This message is intended for U-M IT staff who are responsible for university Linux systems using XZ Utils versions 5.6.0 and 5.6.1. This may also be of interest to individuals using the above on personal computers.
Summary
Malicious code in XZ Utils versions 5.6.0 and 5.6.1 creates backdoor access via SSH in some Linux distributions. Note that:
- Most of the affected distributions are beta releases.
- Systems are only vulnerable if they accept inbound SSH connections.
Those using or managing systems with affected versions of XZ Utils should assume that this vulnerability is being or will be exploited by its creators, and should take action to remediate this vulnerability.
Problem
Malicious code in the compression library XZ Utils deployed to some Linux distributions can create a backdoor via compromised SSH connections for threat actors to access affected systems.
Affected Systems
Linux distributions using XZ Utils versions 5.6.0 and 5.6.1 are affected.
macOS Homebrew users: Homebrew is forcibly downgrading XZ Utils from the 5.6.x versions to 5.4.6 as a precaution.
Action Items
Maintainers of your Linux distribution will provide distribution-specific guidance on how to remediate this vulnerability. Follow the vendor's directions to replace XZ Utils with an unaffected version.
All users of affected systems that accept inbound SSH connections should look for possible signs of compromise on those systems, focusing on the time frame during which the vulnerable versions of XZ Utils were installed. Refer to Checking Systems for Signs of Compromise for guidance on checking your system(s).
The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). Those using or managing affected systems should take action to remediate this vulnerability as soon as possible.
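The following is an added example, not part of this advisory or of any vendor's guidance, that performs the two read-only checks the Action Items and Technical Details sections imply: whether the installed XZ Utils is one of the two affected releases (5.6.0 or 5.6.1), and whether this host is exposed through sshd (sshd is listening, and the sshd binary links liblzma). The function names, the --run flag, and the sample version string in the comments are assumptions of this example; the version parsing is written against the output format of `xz --version`.

```shell
#!/bin/sh
# Added example (not from the U-M advisory): report whether this Linux host
# runs an affected XZ Utils release and whether sshd is exposed.
# Usage: sh check_xz.sh --run

# Return 0 (true) if the version string is one of the two affected releases.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version number from `xz --version` output.
# Constructed sample input: "xz (XZ Utils) 5.6.1" -> prints "5.6.1"
parse_xz_version() {
    printf '%s\n' "$1" | head -n 1 | awk '{print $NF}'
}

# Query the real system. Returns 0 if an affected version is installed,
# 1 if not affected, 2 if xz is not found in PATH.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found in PATH"
        return 2
    fi
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if is_affected_version "$ver"; then
        echo "AFFECTED: XZ Utils $ver is installed; follow your vendor's guidance"
        return 0
    fi
    echo "not affected: XZ Utils $ver"
    return 1
}

# Heuristic from the Technical Details: does the sshd binary link liblzma
# (directly or through systemd)? Returns 0 if liblzma appears in `ldd` output.
sshd_links_liblzma() {
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_bin" ] || return 1
    ldd "$sshd_bin" 2>/dev/null | grep -q liblzma
}

# Is sshd listening on any TCP socket? Needs `ss` (iproute2); run as root so
# process names are shown. Returns 0 if a listening sshd socket is found.
sshd_listening() {
    ss -ltnp 2>/dev/null | grep -q '"sshd"'
}

main() {
    check_installed_xz
    xz_rc=$?
    if sshd_listening; then
        echo "sshd is accepting inbound connections"
        if sshd_links_liblzma; then
            echo "sshd links liblzma (the backdoor's load path on affected distributions)"
        fi
        [ "$xz_rc" -eq 0 ] && echo "ACTION: remediate now and review this host for signs of compromise"
    else
        echo "sshd is not listening; the advisory rates this host as not exposed"
    fi
}

case "${1:-}" in
    --run) main ;;
esac
```

The version check is exact-match on the two releases named in the advisory rather than a range comparison, so a distribution's patched build that reports a different version string is not misreported; if your vendor ships a fixed build that still reports 5.6.x, rely on the vendor's guidance rather than this check.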
Technical Details
Malicious code in the compression library XZ Utils, deployed to some Linux distributions, can create a backdoor for threat actors to access affected systems. The malicious code interferes with authentication in sshd, reaching it through the systemd support that some distributions build into sshd. In some cases this can allow a threat actor to bypass sshd authentication and gain unauthorized remote access to the system.