CVE-2024-3094: Managed Threat Hunting Queries in CORTEX

Researchers from the Open Source Security Foundation have found a backdoor in XZ Utils, a compression tool widely used in Linux distributions, including those of Red Hat and Debian.

The malicious code was introduced in XZ Utils versions 5.6.0 and 5.6.1, but there is no evidence that it has been incorporated into any release of the major distributions. However, it may be present in testing or experimental versions.

The situation could have been extremely serious given that Linux is widely used on Internet servers.

Affected versions and mitigation measures

The major Linux distributions recommend rolling back to versions prior to the inclusion of XZ Utils 5.6.0 and 5.6.1 or migrating to updated versions.

It is advisable to consult the advisory page of your specific distribution for additional updates and guidance.

Distro | Affected versions
Red Hat | Fedora Linux 40 and Fedora Rawhide
Debian | No Debian stable versions are known to be affected. Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1.
Kali | The impact of this vulnerability affected Kali between March 26-29. If you updated your Kali installation on or after March 26, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before March 26, you are not affected by this backdoor vulnerability.
openSUSE | openSUSE Tumbleweed and openSUSE MicroOS between March 7th and March 28th 2024.
Alpine | 5.6 versions prior to 5.6.1-r2
Arch | Installation medium 2024.03.01; virtual machine images 20240301.218094 and 20240315.221711; container images created between and including 2024-02-24 and 2024-03-28
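For hosts without an EDR inventory, the same version check can be run locally. The following script is an added example, not part of the original post or of Cortex: it parses the output of `xz --version` (which prints one line for the `xz` binary and one for `liblzma`) and flags the upstream versions 5.6.0 and 5.6.1. Distro package strings such as Debian's `5.6.1-1` or Alpine's `5.6.1-r2` are reduced to their upstream part before comparison, so the table above still decides whether a given distro revision was rebuilt with the backdoor removed (Alpine's `5.6.1-r2`, for instance, is listed as fixed). The sample outputs are constructed; `check_local_host()` is the only part that touches the running system.

```python
import re
import subprocess

# Upstream XZ Utils releases that carried the backdoor (from the advisory above).
AFFECTED_UPSTREAM = {"5.6.0", "5.6.1"}

# `xz --version` prints e.g. "xz (XZ Utils) 5.6.1" followed by "liblzma 5.6.1".
VERSION_RE = re.compile(r"^(xz \(XZ Utils\)|liblzma)\s+(\d+\.\d+\.\d+\S*)", re.MULTILINE)

# Constructed sample outputs used for the demonstration below.
SAMPLE_BACKDOORED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_CLEAN = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"
SAMPLE_MIXED = "xz (XZ Utils) 5.4.6\nliblzma 5.6.0\n"  # binary downgraded, library not


def parse_xz_version_output(text):
    """Map each component reported by `xz --version` to its version string."""
    return {m.group(1): m.group(2) for m in VERSION_RE.finditer(text)}


def upstream_version(package_version):
    """Strip a distro revision suffix ('5.6.1-1', '5.6.1-r2', '5.6.1+dfsg') to the upstream version."""
    return re.split(r"[-+~]", package_version, maxsplit=1)[0]


def affected_components(text):
    """Return the components whose upstream version is one of the backdoored releases."""
    versions = parse_xz_version_output(text)
    return sorted(c for c, v in versions.items() if upstream_version(v) in AFFECTED_UPSTREAM)


def check_local_host():
    """Run `xz --version` on this host and return the affected components (empty list if none)."""
    proc = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=False)
    return affected_components(proc.stdout)


if __name__ == "__main__":
    for label, sample in (("backdoored", SAMPLE_BACKDOORED), ("clean", SAMPLE_CLEAN), ("mixed", SAMPLE_MIXED)):
        print(f"{label}: affected components = {affected_components(sample)}")
    print(f"this host: affected components = {check_local_host()}")
```

Checking both lines matters: the vulnerable code lives in liblzma, so a host whose `xz` binary was rolled back while a stale `liblzma` remains still shows up in the `mixed` case.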

This query searches for XZ Utils versions 5.6.0 or 5.6.1.

//This query searches for XZ Utils versions 5.6.0 or 5.6.1, requires the Host Insights module.
config case_sensitive = false
| preset = host_inventory_applications
| filter (application_name contains "XZ-UTILS" AND version = "5.6.0") OR (application_name contains "XZ-UTILS" AND version = "5.6.1")

This query aims to identify hosts running XZ Utils versions 5.6.0 or 5.6.1 that have received inbound SSH connections from external IP addresses.

//This query aims to identify hosts running XZ Utils versions 5.6.0 or 5.6.1 that have received inbound SSH connections from external ip addresses, requires the Host Insights module.
config case_sensitive = false
| preset = host_inventory_applications
| filter (application_name contains "xz-util" AND version = "5.6.0") OR (application_name contains "xz-util" AND version = "5.6.1")
| fields endpoint_name, application_name, version
| join type = left (
dataset = xdr_data 
| filter agent_os_type = ENUM.AGENT_OS_LINUX 
| filter event_type = ENUM.NETWORK
| filter actor_process_image_name in ("ssh", "sshd")
| filter action_remote_ip != null
| alter Ip_Address = action_remote_ip
| alter IP_Address_Private = if (incidr(Ip_Address, "10.0.0.0/8") = true, "TRUE",
    if (incidr(Ip_Address, "127.0.0.0/8") = true, "TRUE",
    if (incidr(Ip_Address, "169.254.0.0/16") = true, "TRUE",
    if (incidr(Ip_Address, "172.16.0.0/12") = true, "TRUE",
    if (incidr(Ip_Address, "192.168.0.0/16") = true, "TRUE", 
    if (incidr6(Ip_Address, "fe80::/64") = true, "TRUE",
    if (incidr6(Ip_Address, "::/128") = true, "TRUE",
    if (incidr6(Ip_Address, "::1/128") = true, "TRUE",
    if (incidr6(Ip_Address, "fc00::/7") = true, "TRUE", "FALSE")))))))))
| filter (IP_Address_Private != "TRUE")
| fields agent_hostname, actor_process_image_name, Ip_Address
) as ssh_network ssh_network.agent_hostname = endpoint_name
| dedup endpoint_name
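To make the logic of the second query easy to reason about outside Cortex, here is an added Python emulation of it; it is not part of the original post and is not Cortex code. The host inventory records and network events are constructed samples shaped like the `host_inventory_applications` and `xdr_data` fields the query uses. The private-range classification mirrors the query's `incidr`/`incidr6` chain exactly, which is why a documentation address such as `2001:db8::5` counts as external here (the query does not exclude it either), and the left join plus `dedup` is reproduced by returning every affected host once, with an empty list when no external SSH event was seen. One caveat the emulation inherits from the query: `actor_process_image_name in ("ssh", "sshd")` also matches outbound connections made by the `ssh` client, so a hit means "SSH traffic with an external peer", not strictly an inbound connection.

```python
import ipaddress

AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}

# Same ranges the XQL query treats as private, in the same order.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "fe80::/64", "::/128", "::1/128", "fc00::/7",
)]

# Constructed sample data (not real telemetry).
HOST_INVENTORY = [
    {"endpoint_name": "web-01", "application_name": "xz-utils", "version": "5.6.1"},
    {"endpoint_name": "web-02", "application_name": "xz-utils", "version": "5.4.6"},
    {"endpoint_name": "build-03", "application_name": "XZ-Utils", "version": "5.6.0"},
    {"endpoint_name": "db-04", "application_name": "xz-utils", "version": "5.6.0"},
]

def _event(host, proc, ip, os_type="AGENT_OS_LINUX", event_type="NETWORK"):
    return {"agent_hostname": host, "agent_os_type": os_type, "event_type": event_type,
            "actor_process_image_name": proc, "action_remote_ip": ip}

NETWORK_EVENTS = [
    _event("web-01", "sshd", "203.0.113.10"),   # affected host, external peer -> hit
    _event("web-01", "sshd", "10.1.2.3"),       # private peer -> dropped
    _event("build-03", "sshd", "192.168.5.5"),  # private peer -> dropped
    _event("db-04", "sshd", "2001:db8::5"),     # IPv6 outside the private list -> hit
    _event("web-02", "sshd", "198.51.100.7"),   # host not running an affected version
    _event("build-03", "nginx", "203.0.113.99"),  # not an ssh/sshd process
    _event("db-04", "sshd", None),              # null remote IP -> dropped
]


def classify_ip(ip_text):
    """'private' if the address falls in one of the query's CIDR ranges, 'external' otherwise."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    # Membership is version-aware: an IPv4 address is never "in" an IPv6 network.
    return "private" if any(ip in net for net in PRIVATE_RANGES) else "external"


def affected_hosts(inventory):
    """Hosts whose inventory lists xz-utils 5.6.0 or 5.6.1 (case-insensitive 'contains' match)."""
    return {r["endpoint_name"] for r in inventory
            if "xz-util" in r["application_name"].lower() and r["version"] in AFFECTED_VERSIONS}


def external_ssh_events(events):
    """The inner query: Linux NETWORK events from ssh/sshd with a non-null, non-private remote IP."""
    kept = []
    for e in events:
        if e["agent_os_type"] != "AGENT_OS_LINUX" or e["event_type"] != "NETWORK":
            continue
        if e["actor_process_image_name"] not in ("ssh", "sshd"):
            continue
        ip = e["action_remote_ip"]
        if ip is None or classify_ip(ip) != "external":
            continue
        kept.append(e)
    return kept


def hunt(inventory, events):
    """Left join on hostname, then dedup: every affected host once, with its external SSH peers."""
    hosts = affected_hosts(inventory)
    peers = {}
    for e in external_ssh_events(events):
        if e["agent_hostname"] in hosts:
            peers.setdefault(e["agent_hostname"], set()).add(e["action_remote_ip"])
    return {h: sorted(peers.get(h, set())) for h in sorted(hosts)}


if __name__ == "__main__":
    for host, ips in hunt(HOST_INVENTORY, NETWORK_EVENTS).items():
        print(f"{host}: external SSH peers = {ips or 'none'}")
```

Hosts that appear with an empty peer list (here `build-03`) are still worth the version rollback; the join only prioritises which affected hosts also had SSH exposure to non-private addresses during the retention window.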

Source of the queries