Summary
- Microsoft has discovered a dangerous backdoor vulnerability in XZ Utils, affecting multiple Linux distros.
- The backdoor is present in XZ Utils versions 5.6.0 and 5.6.1.
- Remote triggering is possible through SSH ports.
- CISA recommends downgrading to XZ Utils version 5.4.6 Stable.
A few days ago, we learned that the Python Package Index (PyPI) had temporarily restricted the creation of new accounts and package submissions to its portal following a malware campaign in which attackers uploaded malicious packages to the index in a coordinated manner. Now, Microsoft has detailed a new vulnerability affecting Linux distributions, discovered recently by a company employee.
Are Linux distros compromised?
A few days ago, a Microsoft employee named Andres Freund stumbled across a dangerous backdoor vulnerability in XZ Utils while investigating a slight, but mysterious, delay in SSH connectivity. For those unaware, XZ Utils is a data compression utility that is commonly present in popular Linux distros and while it is generally considered feature-complete, it turns out that someone had been embedding malicious code into the software, claiming that they were introducing "great new features".
This backdoor is present in versions 5.6.0 and 5.6.1 of XZ Utils, and it can be triggered remotely by an unprivileged system connecting to SSH ports, potentially leading to a compromise in security and performance degradation. Tagged as CVE-2024-3094, the backdoor has been assigned a vulnerability score (CVSS) of 10.0, the maximum possible rating on the scale used by the National Institute of Standards and Technology (NIST). While an investigation is still underway, the malware is known to affect many Linux distros, including Fedora Rawhide, Fedora 41, openSUSE Tumbleweed, openSUSE MicroOS, Kali Linux, and some unstable and experimental versions of Debian.
Am I safe? What should I do?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended that organizations downgrade to an older version of XZ Utils, specifically version 5.4.6 Stable. You can find out which version of XZ Utils is installed on your Linux system by running the command xz --version in a terminal or over an SSH session.
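The check described above, written out as a small POSIX shell script. This is an added example and not code from the article or from the XZ Utils project: it parses the output of xz --version (whose first line reads "xz (XZ Utils) <version>" and whose second line reads "liblzma <version>") and flags the two backdoored releases named above, 5.6.0 and 5.6.1. The two sample outputs embedded in the script are constructed so the functions can be exercised offline; the function names are my own. A version match is the signal the article describes; confirm against your distribution's advisory, since packaged builds can differ from upstream.

```shell
#!/bin/sh
# Added example (not from the article): flag the backdoored XZ Utils releases
# 5.6.0 and 5.6.1 (CVE-2024-3094) from `xz --version` output.

# Return 0 (true) when the given version string is one of the two backdoored
# releases named in the article, 1 otherwise.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.4.6" -> "5.4.6".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Pull the liblzma version out of the "liblzma 5.4.6" line; the backdoor lives
# in liblzma, so this line matters as much as the xz binary's own version.
parse_liblzma_version() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p'
}

# Assess a block of `xz --version` output. Prints a verdict and returns 0 when
# neither component is an affected release, 2 when either one is.
assess_xz_output() {
    xzver=$(parse_xz_version "$1")
    libver=$(parse_liblzma_version "$1")
    status=0
    for v in "$xzver" "$libver"; do
        if [ -n "$v" ] && xz_version_is_affected "$v"; then
            status=2
        fi
    done
    if [ "$status" -eq 2 ]; then
        printf 'AFFECTED: xz=%s liblzma=%s (CVE-2024-3094); downgrade to 5.4.6\n' "$xzver" "$libver"
    else
        printf 'OK: xz=%s liblzma=%s\n' "$xzver" "$libver"
    fi
    return "$status"
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Live check of the current host when xz is installed; otherwise say so and
# return 0 so the script can be used in a non-fatal pre-flight.
check_local_xz() {
    if command -v xz >/dev/null 2>&1; then
        assess_xz_output "$(xz --version 2>/dev/null)"
    else
        printf 'xz not found on this host\n'
        return 0
    fi
}

# Usage: run `check_local_xz` to inspect this machine, or pass captured
# `xz --version` output from another host to `assess_xz_output`.
```

The exit status (0 clean, 2 affected) makes the script usable from configuration management or a fleet-wide SSH loop, where the printed line is collected and the return code drives the downgrade decision.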
In its own official guidance, Microsoft has recommended that customers use the company's security solutions, such as Defender Vulnerability Management, Defender for Cloud, and Microsoft Security Exposure Management, to identify signs of potential impact from the backdoor vulnerability. You can find out more about how to use these tools in Microsoft's dedicated blog post.
