XZ Utils backdoor
On 29 March 2024, software developer Andres Freund reported that he had found a maliciously introduced backdoor in the liblzma library, which is part of the Linux utility xz, in versions 5.6.0 and 5.6.1 released in February 2024.[1]
xz is a program that is present in most Linux distributions. It is used for compressing and decompressing data. Liblzma is a library, a piece of software that other programs can use. It allows programs to compress and decompress data using the Lempel–Ziv–Markov chain algorithm. The backdoor targeted Debian-based and RPM-based systems running on the x86-64 architecture. At the time of discovery the backdoored version had not yet been widely deployed.[2]
Using the backdoor, an attacker who has a specific Ed448 private key can get remote code execution capabilities on the affected Linux systems. The issue has been assigned a CVSS score of 10.0, the highest possible score.[3][4][5]
Background
The Microsoft employee and PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid.[6] Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage as well as causing errors in Valgrind,[7] a memory debugging tool.[8] Freund reported his finding to the Openwall Project's open source security mailing list.[9] This brought it to the attention of various software vendors.[8] There is evidence that the attacker made efforts to hide the code.[10][11] The backdoor is made of multiple stages that act together.[12]
When the compromised version is incorporated into the operating system, it changes the behavior of OpenSSH's SSH server daemon. It abuses the systemd library, allowing the attacker to gain the same level of access as any authorized administrator.[12][8] According to the analysis by Red Hat, the backdoor can "enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".[13]
An investigation found that the efforts to insert the backdoor took about three years. A user known as Jia Tan, with the nickname JiaT75, gained the trust of the developers. Jia Tan used sock puppetry to become co-maintainer of XZ Utils. They were able to release version 5.6.0, which included the backdoor. Jia Tan also released version 5.6.1, which added anomalous behaviour that can be found using software testing.[8]
Other accounts are suspected of sockpuppetry: Jigar Kumar, krygorin4545, and misoeater91. These names, as well as the name Hans Jensen, are probably pseudonyms. It is likely that there are no people with these names, and if there are, they have no connection to the project apart from the code they contributed.[14][15]
American security researcher Dave Aitel suggested that the approach fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian SVR.[16] Others have suggested that it could be any state actor or a non-state actor of considerable resources.[17]
Response
Immediate fixes
The US federal agency responsible for cyber security and infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA), issued a security advisory. It recommends that a previous, uncompromised version be installed on affected devices.[18] Linux software vendors, including Red Hat, SUSE, and Debian, have mirrored the CISA advisory and reverted the updates for the affected packages to older versions.[13][19][20] GitHub has disabled the mirrors for the xz repository.[21]
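The Background section says the backdoor reached sshd through the systemd library's dependency on liblzma, and the fix above is to make sure an uncompromised release is installed. The following check is added here as an example; it is not from the article or from any vendor advisory. It looks for the two release numbers the article names and reports whether the local sshd binary loads liblzma at all; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the article: flags the two xz/liblzma releases
# the article names as backdoored (5.6.0 and 5.6.1) and reports whether the
# local sshd loads liblzma, the library the backdoor lived in.

# Return 0 when the version string is one of the two affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line
# has the form "xz (XZ Utils) 5.4.5".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when ldd output lists liblzma among the shared libraries.
# sshd does not link liblzma itself; it arrives indirectly via libsystemd.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live check of this host. Each step is skipped when its tool is absent, so
# the helpers above can also be run against captured output alone.
check_host() {
    status=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "WARNING: xz $ver is an affected release (CVE-2024-3094)"
            status=1
        else
            echo "xz $ver is not one of the affected releases"
        fi
    fi
    sshd_bin=$(command -v sshd 2>/dev/null) || sshd_bin=/usr/sbin/sshd
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if ldd_links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
            echo "NOTE: $sshd_bin loads liblzma; confirm its package version"
        else
            echo "$sshd_bin does not load liblzma"
        fi
    fi
    return "$status"
}
check_host
```

The version number comes from the xz binary, so on a host where the distribution has already reverted the package it will show the older release; the package manager (dpkg or rpm) shows which package build actually installed it.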
Broader response
Computer scientist Alex Stamos said that "this could have been the most widespread and effective backdoor ever planted in any software product". He noted that the backdoor would have "given its creators a master key to any of the hundreds of millions of computers around the world that run SSH", if it had not been found.[22] The incident also started a discussion regarding the viability of having critical pieces of cyberinfrastructure depend on unpaid volunteers.[23]
References
1. Corbet, Jonathan. "A backdoor in xz". LWN. Archived from the original on 1 April 2024. Retrieved 2 April 2024.
2. "CVE-2024-3094". National Vulnerability Database. NIST. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
3. Gatlan, Sergiu. "Red Hat warns of backdoor in XZ tools used by most Linux distros". BleepingComputer. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
4. Akamai Security Intelligence Group (1 April 2024). "XZ Utils Backdoor – Everything You Need to Know, and What You Can Do". Archived from the original on 2 April 2024. Retrieved 2 April 2024.
5. James, Sam. "xz-utils backdoor situation (CVE-2024-3094)". GitHub. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
6. Zorz, Zeljka (29 March 2024). "Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)". Help Net Security. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
7. "oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise". www.openwall.com. Retrieved 8 April 2024.
8. Goodin, Dan (1 April 2024). "What we know about the xz Utils backdoor that almost infected the world". Ars Technica. Archived from the original on 1 April 2024. Retrieved 1 April 2024.
9. "oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise". www.openwall.com. Archived from the original on 1 April 2024. Retrieved 3 April 2024.
10. Larabel, Michael. "XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access". Phoronix. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
11. O'Donnell-Welch, Lindsey (29 March 2024). "Red Hat, CISA Warn of XZ Utils Backdoor". Decipher. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
12. Claburn, Thomas. "Malicious backdoor spotted in Linux compression library xz". The Register. Archived from the original on 1 April 2024. Retrieved 1 April 2024.
13. "Urgent security alert for Fedora 41 and Fedora Rawhide users". Red Hat. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
14. "Watching xz unfold from afar". Retrieved 6 April 2024.
15. "Timeline summary of the backdoor attack on XZ Utils". Retrieved 7 April 2024.
16. Greenberg, Andy. "The Mystery of 'Jia Tan,' the XZ Backdoor Mastermind". Wired. Archived from the original on 3 April 2024. Retrieved 3 April 2024.
17. Claburn, Thomas. "Malicious xz backdoor reveals fragility of open source". The Register. Retrieved 8 April 2024.
18. "Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094". CISA. 29 March 2024. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
19. "SUSE addresses supply chain attack against xz compression library". SUSE Communities. SUSE. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
20. Bonaccorso, Salvatore (29 March 2024). "[SECURITY] [DSA 5649-1] xz-utils security update". debian-security-announce (Mailing list). Retrieved 29 March 2024.
21. Larabel, Michael (29 March 2024). "GitHub Disables The XZ Repository Following Today's Malicious Disclosure". Phoronix. Archived from the original on 31 March 2024. Retrieved 31 March 2024.
22. Roose, Kevin. "Did One Guy Just Stop a Huge Cyberattack?". The New York Times. Archived from the original on 4 April 2024. Retrieved 4 April 2024.
23. Khalid, Amrita (2 April 2024). "How one volunteer stopped a backdoor from exposing Linux systems worldwide". The Verge. Archived from the original on 4 April 2024. Retrieved 4 April 2024.