Linux XZ Utils and SSH Backdoor

This message is intended for U-M IT staff who are responsible for university Linux systems using XZ Utils versions 5.6.0 and 5.6.1. This may also be of interest to individuals using the above on personal computers.

Summary

Malicious code in XZ Utils versions ​​5.6.0 and 5.6.1 creates backdoor access via SSH in some Linux distributions. Note that:

  • Most of the affected distributions are beta releases.
  • Systems are only vulnerable if they accept inbound SSH connections.

Those using or managing systems with affected versions of XZ Utils should assume that this vulnerability is being or will be exploited by its creators, and should take action to remediate this vulnerability.

Problem

Malicious code in the compression library XZ Utils deployed to some Linux distributions can create a backdoor via compromised SSH connections for threat actors to access affected systems.

Affected Systems

Linux distributions using XZ Utils versions 5.6.0 and 5.6.1 are affected.

MacOS Homebrew users: MacOS Homebrew is being forcibly downgraded from 5.6.x versions to 5.4.6 as a precaution.

Action Items

Maintainers of your linux distribution will have distribution-specific guidance on how to remediate this vulnerability. Follow vendor directions to replace XZ Utils with an unaffected version.

All users of affected systems that accept inbound SSH connections should look for possible signs of compromise on those systems, focussing on the timeframe in which the vulnerable versions of XZ Utils were installed. Refer to Checking Systems for Signs of Compromise for guidance on checking your system(s).

The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). Those using or managing affected systems should take action to remediate this vulnerability as soon as possible.

Technical Details

Malicious code in the compression library XZ Utils, deployed to some Linux distributions, can create a backdoor for threat actors to access affected systems. The malicious code interferes with authentication in sshd via systemd. In some cases this can allow a threat actor to break sshd authentication and gain unauthorized remote access to the system.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.