TL;DR

A backdoor was introduced into the XZ Linux utility via a supply chain compromise. The backdoor affects newer Linux distribution releases from roughly the last 30 days.


The details:

  • On March 29, 2024 (today), researchers identified a backdoor in the XZ Linux utility. Many standard Linux applications use the XZ utility, and it’s included in many distributions by default.
  • The XZ Linux utility is used by a variety of software, most notably the Secure Shell Protocol (SSH). Software beyond the affected Linux distributions may also be affected. At this time, we do not have a comprehensive list of what software may be built from the affected Linux distributions and, in turn, how that software uses the compromised XZ Linux utility.
  • This issue is tracked as CVE-2024-3094.


Why we are telling you:

  • Linux distributions in your environment may be impacted if they use XZ 5.6.0 or 5.6.1
  • Expel and our assemblers are not impacted


Immediate recommendations:

  • Identify hosts running XZ version 5.6.0 or 5.6.1 and downgrade to 5.4.6 or earlier.
  • Involve your internal security and development teams to validate that only unaffected versions of XZ are in use in your environment.
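One way to carry out the first recommendation on an individual host, added here as an example and not part of the original advisory: the script below parses the output of `xz --version` and flags the two backdoored releases, 5.6.0 and 5.6.1. The function names and the sample outputs are ours (the samples are constructed to match the normal two-line `xz --version` format); the only real command it invokes is `xz --version`, and only when `xz` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed XZ Utils
# version is one of the two releases named in CVE-2024-3094 (5.6.0, 5.6.1).

# Return 0 (true) when the given version string is 5.6.0 or 5.6.1.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version` output,
# which has the form "xz (XZ Utils) 5.6.1" followed by a "liblzma ..." line.
# Prints nothing if the line does not match.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Given raw `xz --version` output, print a verdict and return
# 0 if affected, 1 if not affected, 2 if the output could not be parsed.
classify_xz_output() {
    ver=$(parse_xz_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse xz version from output"
        return 2
    fi
    if xz_version_affected "$ver"; then
        echo "AFFECTED: xz $ver (CVE-2024-3094) - downgrade to 5.4.6 or earlier"
        return 0
    fi
    echo "OK: xz $ver is not one of the backdoored releases"
    return 1
}

# Constructed sample outputs (hypothetical, for demonstration only).
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Check the real host only if xz is installed; the verdict is printed either way.
if command -v xz >/dev/null 2>&1; then
    classify_xz_output "$(xz --version 2>/dev/null)" || true
fi
```

The exit codes let the same function be dropped into a fleet-wide inventory script (for example, run over SSH or by a configuration management tool) so affected hosts can be collected rather than read off a screen. Where a package manager is present, its own record of the installed package (for example `rpm -q xz` on RPM-based systems or `dpkg -l xz-utils` on Debian-based systems; package names vary by distribution) is a useful cross-check against a binary that has been replaced outside of package management.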


References:

https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/

https://www.openwall.com/lists/oss-security/2024/03/29/4