Red Hat has raised a critical alert after a supply chain attack was discovered in the widely used xz compression tool. Security researchers found that certain recent versions of the library were tampered with, introducing hidden malicious functionality.
This issue, identified as CVE-2024-3094, impacts versions 5.6.0 and 5.6.1. The injected code is designed to stay hidden during normal review processes and only becomes active during the software build stage. Once active, it can interfere with SSH authentication, potentially allowing attackers to gain unauthorized access to affected systems.
Technical Impact and Mitigation
The attack is highly sophisticated, as the malicious components are not fully visible in the main source code. Instead, they rely on additional build-time elements to assemble and execute the payload. This makes detection difficult using standard code inspection methods.
Once deployed, the compromised library can alter how SSH authentication behaves, creating an opportunity for attackers to bypass normal security checks and access systems remotely.
Key highlights:
- CVE-2024-3094 affects xz and xz-libs versions 5.6.0 and 5.6.1
- Malicious code is triggered during the build process
- Targets SSH authentication mechanisms
- Impacts Fedora Rawhide, Fedora 40 Beta, Debian unstable, and openSUSE
- Red Hat Enterprise Linux (RHEL) remains unaffected
Immediate Actions
- Downgrade to trusted xz version 5.4.x
- Stop using Fedora Rawhide until systems are secured
- Apply official patches and updates from Red Hat
- Monitor systems for unusual SSH behavior
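A quick way to act on the first item is to compare the installed xz / xz-libs build against the two affected releases. The script below is an added example, not Red Hat's tooling; it assumes the two-line format of `xz --version` and the Fedora `name-version-release.arch` rpm naming, and the sample strings are constructed.

```shell
#!/bin/sh
# Added example (not Red Hat's tooling): flag xz / xz-libs builds named in
# CVE-2024-3094. The affected list (5.6.0, 5.6.1) comes from the advisory text.

AFFECTED="5.6.0 5.6.1"

# xz_is_affected VERSION -> exit 0 if VERSION is a listed release, 1 otherwise
xz_is_affected() {
    for bad in $AFFECTED; do
        [ "$1" = "$bad" ] && return 0
    done
    return 1
}

# Constructed sample of `xz --version` output; the real command prints two lines.
SAMPLE_OUTPUT=$(printf 'xz (XZ Utils) 5.6.1\nliblzma 5.6.1')

# Pull the liblzma line out of `xz --version` output. The library line is the
# one that matters: sshd ends up loading liblzma, not the xz binary.
liblzma_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Extract the upstream version from an rpm name such as "xz-libs-5.6.1-2.fc40.x86_64"
# (constructed sample; assumed Fedora name-version-release.arch layout).
version_from_rpm_name() {
    printf '%s\n' "$1" | sed -n 's/^xz\(-libs\)\{0,1\}-\([0-9][0-9.]*\)-.*/\2/p'
}

# verdict VERSION -> prints "affected", "safe", or "unknown" (empty / unparsed input)
verdict() {
    [ -n "$1" ] || { echo unknown; return 0; }
    if xz_is_affected "$1"; then echo affected; else echo safe; fi
}

# Live check of this host, only where the tools exist; never fails the script itself.
if command -v xz >/dev/null 2>&1; then
    echo "liblzma (xz --version): $(verdict "$(liblzma_version_from_output "$(xz --version 2>/dev/null)")")"
fi
if command -v rpm >/dev/null 2>&1; then
    for pkg in $(rpm -q xz xz-libs 2>/dev/null | grep -v 'not installed' || true); do
        echo "$pkg: $(verdict "$(version_from_rpm_name "$pkg")")"
    done
fi
```

A "safe" verdict only says the version is not one of the two listed releases; it does not replace applying the vendor's updates.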
Even though active exploitation has not been widely reported, the nature of this compromise makes it a high-risk issue. Prompt action is necessary to protect systems from potential unauthorized access.