Executive Summary
On March 29, 2024, Red Hat warned users to immediately stop using systems running Fedora development and experimental versions because of a backdoor, tracked as CVE-2024-3094, found in the latest XZ Utils data compression tools and libraries. Red Hat has warned all users to discontinue any use of Fedora 41 or Fedora Rawhide for work or personal purposes and has reverted XZ Utils to the 5.4.x series in Fedora 40 Beta. Other Linux distributions impacted by the supply chain compromise include Kali Linux, openSUSE Tumbleweed, openSUSE MicroOS, and the Debian testing, unstable and experimental versions.
Community Threat Assessment
Due to the temporary reversion of XZ to 5.4.x and the suspension of Fedora 41 and Fedora Rawhide for work or personal use recommended by Red Hat, the RH-ISAC Intelligence Team assesses that CVE-2024-3094 presents a substantial threat to organizations in the retail and hospitality sector. RH-ISAC recommends Core Members review the information included in this report and the linked material, which contains additional details regarding the campaign and the vulnerability.
Technical Details
XZ Utils is a general-purpose data compression format and toolset present in nearly every Linux distribution, both community projects and commercial product distributions. XZ compresses large files into smaller, more manageable sizes for sharing via file transfer, and decompresses them again on the receiving side.
CVE-2024-3094 is a reported supply chain compromise of the XZ utility libraries that enables remote, unauthenticated interference with the entire SSHD authentication process, potentially allowing an attacker to gain unauthorized access to the system.
Current investigation indicates that the packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No versions of Red Hat Enterprise Linux (RHEL) are affected.
The malicious CVE-2024-3094 injection present in the XZ 5.6.0 and 5.6.1 libraries is only included in the tarball download package. The current Git distribution lacks the M4 macro that triggers the build of the malicious code enabling CVE-2024-3094. The second-stage artifacts are present in the Git repository and are injected at build time only if the malicious M4 macro is present. Without that step in the build, the second-stage file is not malicious.
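The following POSIX shell script is an added example, not part of this advisory or of the XZ project, that a defender can run on a host to check whether the installed XZ Utils is one of the two backdoored releases named above (5.6.0 and 5.6.1) and whether the local sshd binary dynamically links liblzma. It assumes `xz --version` prints a first line of the form `xz (XZ Utils) 5.6.1` and that `ldd` is available; the version list is taken from the advisory text.

```shell
#!/bin/sh
# Added example (not from the RH-ISAC advisory or the XZ project).
# Flags hosts running the backdoored XZ Utils releases (CVE-2024-3094).

# Return 0 (true) when the version string is one of the two affected
# releases named in the advisory, otherwise 1.
xz_version_affected() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the version number from `xz --version` output.
# Assumed format of the first line: "xz (XZ Utils) 5.6.1" -> prints "5.6.1".
parse_xz_version() {
  printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# True when the sshd binary on this host dynamically links liblzma, the
# library the backdoored releases ship. Assumes ldd is installed.
sshd_links_liblzma() {
  sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  [ -x "$sshd_bin" ] || return 1
  ldd "$sshd_bin" 2>/dev/null | grep -q 'liblzma'
}

# Combined host check: exit 0 if the host looks affected, 1 otherwise.
check_installed_xz() {
  if ! command -v xz >/dev/null 2>&1; then
    echo "xz not installed"
    return 1
  fi
  ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
  if xz_version_affected "$ver"; then
    echo "WARNING: xz $ver is a backdoored release (CVE-2024-3094)"
    sshd_links_liblzma && echo "WARNING: sshd links liblzma on this host"
    return 0
  fi
  echo "xz ${ver:-unknown} is not one of the affected releases"
  return 1
}

# Run the host check only when invoked as: sh xzcheck.sh --check
if [ "${1:-}" = "--check" ]; then
  check_installed_xz
fi
```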