Red Hat has recently reported malicious code embedded in XZ Utils versions 5.6.0 and 5.6.1. XZ Utils is a set of XZ-format compression utilities that ships with many Linux distributions. The vulnerability has been assigned CVE-2024-3094.

“This attack has echoes of SolarWinds with code silently injected into the supply chain using xz that, given certain configurations, would allow remote unauthenticated access,” says Saumitra Das, Vice President of Engineering at Qualys. “It is unclear what the full attack kill chain would be once the attack played out, but such attacks are generally very hard to detect at an early stage.”

According to the announcement, the malicious insertion in the vulnerable versions is present in full only in the download package.
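A host-side check for the two affected releases, added here as an example and not taken from the Red Hat announcement or from Qualys; it assumes a POSIX shell and `xz --version` output in the usual `xz (XZ Utils) 5.6.1` / `liblzma 5.6.1` form (the sample text inside the block is constructed):

```shell
#!/bin/sh
# Added example (not from the article, Red Hat or Qualys): report whether
# an xz/liblzma build identifies itself as one of the two releases named
# in CVE-2024-3094. Assumes a POSIX shell and `xz --version`-style output.

# Return 0 when the version string is one of the two affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version`-style lines from stdin and print every component
# that reports an affected version. Exit 0 if any was found, else 1.
scan_xz_version_output() {
    found=1
    while read -r name rest; do
        # The version number is the last whitespace-separated field.
        ver="${rest##* }"
        [ -z "$rest" ] && ver="$name"
        if xz_version_affected "$ver"; then
            echo "affected: $name $ver"
            found=0
        fi
    done
    return $found
}

# Constructed sample standing in for a real `xz --version` run.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# On a live host, replace the sample with: xz --version 2>/dev/null
printf '%s\n' "$SAMPLE_OUTPUT" | scan_xz_version_output
```

A version match only shows that a host carries an affected release; whether the package came from the tarball the announcement describes still needs to be confirmed against the distribution's package source.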

Saumitra says, “These types of incidents further highlight the need for defense in depth to provide for detections at different stages of the kill chain. Shift left and shift right. Shift left would not be sufficient in this scenario, and observing system behavior on the network or the endpoint for malicious binaries, C2 or other anomalous activities would be needed to have a chance at detecting the attack. This also highlights the need for understanding our software supply chain better. SBOM is just the first step, telling us about software ingredients. The next step would be to verify the source of those ingredients themselves. The GitHub committer who put this in, how that open source component is maintained and by whom are all relevant questions we will need to take into account.”