Urgent security flaw found in multiple major Linux distros

anonpuffs

article link: https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html

Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros


RedHat on Friday released an "urgent security alert" warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.
The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).
"Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code," the IBM subsidiary said in an advisory.

"This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."
Specifically, the nefarious code baked into the code is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely "under the right circumstances."
Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue on Friday. The heavily obfuscated malicious code is said to have been introduced over a series of four commits to the Tukaani Project on GitHub by a user named JiaT75.

Seems like someone nefarious was contributing to the open source codebase for over 2 years in order to introduce a backdoor into Linux.
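
Added example, not part of the original post or the quoted article: a shell check a defender could run to see whether a host reports one of the two XZ Utils versions named above (5.6.0, 5.6.1) and whether its sshd binary is linked against liblzma. The function names and the `/usr/sbin/sshd` fallback path are assumptions of this example.

```shell
# Added example (not from the article): flag the XZ Utils releases named in
# CVE-2024-3094, i.e. versions 5.6.0 and 5.6.1.

# Pull version strings out of `xz --version` output, which has the form:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
parse_xz_versions() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^xz (XZ Utils) \([0-9][0-9a-z.]*\).*$/\1/p' \
        -e 's/^liblzma \([0-9][0-9a-z.]*\).*$/\1/p'
}

# Succeeds only for the two releases the article lists as impacted.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if either the xz tool or liblzma reports an affected version.
output_is_affected() {
    for v in $(parse_xz_versions "$1"); do
        if is_affected_version "$v"; then return 0; fi
    done
    return 1
}

# Succeeds if the given `ldd` output lists liblzma as a dependency.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Inspect the local host. /usr/sbin/sshd is an assumed fallback path.
check_host() {
    out=$(xz --version 2>/dev/null) || { echo "xz not found"; return 2; }
    if output_is_affected "$out"; then
        echo "AFFECTED: xz/liblzma 5.6.0 or 5.6.1 is installed"
        sshd_path=$(command -v sshd 2>/dev/null) || sshd_path=/usr/sbin/sshd
        if [ -x "$sshd_path" ] && links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "sshd ($sshd_path) is linked against liblzma"
        fi
        return 1
    fi
    echo "OK: xz reports no affected version"
}

# Run the host check only when asked, e.g.: sh xz_check.sh --check
if [ "${1:-}" = "--check" ]; then check_host; fi
```

A version match only shows that an affected release is installed; it does not show whether the backdoor code was ever reached on that host.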