cross-posted from: https://discuss.tchncs.de/post/13377347
openSUSE addresses supply chain attack against xz compression library
openSUSE maintainers received notification of a supply chain attack against the “xz” compression tool and “liblzma5” library.
Background
Security Researcher Andres Freund reported to Debian that the xz / liblzma library had been backdoored.
This backdoor was introduced in the upstream github xz project with release 5.6.0 in February 2024.
Our rolling release distribution openSUSE Tumbleweed and openSUSE MicroOS included this version between March 7th and March 28th.
SUSE Linux Enterprise and Leap are built in isolation from openSUSE. Code, functionality and characteristics of Tumbleweed are not automatically introduced in SUSE Linux Enterprise and/or Leap. It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap.
Impact
Current research indicates that the backdoor is active in the SSH Daemon, allowing malicious actors to access systems where SSH is exposed to the internet.
As of March 29th reverse engineering of the backdoor is still ongoing.
Mitigations
openSUSE Maintainers have rolled back the version of xz on Tumbleweed on March 28th and have released a new Tumbleweed snapshot (20240328 or later) that was built from a safe backup.
The reversed version is versioned
5.6.1.revertto5.4
and can be queried withrpm -q liblzma5
.User recommendation
For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited. Due to the sophisticated nature of the backdoor an on-system detection of a breach is likely not possible. Also rotation of any credentials that could have been fetched from the system is highly recommended. Otherwise, simply update to openSUSE Tumbleweed 20240328 or later and reboot the system.
More Information about openSUSE:
If you run a rolling release distro, or one that tends to ship more updated packages, you may need to check up on this and make sure you're not using the compromised versions of the xz compression library.
Here is a site detailing the current known history of how the malicious exploiter got access to the repository and what he had pushes to it.
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Side note for Arch (btw) users: If you run
xz --version
, it will report to be version 5.6.1, even if it's the updated version. This is because the updated and presumably safe package is xz 5.6.1-2.The backdoor didn't really affect Arch, because it only compromised SSH when it was linked against liblzma, which is a requirement for libsystemd. However, Arch doesn't link it that way, so it's safe to use. You should still update though, because we don't know if the backdoor could be used in any other way.