Malicious code in XZ Utils for Linux systems allows remote code execution

02 April 2024 | Pressroom | Firmware security/vulnerabilities

XZ Utilities for Linux

Malicious code inserted into the open source library XZ Utils, a widely used package found in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed.

The audacious supply chain compromise, identified as CVE-2024-3094 (CVSS score: 10.0), came to light last week when Microsoft engineer and PostgreSQL developer Andres Freund raised the alarm about a backdoor in the data compression utility that gives remote attackers a way to bypass secure shell authentication and gain full access to an affected system.

XZ Utils is a command-line tool for compressing and decompressing data in Linux and other Unix-like operating systems.

The malicious code is said to have been introduced deliberately by one of the project’s maintainers called Jia Tan (aka Jia Cheong Tan or JiaT75) in what appears to be a meticulous attack over several years. The GitHub user account was created in 2021. The identity of the actors is currently unknown.


“The threat actor began contributing to the XZ project nearly two years ago, slowly building credibility until he was assigned maintainer responsibilities,” Akamai said in a report.

In a further act of clever social engineering, sockpuppet accounts such as Jigar Kumar and Dennis Ens are believed to have been used to submit feature requests and report a series of problems in the software in order to pressure the original maintainer – Lasse Collin of the Tukaani project – into adding a new co-maintainer to the repository.

Enter Jia Tan, who introduced a series of changes to XZ Utils in 2023, eventually leading to the release of version 5.6.0 in February 2024. Those releases also carried a sophisticated backdoor.

“As I mentioned in previous emails, Jia Tan may have a larger role in the project in the future,” Collin said in an exchange with Kumar in June 2022.

“He helped a lot off the list and is practically already a co-maintainer. 🙂 I know not much has happened in the git repository yet but things happen in small steps. In any case some change in maintainership is already underway at least for XZ Utils.”

The backdoor affects the tarballs of XZ Utils versions 5.6.0 and 5.6.1, the latter of which contains an improved version of the same implant. Collin has since acknowledged the project’s breach, stating that both tarballs were created and signed by Jia Tan, and that they only had access to the now disabled GitHub repository.

“This is clearly a very complex state-sponsored operation, with an impressive level of sophistication and multi-year planning,” firmware security firm Binarly said. “Such a complex and professionally designed comprehensive implant framework is not developed for a one-time operation.”


A deeper examination of the backdoor by open source cryptographer Filippo Valsorda also revealed that the affected versions allow specific remote attackers to send arbitrary payloads via an SSH certificate that will be executed in a way that bypasses authentication protocols, effectively taking control over the victim machine.

“It appears that the backdoor is added to the SSH daemon on the vulnerable machine, allowing a remote attacker to execute arbitrary code,” Akamai said. “This means that any machine with the vulnerable package that exposes SSH to the Internet is potentially vulnerable.”


It goes without saying that Freund’s accidental discovery is one of the most significant supply chain attacks discovered to date and could have been a major security disaster if the package had been integrated into stable versions of Linux distributions.

“The most notable part of this supply chain attack is the extreme level of dedication of the attacker, who worked more than two years to establish himself as a legitimate maintainer, offering to take on work in various OSS projects and committing code to multiple projects in order to avoid detection,” JFrog said.

As with Apache Log4j, the incident once again highlights the reliance on open source software and volunteer-run projects, and the consequences that could follow if they were compromised or contained a serious vulnerability.

“The bigger solution is for organizations to adopt tools and processes that allow them to identify signs of tampering and malicious functionality within both open source and commercial code used in their development pipeline,” ReversingLabs said.
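As a first, defender-side step towards the kind of tamper detection ReversingLabs describes, the following POSIX shell script is an added example (not code from the article, from the XZ project, or from any of the firms quoted). It parses the first line of `xz --version` (which has the form `xz (XZ Utils) 5.6.1`), flags the two affected releases the article names, 5.6.0 and 5.6.1, and checks whether the `sshd` binary loads `liblzma`, since the article notes that the backdoor is only reachable where the SSH daemon picks up the tainted library. The `ldd` output used below is constructed for illustration; the helper names are the example's own.

```shell
#!/bin/sh
# Added example: inventory check for the XZ Utils versions named in the article
# (CVE-2024-3094). Functions return 0 (true) when the condition holds, so the
# script can be sourced and its pieces reused or tested individually.

# Constructed sample `ldd sshd` output: one host whose sshd loads liblzma
# (on some distributions it arrives indirectly via libsystemd) and one that does not.
SAMPLE_LDD_LINKED='	linux-vdso.so.1 (0x0000000000000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000000000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000000)'
SAMPLE_LDD_CLEAN='	linux-vdso.so.1 (0x0000000000000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000000)'

# Extract the version number from the first line of `xz --version`.
# Prints nothing if the line does not have the expected "xz (XZ Utils) X.Y.Z" shape.
xz_version_from_banner() {
    printf '%s\n' "$1" | awk '$1 == "xz" && $2 == "(XZ" && $3 == "Utils)" { print $4 }'
}

# True only for the exact release strings the article lists as affected.
# A pre-release such as 5.6.1alpha deliberately does not match.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the given `ldd` output shows liblzma being loaded into the binary.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine the checks. Prints a one-line verdict; returns 0 when an affected
# release is installed, 1 when it is not, 2 when the version could not be parsed.
assess_host() {
    banner="$1"
    ldd_out="$2"
    ver=$(xz_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse xz version from: $banner"
        return 2
    fi
    if xz_version_is_affected "$ver"; then
        if sshd_links_liblzma "$ldd_out"; then
            echo "AFFECTED: xz $ver installed and sshd links liblzma"
        else
            echo "AFFECTED VERSION: xz $ver installed (sshd does not link liblzma here)"
        fi
        return 0
    fi
    echo "OK: xz $ver is not one of the affected releases"
    return 1
}

# Run against the live host only when explicitly asked, e.g.
#   XZ_CHECK_LIVE=1 sh xz_check.sh
# so that sourcing the file for testing has no side effects.
if [ "${XZ_CHECK_LIVE:-0}" = "1" ]; then
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    assess_host "$(xz --version 2>/dev/null | head -n 1)" \
                "$(ldd "$sshd_path" 2>/dev/null)"
fi
```

A version match is a trigger to apply the distribution's advisory and rebuild or roll back the package, not proof of compromise on its own: the article notes that the implant shipped in the release tarballs, so a build of the same version taken from the git tree may not carry it, and the version string cannot tell the two apart.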
