A researcher has discovered a backdoor in the XZ Utils tools used by many Linux distributions.
Red Hat warns of a backdoor in the XZ Utils data compression tools and libraries in the Fedora development and experimental versions.
Red Hat strongly advises users to immediately stop using systems running on Fedora development and experimental versions due to the presence of a backdoor in the latest versions of the "xz" tools and libraries.
Red Hat Information Risk and Security and Red Hat Product Security have determined that the Fedora Linux 40 beta shipped two builds of the xz libraries, xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm, which contain malicious code apparently intended to enable unauthorized access.
Experts added that Fedora 40 Linux does not appear to be vulnerable, and they recommend that all users of the Fedora 40 Linux beta version revert to version 5.4.x.
Microsoft engineer Andres Freund discovered the backdoor, which is tracked as CVE-2024-3094 (CVSS score 10).
"PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity. Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed. Note that Fedora Rawhide is the development distribution of Fedora Linux and serves as the basis for future Fedora Linux builds (in this case, the yet-to-be-released Fedora Linux 41)," says the warning published by Red Hat.
"It is currently unknown whether Fedora Linux 40 builds have been affected."
XZ is a popular data compression format implemented in almost all Linux distributions, including both community-developed and commercial versions.
The malicious code discovered by the researchers is obfuscated and present only in the release tarballs. The Git repository does not contain it, because the M4 macro needed to inject the malicious code during the build is absent from the source tree. The malicious build compromises authentication in sshd, which it reaches through systemd.
The Debian security team has also issued a warning about the vulnerability and confirmed that the stable versions of Debian are not affected.
“Andres Freund discovered that the upstream source tarballs of xz-utils, the XZ-format compression utilities, are compromised and inject malicious code into the resulting liblzma5 library at build time. Right now no Debian stable versions are known to be affected. Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01) up to and including 5.6.1-1,” the warning states.
The package has been reverted to the upstream 5.4.5 code, published under the package version 5.6.1+really5.4.5-1. Users of Debian testing and unstable are advised to update their xz-utils packages.
CISA has also issued an alert recommending that users downgrade to an uncompromised version of XZ Utils (specifically 5.4.6 Stable) and hunt for any malicious activity.
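A triage script in the spirit of the CISA advice, written as an added example for this page and not taken from any of the advisories quoted here. It treats the version ranges named above (Fedora's 5.6.0 builds and Debian's 5.5.1alpha-0.1 through 5.6.1-1) as the affected set, recognises Debian's `+really` revert label so the fixed package is not misreported, and assumes `xz`, `ldd` and `sshd` are on PATH or in /usr/sbin.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-3094 (example, not from the advisories quoted
# here): flags the backdoored xz releases named on this page, understands
# Debian's "+really" revert label, and checks whether sshd loads liblzma.

# Debian's fixed package is labelled 5.6.1+really5.4.5-1: the real upstream
# code is what follows "+really", so strip the fake prefix before comparing.
upstream_version() {
    case "$1" in
        *+really*) printf '%s\n' "${1#*+really}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Return 0 if the (package or upstream) version falls in the affected set:
# the 5.5.x alphas and 5.6.0/5.6.1 listed by the Debian and Fedora advisories.
xz_version_affected() {
    case "$(upstream_version "$1")" in
        5.5.*|5.6.0*|5.6.1*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Pull "X.Y.Z" out of the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the local sshd links liblzma (directly or via libsystemd), the
# path the malicious build used; 2 if no sshd binary is present.
sshd_links_liblzma() {
    bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$bin" ] || return 2
    ldd "$bin" 2>/dev/null | grep -q liblzma
}

main() {
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then echo "xz not found on this host"; return 0; fi
    if xz_version_affected "$ver"; then
        echo "xz $ver is an affected release: downgrade to 5.4.x (CISA: 5.4.6)"
        if sshd_links_liblzma; then
            echo "sshd links liblzma: treat the host as compromised"
        fi
        return 1
    fi
    echo "xz $ver is not one of the affected releases"
}

main "$@"
```

The script exits non-zero only when an affected release is installed, so it can be dropped into a fleet-wide check that collects hosts needing the downgrade.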