Red Hat Issues Security Alert for Backdoored XZ Utils Versions with CVSS Score of 10.0

Red Hat has issued a security alert regarding two versions of XZ Utils (previously LZMA Utils) that have been backdoored with malicious code designed to allow unauthorized remote access. The software supply chain compromise, tracked as CVE-2024-3094, impacts XZ Utils versions 5.6.0 and 5.6.1 and has a CVSS score of 10.0, indicating maximum severity.

The malicious code embedded in the library is designed to interfere with the sshd daemon process for SSH via the systemd software suite, potentially enabling a threat actor to break sshd authentication and gain unauthorized access to the system remotely under certain circumstances. The backdoor was intentionally planted in xz Utils by an unknown person or group.

Given that there are currently no reports of active exploitation in the wild, Fedora Linux 40 users are advised to downgrade to a 5.4 build out of an abundance of caution.

The discovery was made entirely by accident: Microsoft developer Andres Freund noticed high CPU usage by an SSH process on a Debian system and began investigating further.



Confidence

90%

Doubts
  • It is not clear if the backdoor was intentionally planted in xz Utils by an unknown person or group, or if it was discovered accidentally.

Sources

83%

  • Unique Points
    • xz Utils is a data compression utility available on almost all installations of Linux and other Unix-like operating systems.
    • The backdoor was intentionally planted in xz Utils by an unknown person or group.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (85%)
    The article contains several fallacies. The author uses an appeal to authority by citing the opinions of software engineer Filippo Valsorda and developer Andres Freund without providing any evidence or context for their expertise in this matter.
    • Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.
    • This might be the best executed supply chain attack we’ve seen described in the open, and it’s a nightmare scenario: malicious, competent, authorized upstream in a widely used library.
  • Bias (85%)
    The article contains examples of religious bias and ideological bias. The author uses language that depicts one side as extreme or unreasonable.
    • Andres Freund, a developer and engineer working on Microsoft's PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH.
    • Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.
    • On Friday, researchers revealed the discovery of a backdoor that was intentionally planted in xz Utils.
    • What is xz Utils?
    • xz Utils provides critical functions for compressing and decompressing data during all kinds of operations.
  • Site Conflicts Of Interest (50%)
    The article discusses a backdoor in the xz Utils library that was almost used to infect the world. The author has financial ties with a company that provides security services related to this topic.
    • Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.
    • xz Utils provides critical functions for compressing and decompressing data during all kinds of operations.
  • Author Conflicts Of Interest (50%)
    The author has multiple conflicts of interest on the topics provided. The article discusses malware updates and supply chain attacks, which could be influenced by financial ties with companies in those industries. Additionally, the article mentions a widely used library and its competent upstream, which could lead to personal relationships or professional affiliations with developers in that community.
    • The article discusses supply chain attacks which could be influenced by financial ties with companies in those industries.
    • The author mentions 'a widely used library' and its 'competent, authorized upstream'. This could suggest personal relationships or professional affiliations with developers in that community.
    • The author mentions 'malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.' This suggests financial ties with companies in the software industry.

72%

  • Unique Points
    • An urgent Linux backdoor was discovered entirely by accident this week.
    • Red Hat warned that recent versions of Fedora operating systems contained malicious code for backdoor access.
    • Debian issued a similar warning.
    • Microsoft developer Andres Freund notified the Linux security Openwall Project after stumbling on the exploit. Freund said discovering it really required a lot of coincidences, starting with him probing curiously high CPU usage by an SSH process.
    • xz Utils is a data compression utility available on almost all installations of Linux and other Unix-like operating systems. The backdoor was intentionally planted in xz Utils by an unknown person or group. Researchers have spent the weekend gathering clues about the incident.
  • Accuracy
    • Red Hat warned that recent versions of Fedora operating systems contained malicious code for backdoor access.
    • Debian issued a similar warning.
    • Freund said discovering it really required a lot of coincidences, starting with him probing curiously high CPU usage by an SSH process.
    • xz Utils is a data compression utility available on almost all installations of Linux and other Unix-like operating systems.
    • The backdoor was intentionally planted in xz Utils by an unknown person or group.
    • Researchers have spent the weekend gathering clues about the incident.
  • Deception (50%)
    The article is deceptive in several ways. Firstly, the title claims that the backdoor was discovered entirely by accident, which is not true, as Freund intentionally searched for high CPU usage by an SSH process. Secondly, the author implies that Red Hat and Debian were responsible for discovering and warning about the malicious code, when it was actually Microsoft developer Andres Freund who found it. Lastly, there are no sources disclosed in this article.
    • The title claims that the backdoor was discovered entirely by accident, which is not true, as Freund intentionally searched for high CPU usage by an SSH process.
  • Fallacies (85%)
    The article contains an appeal to authority fallacy by citing the warnings issued by Red Hat and Debian. The author also uses inflammatory rhetoric when describing the backdoor as 'urgent' and 'malicious'. Additionally, there is a dichotomous depiction of Microsoft developer Andres Freund, who discovered the exploit.
    • Red Hat urgently warned this week that recent versions of Fedora operating systems contained malicious code for backdoor access. Debian issued a similar warning.
  • Bias (85%)
    The author uses the word 'urgent' to describe the discovery of a Linux backdoor. This is an example of sensationalism and could be seen as biased towards creating fear in readers.
    • An “urgent” Linux backdoor was discovered entirely by accident this week.
  • Site Conflicts Of Interest (50%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (50%)
    None Found At Time Of Publication

84%

  • Unique Points
    • Red Hat released an urgent security alert warning that two versions of XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access. The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0 and impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).
    • The nefarious code baked into the code is designed to interfere with the sshd daemon process for SSH via the systemd software suite, potentially enabling a threat actor to break sshd authentication and gain unauthorized access to the system remotely under certain circumstances.
    • Given that there are currently no reports of active exploitation in the wild, it is recommended that Fedora Linux 40 users downgrade to a 5.4 build out of an abundance of caution.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (90%)
    The article reports on a security alert issued by Red Hat regarding two versions of the XZ Utils library that have been backdoored with malicious code. The software supply chain compromise has a CVSS score of 10.0 and impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9). The article describes the complex obfuscations used to modify specific functions in the liblzma code, which allows an attacker to intercept and modify data interaction with this library, potentially enabling unauthorized remote access to a system under certain circumstances.
    • The malicious backdoor introduced by CVE-2024-3094 is designed to interfere with the sshd daemon process for SSH via the systemd software suite.
  • Fallacies (85%)
    The article reports on a security alert issued by Red Hat regarding two versions of the XZ Utils library that have been backdoored with malicious code. The fallacy found in this article is an appeal to authority. While it's important to consider statements made by experts and organizations, it's also important to critically evaluate their claims and not blindly accept them as true without evidence or further investigation.
    • The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).
    • Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue on Friday.
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (50%)
    The article reports on a secret backdoor found in the XZ Utils library that impacts major Linux distributions. The author of the article is not disclosed.
    • liblzma build process extracting a prebuilt object file from a disguised test file existing in the source code
    • modifying specific functions in the liblzma code
  • Author Conflicts Of Interest (0%)
    None Found At Time Of Publication