Malicious backdoor code embedded in popular Linux tool, CISA and Red Hat warn

The software company Red Hat and the nation’s top cybersecurity agency released a Good Friday warning about malicious code being embedded in a popular Linux tool.

The issue — tagged as CVE-2024-3094 — affects XZ Utils, a tool that helps compress large file formats into smaller more manageable ones for sharing via file transfer. The tool is present in nearly every Linux distribution, according to Red Hat. The company released an advisory about the issue on Friday afternoon.

The Cybersecurity and Infrastructure Security Agency said that alongside the open source community they are “responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1” which “may allow unauthorized access to affected systems.” 

“CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA,” the agency said in a notice.

Red Hat’s security team learned of the vulnerability on Thursday, finding that the latest version of XZ contained malicious code apparently intended for unauthorized access. 

CISA declined to provide more information beyond what was in its advisory. Red Hat did not respond to requests for comment about how many systems were affected, who was behind the campaign or where most victims are located. 

Red Hat’s advisory notes in all caps that certain users should stop usage for work or personal activity “immediately” and provided links to updates that can be used to mitigate the vulnerability. 

Under the right circumstances, a hacker could use the vulnerability to break in remotely and have access to the entire system. 

“Current investigation indicates that the packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No versions of Red Hat Enterprise Linux (RHEL) are affected,” Red Hat explained.  

“Other distributions may also be affected. Users of other distributions should consult with their distributors for guidance. For both personal and business activities, immediately stop using Fedora 41 or Fedora Rawhide. If you are using an affected distribution in a business setting, we encourage you to contact your information security team for next steps.”

Microsoft engineer Andres Freund discovered the issue this week, with researchers finding issues going back as far as March 26. Some experts believe it is a sophisticated effort to target open source supply chains and several researchers are racing to discover the source of the malicious code. 

Cybersecurity expert John Bambenek said it seems the library at issue “tends to be installed by default on modern Linux distributions so organizations should immediately prioritize downgrading the package until a safe update is released, even if they don’t use the tools themselves."