The BSI has issued a warning about a critical vulnerability, rated 10.0, in the XZ tool within Linux. Only Fedora 41 and Fedora Rawhide in the Red Hat family are affected. Since the vulnerability has now become known in the media, attacks can also be expected.
The BSI, the Federal Office for Information Security, warns of a critical vulnerability that is being spread through malicious code in Linux distributions. The open source provider Red Hat announced on 29 March 2024 that malicious code had been discovered in versions 5.6.0 and 5.6.1 of the “xz” tools and libraries which allows authentication in sshd to be bypassed via systemd. The vulnerability was published as CVE-2024-3094.
Contaminated libraries in the download package
The injected code, which is contained in xz versions 5.6.0 and 5.6.1, is obfuscated and is only fully present in the download package: the only thing missing from the Git distribution is the macro that triggers the generation of the malicious code. The malicious code then interacts with sshd, the service that grants users access to the system via the SSH protocol.
So far only Fedora 41 and Fedora Rawhide are affected within the Red Hat family. No versions of Red Hat Enterprise Linux (RHEL) are affected. However, there is a possibility that other distributions could also be affected.
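A first triage step on any Linux host is to check whether the installed xz reports one of the two versions named above. The following script is an added example and is not part of the BSI advisory or of the xz project; it assumes the usual two-line `xz --version` banner (an `xz (XZ Utils) x.y.z` line followed by a `liblzma x.y.z` line) and treats a version match as a reason for follow-up, not as proof either way.

```shell
#!/bin/sh
# Added example, not from the BSI advisory: flag an xz / liblzma install
# whose reported version is one of the two releases the advisory names,
# 5.6.0 or 5.6.1. Assumes the usual `xz --version` banner layout:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# A version match is a first triage step only; a package rebuilt from a
# patched or downgraded source may report a different version string.

# Print every dotted version number found in the banner, one per line.
xz_versions_in_banner() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+'
}

# Exit 0 if either the xz tool or the liblzma line reports 5.6.0 or 5.6.1.
# The leading [^0-9.] guard stops a string such as "15.6.0" from matching.
xz_banner_is_affected() {
    printf '%s\n' "$1" | grep -Eq '(^|[^0-9.])5\.6\.[01]([^0-9.]|$)'
}

# Map a banner to a one-word verdict that scripts and reports can consume.
classify_xz_banner() {
    if xz_banner_is_affected "$1"; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Check the xz found on PATH, if any; return non-zero when it is affected
# so the script can be used as a gate in inventory or CI jobs.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 0
    fi
    banner=$(xz --version 2>/dev/null)
    verdict=$(classify_xz_banner "$banner")
    echo "xz: $verdict ($(xz_versions_in_banner "$banner" | tr '\n' ' '))"
    [ "$verdict" = "not-affected" ]
}

check_local_xz
```

Run it on each host in an inventory and treat any "affected" verdict as a system to rebuild or downgrade per the distribution's guidance.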
CVSS score – 10 out of 10
The vulnerability was rated “critical” with the highest possible CVSS score – 10 out of 10. Further details on the exploitation of CVE-2024-3094 are now available. Various Linux distributors also published statements on the question of which operating systems could be affected.
xz is a universal data compression format that is included in almost every Linux distribution, both community projects and commercial product distributions. Essentially, it compresses (and later decompresses) large files into smaller, more manageable sizes for sharing via file transfer.
The vulnerability has received a lot of public attention since the first information was published on March 29th. In conjunction with its critical CVSS score, it can be assumed that attack attempts will take place in the short term.
More at BSI.Bund.de
About the Federal Office for Information Security (BSI)
The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.