacies (80%)
    None Found At Time Of Publication
  • Bias (85%)
    The article reports on a vulnerability in XZ Utilities that may allow a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely. The cause of the vulnerability is malicious code present in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries, which was accidentally found by Andres Freund, a PostgreSQL developer and software engineer at Microsoft.
    • About CVE-2024-3094: According to Red Hat, the malicious injection in the vulnerable versions of the libraries is obfuscated and only included in full in the download package.
    • The cause of the vulnerability is actually malicious code present in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries, which was accidentally found by Andres Freund.
  • Site Conflicts Of Interest (50%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (50%)
    The author has a conflict of interest on the topic of XZ Utilities as they have reported that it was backdoored and that malicious code interferes with sshd authentication via systemd. The article also mentions Red Hat Enterprise Linux (RHEL), which is a product from Microsoft, who may be biased towards their own products.
    • The resulting malicious build interferes with authentication in sshd via systemd.

76%

  • Unique Points
    • Red Hat is warning that a vulnerability in XZ Utils, the XZ format compression utility included in many Linux distributions, is a backdoor. Users should either downgrade the utility to a safer version or disable ssh entirely so that the backdoor cannot be exploited.
    • The code injection vulnerability (CVE-2024-3094) injects code into the authentication process that allows a malicious actor to gain remote access to the system. The flaw has been assigned a CVSS score of 10.0 and is present in xz versions 5.6.1 and earlier.
    • The US Cybersecurity and Infrastructure Security Agency (CISA) advised developers and users to downgrade XZ Utils to an earlier, uncompromised version, such as XZ Utils 5.4.6 Stable.
  • Accuracy
    • The problematic code is in the newer versions of xz/liblzma, so it may not be as widely deployed, and impacted distributions that have not yet released these versions are less likely to be affected.
  • Deception (50%)
    The article is deceptive in several ways. Firstly, the author claims that XZ Utils has a backdoor when there is no evidence to support this claim. Secondly, the author states that Red Hat has reverted its xz version to 5.4.x and given the all-clear without providing any information on what was done or why it was necessary for them to do so.
    • The article claims that XZ Utils has a backdoor, but there is no evidence provided to support this claim.
  • Fallacies (85%)
    None Found At Time Of Publication
  • Bias (85%)
    The article contains a statement from the author that implies bias. The author states 'Red Hat is warning that a vulnerability in XZ Utils, the XZ format compression utility included in many Linux distributions is a backdoor.' This statement suggests an opinion on whether or not the vulnerability should be considered as such and could potentially influence readers to view it differently.
    • The code injection vulnerability (CVE-2024-3094) injects code into the authentication process that allows a malicious actor to gain remote access to the system.
  • Site Conflicts Of Interest (50%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication