Huge backdoor discovered that could compromise SSH logins on Linux

Updates required for Debian sid, Fedora 40, Fedora Rawhide, openSUSE Tumbleweed, and openSUSE MicroOS

Microsoft employee Andres Freund has shared his finding of odd symptoms in the xz package on Debian installations. Freund noticed that SSH logins were using a lot of CPU and decided to investigate, which led to the discovery.

The vulnerability has received the maximum security ratings, with a CVSS score of 10 and a Red Hat Product Security critical impact rating.

Red Hat assigned the issue CVE-2024-3094, but based on the severity and a previous major bug being named Heartbleed, the community has cheekily given the vulnerability a more vulgar name and inverted the Heartbleed logo.

Luckily the vulnerability has been caught early

Red Hat wrote: “Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.”

The malicious injection is present only in the tarball download packages of xz versions 5.6.0 and 5.6.1. The Git distribution does not include the M4 macro that triggers the code. The second-stage artifacts are present in the Git repository, ready to be injected at build time if the malicious M4 macro is present. Without the merge into the build, the second-stage file is innocuous.

Users are advised to check for xz version 5.6.0 or 5.6.1 in the following distributions and downgrade to 5.4.6. If you cannot downgrade, you should disable public-facing SSH servers.
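The version check recommended above can be scripted. The following is an added example, not code from Red Hat or the xz project: the function names and the sample input are constructed for illustration, and it assumes the usual two-line `xz --version` output plus Debian-style `+really` revert strings in package versions.

```shell
#!/bin/sh
# Added example (not from the article): flag the xz/liblzma releases the
# article names as backdoored, 5.6.0 and 5.6.1.

# classify_xz_version VERSION -> affected | reverted | not-affected | unknown
classify_xz_version() {
    v=${1#*:}                       # drop a distro epoch such as "1:"
    case $v in
        *+really*)
            # Debian-style revert string: the code shipped is the version
            # after "+really", so classify that part.
            if [ "$(classify_xz_version "${v#*+really}")" = affected ]; then
                echo affected
            else
                echo reverted
            fi
            return 0 ;;
    esac
    # Keep the leading upstream x.y.z, dropping packaging suffixes like "-1".
    up=$(printf '%s\n' "$v" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case $up in
        5.6.0|5.6.1) echo affected ;;
        "")          echo unknown ;;
        *)           echo not-affected ;;
    esac
}

# check_xz_output: read `xz --version` text on stdin, print one verdict per
# component, return 1 if the xz tool or liblzma is an affected release.
check_xz_output() {
    status=0
    while read -r name rest; do
        case $name in
            xz)      ver=${rest##* } ;;   # "(XZ Utils) 5.6.1" -> "5.6.1"
            liblzma) ver=$rest ;;
            *)       continue ;;
        esac
        result=$(classify_xz_version "$ver")
        echo "$name $ver: $result"
        if [ "$result" = affected ]; then status=1; fi
    done
    return "$status"
}

# Constructed sample of `xz --version` output (not captured from a real host).
SAMPLE='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
printf '%s\n' "$SAMPLE" | check_xz_output || echo "downgrade to 5.4.6"
```

On a real host, pipe `xz --version` into `check_xz_output`, or pass the package manager's reported liblzma version string to `classify_xz_version`.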

James is a tech journalist covering interconnectivity and digital infrastructure as the web hosting editor at TechRadar Pro. James stays up to date with the latest web and internet trends by attending data center summits, WordPress conferences, and mingling with software and web developers. At TechRadar Pro, James is responsible for ensuring web hosting pages are as relevant and as helpful to readers as possible and is also looking for the best deals and coupon codes for web hosting. When James is not at his desk he enjoys hiking in the mountains close to his home in California.