Microsoft has published detailed FAQs and guidance on a critical vulnerability in XZ Utils. The vulnerability, tracked as CVE-2024-3094, carries a critical severity rating and is the result of a software supply chain compromise. XZ Utils is a data compression tool used across many Linux distributions and plays a key role in handling software packages, kernel images, and more.
Microsoft's response includes key recommendations for affected users. The company advises downgrading to a secure version of XZ Utils and using Microsoft Defender Vulnerability Management and Microsoft Defender for Cloud.
The vulnerability was discovered by Microsoft employee Andres Freund "by accident" while he was investigating performance issues with SSH on a Debian system. Freund noticed unusual behavior tied to the XZ Utils updates, which led him to uncover the intentional backdoor planted in versions 5.6.0 and 5.6.1 of XZ Utils.
The backdoor allows an attacker holding the matching private key to subvert SSH operations and obtain root access to the system. It works through a five-stage loader that tampers with the function resolution process, letting the attacker execute arbitrary commands remotely.
The Linux distributions affected by the vulnerability, with the corresponding advisories:

| Distribution | Advisory |
|---|---|
| Fedora Rawhide | https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users |
| Fedora 41 | https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users |
| Debian testing, unstable and experimental distributions, versions 5.5.1alpha-0.1 to 5.6.1-1 | https://lists.debian.org/debian-security-announce/2024/msg00057.html |
| openSUSE Tumbleweed and openSUSE MicroOS | https://news.opensuse.org/2024/03/29/xz-backdoor/ |
| Kali Linux (Discovery supported) | https://www.kali.org/blog/about-the-xz-backdoor/ |
Notably, Red Hat Enterprise Linux (RHEL) releases are unaffected. Ubuntu, one of the most popular Linux distributions, is also unaffected because it ships the older 5.4 series of XZ Utils.
In addition to the above, to check whether your Linux system is affected by the vulnerability:
- Run `xz --version` in a terminal to see which version of XZ Utils is installed. If the output reports version 5.6.0 or 5.6.1, the system may be vulnerable.
- If the system is running a vulnerable version of XZ Utils, update it immediately, especially on .deb- or .rpm-based distributions using glibc. Prioritize systems running systemd with SSH ports exposed to the public internet, as these face the most immediate risk.
- If you suspect the system may already have been compromised, review audit logs for anomalies that could indicate unauthorized access or unusual activity.
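The version check above can be scripted for triage across a fleet. The following is an added example, not part of Microsoft's guidance: it parses `xz --version` output, flags the two backdoored releases named in the advisory, and reports whether the sshd binary links liblzma (the sshd path and the availability of `ldd` are assumptions).

```shell
#!/bin/sh
# Triage helper for CVE-2024-3094 (added example, not Microsoft's tooling).

# Extract the XZ Utils version from the first line of `xz --version`
# output, e.g. "xz (XZ Utils) 5.6.1". Prints only the version number.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Extract the liblzma version from the "liblzma X.Y.Z" line, since the
# backdoor lives in the library rather than the xz front end.
liblzma_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*$/\1/p'
}

# Returns 0 (true) when the version is one of the backdoored releases.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Reports whether sshd links liblzma, the path the loader hooks into.
# Assumes a default sshd path and that `ldd` is present.
sshd_links_liblzma() {
    sshd_path="${1:-/usr/sbin/sshd}"
    if [ -x "$sshd_path" ] && ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
        echo linked
    else
        echo not-linked
    fi
}

# Full check on the running host: prints a one-line verdict.
check_host() {
    out="$(xz --version 2>/dev/null)" || { echo "xz not installed"; return 0; }
    xzv="$(xz_version_from_output "$out")"
    libv="$(liblzma_version_from_output "$out")"
    if xz_version_is_backdoored "$xzv" || xz_version_is_backdoored "$libv"; then
        echo "xz $xzv / liblzma $libv: KNOWN BACKDOORED RELEASE (CVE-2024-3094); sshd liblzma: $(sshd_links_liblzma)"
    else
        echo "xz $xzv / liblzma $libv: not a known backdoored release"
    fi
}

# Run the host check only when invoked with --run, so the file can be sourced.
if [ "${1:-}" = "--run" ]; then check_host; fi
```

A non-backdoored version number does not prove a clean host; treat the script as a first-pass filter and follow it with the audit-log review above.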
To read Microsoft's recommendations and detailed FAQs, you can visit the Microsoft Tech Community page here.