2024-04-09

A malicious actor has quietly spent the last two years embedding himself into the core team of maintainers of XZ Utils, free command-line data compression software widely used on Linux systems. The attacker slowly managed to integrate a backdoor into the software, designed to interfere with sshd and enable remote code execution via an SSH connection certificate. The backdoor was discovered days before it would have been rolled out to Linux systems around the world.

The threat actor is believed to be a developer with, or using, the name Jian Tan. Several security experts believe this supply chain attack could be state-sponsored.

What is XZ Utils and what is the XZ backdoor?

XZ Utils and its underlying library, liblzma, are free software that implements XZ and LZMA, two compression/decompression formats widely used on Unix systems, including Linux. Many operations on these systems rely on XZ Utils to compress and decompress data.

The backdoor found in XZ Utils, tracked as CVE-2024-3094, was built to interfere with authentication in sshd, the OpenSSH server software that manages SSH connections. It allowed an attacker to execute code remotely via an SSH connection certificate. Only versions 5.6.0 and 5.6.1 of XZ Utils are affected.

How the XZ backdoor was carefully implemented over several years

On March 29, 2024, Andres Freund, a software engineer at Microsoft, reported the discovery of the backdoor. He noticed strange behavior on a Debian sid installation, such as SSH connections consuming a lot of CPU and valgrind errors, and decided to analyze the symptoms in depth. Freund explained that finding the backdoor in XZ was lucky because it “really required a lot of coincidences.”

Still, it appears that the backdoor was put in place through a very quiet process that lasted about two years. In 2021, a developer named Jian Tan, username JiaT75, appeared out of nowhere and started working on the XZ Utils code, which in itself is not unusual, as free software developers often collaborate on code updates. Tan contributed frequently to the XZ project from late 2021 onward, slowly building trust in the community.

In May 2022, an unknown user using the fake name Dennis Ens complained on the XZ mailing list that updates to the software were not satisfactory. Another unknown user, Jigar Kumar, joined the thread and twice pressured XZ Utils lead developer Lasse Collin to add a maintainer to the project. “There will be no progress until there is a new leader,” Jigar Kumar wrote. “Why wait for 5.4.0 to change maintainer? Why delay what your repo needs?”

Meanwhile, Collin stated that “Jia Tan helped me get off the list with XZ Utils and he might play a bigger role in the future at least with XZ Utils. It’s clear that my resources are too limited (hence the many emails waiting for a response), so something has to change in the long term.” (Collin wrote Jia in his post, while other posts refer to Jian. To add to the confusion, Jian's username is JiaT75.)

In the months that followed, Tan became increasingly involved with XZ Utils and became co-lead of the project. In February 2024, Tan pushed the commits for XZ Utils versions 5.6.0 and 5.6.1, both of which contained the backdoor.

It is also interesting to note that in July 2023, Tan asked to disable ifunc (GNU Indirect Function) on oss-fuzz, a public tool designed to detect software vulnerabilities. This was likely done so that the XZ backdoor would go undetected once released, as the backdoor relies on this feature to achieve its goals.

Finally, the attacker contacted several maintainers of different Linux distributions to get the backdoored versions of XZ Utils included in their distributions. Richard WM Jones from Red Hat wrote about this on a forum: “Very annoying – the apparent backdoor author was in communication with me for several weeks trying to add xz 5.6.x to Fedora 40 and 41 because of its great new features. We even worked with him to fix the valgrind issue (which, it now turns out, was caused by the backdoor he added). We had to rush last night to resolve the issue after an unintentional breach of the embargo. He's been part of the xz project for 2 years, adding all kinds of binary test files, and to be honest, with this level of sophistication, I'd be wary of even older versions of xz until proven otherwise.” Tan also tried to get it included in Ubuntu.


XZ backdoor: A very technical attack

In addition to the very elaborate social engineering described earlier in this article, the backdoor itself is highly complex.

Thomas Roccia, Principal Threat Researcher at Microsoft, designed and published an infographic showing the entire operation leading to CVE-2024-3094 (Figure A).

Figure A: Thomas Roccia's infographic of the operation leading to CVE-2024-3094 (image not reproduced here).

The backdoor is made up of several parts that were introduced across several commits to the XZ Utils GitHub repository, described in depth by Freund.

Gynvael Coldwind, Managing Director of HexArcana Cybersecurity GmbH, a cybersecurity company providing consulting and training services, wrote in a detailed analysis of the backdoor that “someone put a lot of effort into making this seem quite innocent and decently hidden.” From binary test files used to store the payload, to file carving, substitution ciphers and an RC4 variant implemented in AWK, everything was done with only standard command-line tools. And all of this in three execution steps, with an extension system to future-proof the mechanism so the binary test files would not have to be modified again.


Martin Zugec, director of technical solutions at Bitdefender, said in a statement provided to TechRepublic that “this appears to be a meticulously planned, multi-year attack, possibly supported by a state actor. Given the massive effort invested and the low prevalence of vulnerable systems we are seeing, the threat actors responsible must be extremely unhappy at this time that their new weapon was discovered before it could be widely deployed.”

Which operating systems are impacted by the XZ backdoor?

Thanks to Freund's discovery, the attack was stopped before it could spread on a larger scale. Cybersecurity company Tenable listed the following operating systems as known to be affected by the XZ backdoor:

Fedora Rawhide.

Fedora 40 beta.

Fedora 41.

Debian testing and unstable distributions, package versions 5.5.1alpha-01 to 5.6.1-1.

openSUSE Tumbleweed.

openSUSE MicroOS.

Kali Linux.

Arch Linux.

In a blog post, Red Hat reported that no version of Red Hat Enterprise Linux is affected by CVE-2024-3094.

Debian has indicated that no stable version of the distribution is affected, and Ubuntu stated that no released versions of Ubuntu were affected.

The macOS Homebrew package manager reverted XZ from 5.6.x to 5.4.6, an older but safe version. Bo Anderson, maintainer and member of the Homebrew technical steering committee, declared that Homebrew does not “…believe that Homebrew builds have been compromised (the backdoor only applies to deb and rpm builds) but that version 5.6.x is treated as no longer trusted and, as a precaution, we are forcing downgrades to version 5.4.6.”

How to Mitigate and Protect Against This XZ Backdoor Threat

Other systems could also be affected, including those on which developers compiled vulnerable versions of XZ themselves. Security company Binarly offers an online detection tool that can be used to test whether a system is affected by the XZ backdoor.

The installed version of XZ should be checked carefully, as versions 5.6.0 and 5.6.1 contain the backdoor. It is advisable to downgrade to an earlier, known-safe version of XZ Utils, such as 5.4.
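As an added example (not part of the original article, and not a tool from the XZ, Binarly or any distribution project), the following POSIX shell script performs the two checks an administrator would want after reading the section above: whether the installed xz is one of the two backdoored releases, and whether the local OpenSSH server binary links liblzma at all (the article notes the backdoor only applies to deb and rpm builds, whose sshd is patched to pull in liblzma). Function names, the sample version strings and the script file name xz-check.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example: quick local checks for CVE-2024-3094 exposure.
# Not from the article or any project; function names are constructed.

# Return 0 (true) when the given XZ version string is one of the two
# backdoored releases named in the article, 1 otherwise. A distribution
# package revision such as "5.6.1-1" is tolerated by comparing only the
# upstream part before the first dash.
xz_version_is_backdoored() {
    upstream=${1%%-*}
    case "$upstream" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version number from the first line printed by "xz --version",
# e.g. "xz (XZ Utils) 5.6.1". The line is taken as an argument so the
# parser can be exercised on constructed input without an installed xz.
parse_xz_version_line() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.a-z-]*\).*/\1/p'
}

# Check the xz binary found in PATH, if any, and report.
# Exit status: 0 not affected or nothing to check, 1 backdoored, 2 unparseable.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found in PATH; nothing to check"
        return 0
    fi
    line=$(xz --version 2>/dev/null | head -n 1)
    ver=$(parse_xz_version_line "$line")
    if [ -z "$ver" ]; then
        echo "could not parse xz version from: $line"
        return 2
    fi
    if xz_version_is_backdoored "$ver"; then
        echo "WARNING: xz $ver is a backdoored release (CVE-2024-3094); downgrade to 5.4.x"
        return 1
    fi
    echo "xz $ver is not one of the backdoored releases"
    return 0
}

# Report whether the OpenSSH server binary links liblzma. The backdoor can
# only reach sshd through that link, so "does not link liblzma" means this
# sshd was not exposed even if the xz package itself was bad.
check_sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ ! -x "$sshd_path" ] || ! command -v ldd >/dev/null 2>&1; then
        echo "sshd or ldd not available; skipping link check"
        return 0
    fi
    if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
        echo "$sshd_path links liblzma; a backdoored xz would reach sshd"
        return 1
    fi
    echo "$sshd_path does not link liblzma"
    return 0
}

# Run the live checks only when executed as xz-check.sh, so the file can
# also be sourced to reuse the functions.
if [ "${0##*/}" = "xz-check.sh" ]; then
    check_installed_xz
    check_sshd_links_liblzma
fi
```

Save it as xz-check.sh and run `sh xz-check.sh`; a non-zero exit from either check is the signal to downgrade xz (or rebuild sshd without liblzma) before anything else. The version comparison is deliberately an exact match on 5.6.0 and 5.6.1 rather than a range, because those are the only releases the article identifies as containing the backdoor.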

Attacks on the software supply chain are on the rise

As previously reported on TechRepublic, software supply chain attacks are increasingly being used by malicious actors.

Yet typical attacks against the software supply chain primarily involve compromising a key account in the software development process and using that account to push malicious content into legitimate software, which is often detected quickly. In the XZ Utils case, by contrast, the attacker spent years building trust in order to insert vulnerable code into the software without being noticed.

Attacks on the software supply chain aren't the only growing threat; other supply chain attacks targeting IT products are also increasing.

Companies must therefore ensure that third parties are taken into account when monitoring their attack surface.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.