CISA Alert of March 29, 2024:
CISA and the open source community are responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. This activity was assigned CVE-2024-3094. XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems.
CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA.
See the following advisory for more information:
In related coverage, @KaliLinux@infosec.exchange posted the following earlier today:
As of the information we have currently, the following is true. Should more information come to light, we will continue to keep this situation updated.
The xz package, starting from versions 5.6.0 to 5.6.1, was found to contain a backdoor. This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized access to the entire system remotely. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.
More information can be found at https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/ and https://www.openwall.com/lists/oss-security/2024/03/29/4
They later added:
If you would like to be sure that you are up to date and not affected by this vulnerability, you can do the following to upgrade your local version of the package:
sudo apt update && sudo apt install —only-upgrade liblzma5
More information on upgrading packages can be found here: https://www.kali.org/docs/general-use/updating-a-package/