CSMS # 60068209 - SECURITY NOTICE: Roll Back Certain Linux Distribution

U.S. Customs and Border Protection sent this bulletin at 04/05/2024 01:53 PM EDT

Cargo Systems Messaging Service

CSMS # 60068209 - SECURITY NOTICE: Roll Back Certain Linux Distribution

U.S. Customs and Border Protection (CBP) was recently notified of a Linux security vulnerability that potentially affects the trade community. Below is additional information intended for awareness.

On Friday, March 29, 2024, a Microsoft researcher discovered a supply chain compromise within “xz Utils” versions 5.6.0 and 5.6.1. This utility is used for data compression and is included in almost all Linux distributions.

If your organization is using any of the following Linux distributions, U.S. Customs and Border Protection (CBP) recommends the immediate roll back to an earlier, unaffected version:

Fedora Rawhide
Fedora 41
Debian testing (unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1)
openSUSE Tumbleweed
openSUSE MicroOS
Kali Linux

Background

xz Utils versions 5.6.0 and 5.6.1 were found to contain malicious code that allows for unauthorized remote access connections and code execution. This intentionally planted backdoor has been assigned CVE-2024-3094, with a Critical severity rating, and impacts any Linux or Unix based operating system running affected xz Utils versions.

Affected versions of xz Utils was scheduled to be released to mainstream Red Hat Enterprise Linux (RHEL) later this month. Thankfully, this vulnerability was caught in beta testing, averting a potential global crisis.

Affected Linux Distributions: Additional Information

DISTRIBUTION	ADVISORY	NOTES
Fedora Rawhide	https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users	Fedora Rawhide is the development distribution of Fedora Linux
Fedora 41	https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users	_
Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.	https://lists.debian.org/debian-security-announce/2024/msg00057.html	_
openSUSE Tumbleweed and openSUSE MicroOS	https://news.opensuse.org/2024/03/29/xz-backdoor/	Backdoored version of xz was included in Tumbleweed and MicroOS between March 7 and March 28
Kali Linux	https://www.kali.org/blog/about-the-xz-backdoor/	Backdoored version of xz was included in Kali Linux (xz-utils 5.6.0-0.2) between March 26 and March 28

Update your subscriptions, modify your password or e-mail address, or stop subscriptions at any time on your Subscriber Preferences Page. You will need to use your e-mail address to log in. If you have questions or problems with the subscription service, please contact subscriberhelp.govdelivery.com.

This service is provided to you at no charge by U.S. Customs and Border Protection.

Privacy Policy | GovDelivery is providing this information on behalf of U.S. Department of Homeland Security, and may not use the information for any other purposes.