A backdoor just discovered in XZ Utils, a data compression utility found in nearly every Linux distribution, has revived the ghosts of previous major software supply chain security scares like the Log4Shell vulnerability and the SolarWinds attack.
The backdoor is embedded in an XZ library called liblzma and offers remote attackers a way to bypass Secure Shell (sshd) authentication and thus gain full access to an affected system. It appears that an individual with maintainer-level access to the code deliberately introduced the backdoor in a painstakingly executed, multi-year attack.
The backdoor affects XZ Utils 5.6.0 and 5.6.1, versions that were at the time shipping only in unstable and beta releases of Fedora, Debian, Kali, openSUSE, and Arch Linux. As a result, the potential threat from this backdoor is considerably more limited for now than if the malicious code had made it into a stable Linux distribution.
Even so, the fact that someone managed to slip a nearly imperceptible backdoor into a trusted and widely used open source component, and the havoc it could have caused, came as a painful wake-up call about how vulnerable organizations are to attacks via the software supply chain.
“This supply chain attack came as a shock to the OSS community, as XZ Utils was considered a trusted and carefully vetted project,” JFrog researchers said in a blog post. “The attacker built a credible reputation as an OSS developer over several years and used highly obfuscated code to evade detection by code reviews.”
XZ Utils is a command-line utility for compressing and decompressing data on Linux and other Unix-like operating systems. Microsoft developer Andres Freund discovered the backdoor while investigating strange behavior involving liblzma on some Debian installations in recent weeks. After initially thinking the backdoor was purely a Debian issue, Freund found that it actually affected the upstream XZ repository and the associated release tarballs. He publicly disclosed the backdoor on March 29.
Over the weekend, the security teams at Fedora, Debian, openSUSE, Kali, and Arch Linux issued urgent advisories advising organizations running affected versions to immediately revert to older, stable versions of XZ Utils to mitigate the risk of remote code execution.
Maximum-severity vulnerability
Red Hat, Fedora's primary sponsor and contributor, assigned the backdoor a vulnerability identifier (CVE-2024-3094) and rated it at the highest severity (CVSS score of 10) to draw attention to the threat. The US Cybersecurity and Infrastructure Security Agency (CISA) joined the chorus of voices urging organizations using affected Linux distributions to downgrade XZ Utils to a previous version, hunt for any potential backdoor-related activity, and report any findings to the agency.
All the advisories offered tips on how to quickly check systems for backdoored XZ versions. Red Hat has released an update that reverts XZ Utils to a previous version, which it will make available through the normal update process. Users concerned about potential attacks can force the update rather than wait for it to arrive through the normal process, the company said.
Binarly has also released a free tool that organizations can use to scan for the XZ backdoor.
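The quick version check that the advisories describe, written out as an added example (this is not code from any of the advisories or from the Binarly tool). It treats only the two release versions named in this article, 5.6.0 and 5.6.1, as backdoored, parses the version from the text that `xz --version` prints, and checks whether the installed sshd links liblzma, which is the linkage (via libsystemd on distributions that patch OpenSSH that way) that gave the backdoor its path into sshd. The function and output-label names are this example's own.

```shell
#!/bin/sh
# Added example: triage check for the backdoored XZ Utils releases (5.6.0,
# 5.6.1). "not-listed" means "not one of the two known-bad release versions",
# not "verified clean".

# Classify a bare version string. Always returns 0 so it is safe inside
# command substitutions under `set -e`.
xz_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) echo "backdoored" ;;
        *)           echo "not-listed" ;;
    esac
    return 0
}

# Pull the version out of the first line of `xz --version` text, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the text as an argument instead of
# running xz itself, so it can be exercised on constructed samples.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
    return 0
}

# Report whether the installed sshd binary links liblzma.
# Returns 0 if liblzma appears in the ldd output, 1 if it does not,
# 2 if sshd or ldd cannot be found (e.g. /usr/sbin not on PATH).
sshd_links_liblzma() {
    sshd_bin=$(command -v sshd 2>/dev/null) || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$sshd_bin" 2>/dev/null | grep -q 'liblzma'
}

# Run both checks against the current host and print a summary.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        echo "xz version ${ver:-unknown}: $(xz_backdoored_version "$ver")"
    else
        echo "xz not installed"
    fi
    if sshd_links_liblzma; then
        echo "sshd links liblzma: yes (exposed if liblzma is a backdoored build)"
    else
        echo "sshd links liblzma: no, or sshd/ldd not found"
    fi
}

check_host
```

Treat a version match as a triage signal rather than a verdict: a distribution may ship a rebuilt or patched package whose binary still reports 5.6.1, and a binary that reports another version is not thereby proven clean. Confirm against the distribution's advisory, the package manager's record of which package version is installed, or a dedicated scanner such as the Binarly tool mentioned above.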
“If this malicious code had been introduced into stable versions of the operating system in multiple Linux distributions, we could have seen mass exploitation,” says Scott Caveza, research engineer at Tenable. “The longer this goes unnoticed, the greater the potential for more malicious code to arrive from whoever this malicious actor may be.”
In an FAQ, Tenable described the backdoor as modifying functions within liblzma in a way that allows attackers to intercept and modify data within the library. “In the example observed by Freund, under certain conditions, this backdoor could allow an attacker to ‘break sshd authentication,’ allowing the attacker to access an affected system,” the researchers noted.
XZ Utils “Maintainer” behind the backdoor
What makes the backdoor particularly problematic is the fact that someone using an account belonging to an XZ Utils maintainer embedded the malicious code into the package in what appears to have been a carefully planned, multi-year operation. In a widely cited blog post, security researcher Evan Boehs traced the malicious activity back to 2021, when an individual using the name Jia Tan created a GitHub account and almost immediately began making suspicious changes to some open source projects.
The blog post provides a detailed timeline of the steps Jia Tan and a couple of other people took to gradually build enough trust within the XZ community to make changes to the software and possibly introduce the backdoor.
“All evidence points to social manipulation being used by one person with the sole end goal of inserting a backdoor,” Boehs tells Dark Reading. “Basically there was never a genuine effort to maintain the project, but only to gain enough trust in it to be able to include it [the backdoor] quietly.”
Typically, gaining commit access to a repository requires an individual to first establish trust. Often, projects grant commit access to new individuals only when there is a need and after a risk assessment, Boehs says.
“In this case, Jia created a [seemingly] legitimate need for more maintainers… and then started to build trust. Our society is built on trust, and occasionally some crafty people exploit it,” Boehs notes. “Getting permission requires trust. Trust takes time to establish. Jia was there for the long game.”
Boehs says it is unclear exactly when Jia Tan became a trusted member of the repository. But soon after their first commit in 2022, Jia Tan became a regular contributor and is currently the second most active in the project. GitHub has since suspended Jia Tan's account.
Saumitra Das, vice president of engineering at Qualys, says what happened with XZ Utils can happen elsewhere.
“Many critical open source libraries are run by volunteers in the community who don’t get paid for it and may be under pressure due to their own personal issues,” says Das.
Maintainers who are under pressure often welcome contributors who are willing to dedicate even a little time to their projects. “Over time, these people can gain more control over the code,” as was the case with XZ Utils, he says.