Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor

April 1, 2024 at 10:06AM

Multiple major Linux distributions have been hit by a supply chain attack through the XZ Utils data compression library: a backdoor was planted in its liblzma component that can give an attacker unauthenticated remote access to hosts running sshd. Several distributions shipped the malicious versions, and tools are available to detect the tainted library. Reverting to an untainted version of XZ Utils removes the backdoor, as advised by the US cybersecurity agency CISA.

Key points from the article:

1. A supply chain attack involving a backdoored version of the XZ Utils data compression library (and its liblzma library) has impacted major Linux distributions.
2. The backdoor was discovered by Microsoft software engineer Andres Freund. The malicious code was introduced in XZ Utils version 5.6.0, released in February 2024, and is also present in 5.6.1.
3. Red Hat tracks the issue as CVE-2024-3094, with a CVSS score of 10.0 out of 10.
4. The backdoored liblzma is pulled into sshd on distributions whose OpenSSH build links libsystemd (for service notification), because libsystemd in turn links liblzma. Once loaded, the malicious code hooks sshd's RSA public key handling so that an attacker holding the matching private key can bypass authentication and execute commands, giving unauthenticated remote access to affected systems.
5. The affected Linux distributions include Fedora Rawhide, Fedora Linux 40 beta, openSUSE Tumbleweed, openSUSE MicroOS, Kali Linux (packages shipped between March 26 and March 29, 2024), and Arch Linux.
6. Debian and Ubuntu stable releases do not include the backdoored packages (Debian testing and unstable did receive them briefly), and some other Linux distributions are also not affected.
7. Security researchers have released a script to scan for the malicious library, and CISA has advised downgrading XZ Utils to a clean version and checking affected systems for malicious activity.
8. Reverting the affected packages to the 5.4.x series of the library eliminates the backdoor; XZ Utils 5.4.6 is the latest stable, uncompromised release.
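The triage a practitioner wants from points 4, 7 and 8 is: which xz/liblzma version is installed, and does sshd actually load liblzma on this host. The following POSIX shell script is an added example, not the article's detection script or any distribution's tooling. It assumes sshd lives at /usr/sbin/sshd (override by passing a path) and that `xz --version` prints `xz (XZ Utils) <version>` on its first line; the sample version output embedded in it is constructed for the self-check.

```shell
#!/bin/sh
# Added example: triage script for the XZ Utils backdoor (CVE-2024-3094).
# Not the article's script or any distribution's tooling.
# Assumptions (not from the article): sshd lives at /usr/sbin/sshd, and
# `xz --version` prints "xz (XZ Utils) <version>" on its first line.

# Constructed sample of `xz --version` output, used for the self-check.
SAMPLE_XZ_VERSION_OUTPUT="xz (XZ Utils) 5.6.0
liblzma 5.6.0"

# Extract the version number from `xz --version` output (last field of line 1).
parse_xz_version() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Releases known to carry the backdoor: 5.6.0 and 5.6.1. Exit 0 if tainted.
is_backdoored_xz_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 if sshd's resolved shared-library set includes liblzma (directly or
# transitively, e.g. via libsystemd), 1 if not, 2 if it cannot be determined.
# ldd lists transitive dependencies, so the libsystemd -> liblzma hop shows up.
sshd_links_liblzma() {
  sshd_path="${1:-/usr/sbin/sshd}"
  [ -x "$sshd_path" ] || return 2
  command -v ldd >/dev/null 2>&1 || return 2
  ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma' && return 0
  return 1
}

# Report installed xz version and sshd's exposure; exit 1 if a tainted
# release is installed, 0 otherwise.
main() {
  status=0
  if command -v xz >/dev/null 2>&1; then
    ver="$(parse_xz_version "$(xz --version 2>/dev/null)")"
    [ -n "$ver" ] || ver="unknown"
    if is_backdoored_xz_version "$ver"; then
      echo "ALERT: xz $ver installed (backdoored release); downgrade to 5.4.6"
      status=1
    else
      echo "ok: xz $ver is not a known backdoored release"
    fi
  else
    echo "note: xz not found on PATH"
  fi

  sshd_links_liblzma "$1"
  case $? in
    0) echo "note: sshd loads liblzma, so a tainted liblzma is reachable from sshd" ;;
    1) echo "ok: sshd does not load liblzma" ;;
    *) echo "note: could not inspect sshd (missing binary or ldd)" ;;
  esac
  return $status
}

# Run the scan only when invoked as: sh xz_triage.sh scan [/path/to/sshd]
case "${1:-}" in
  scan) main "${2:-}" ;;
esac
```

Run it with `sh xz_triage.sh scan`. The version check is only a first pass: it trusts the version string, so a host where the package metadata was altered, or where a tainted liblzma was installed outside the package manager, still needs the byte-level check the article's detection script performs, and any host that ran a 5.6.x build with sshd exposed should be reviewed for signs of compromise, not just downgraded. Note also that `ldd` can execute the dynamic loader against the file it inspects; here it is run only against the system's own sshd binary.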

In short: check the installed xz and liblzma version on every host, confirm whether sshd loads liblzma, downgrade any 5.6.0 or 5.6.1 installation to 5.4.6, and review hosts that ran a tainted build with sshd exposed for signs of malicious activity.
