
XZ Utils Backdoor Was Carefully Installed in a Multiyear Supply Chain Attack

  • Johnny On the Spot
  • Apr 2, 2024
  • 4 min read



XZ Utils ships installed by default on most Linux distributions. A backdoor found in it could have been the next SolarWinds attack or Log4Shell flaw.


The backdoor sits in liblzma, the compression library that is part of XZ Utils. It lets a remote attacker bypass secure shell daemon (sshd) authentication and take control of an affected machine. It was planted over a long period by someone with maintainer-level access to the project's code.


Shock to the Community


The backdoor is present in XZ Utils versions 5.6.0 and 5.6.1. Those versions had only reached the testing, unstable, or rolling releases of Fedora, Debian, Kali, openSUSE, and Arch Linux, so the incident is far less dangerous than it would have been had the malicious code made it into stable releases.


Even so, a well-hidden backdoor was found in a widely known and widely used open-source component, and the damage it could have done is a harsh reminder of how easily supply chain threats can hurt organizations.


"This supply chain attack shocked the OSS community because XZ Utils was a well-known and trusted project," experts from JFrog wrote in a blog post. "The attacker built up a credible reputation as an OSS developer over the span of multiple years and used highly obfuscated code in order to evade detection by code reviews."


XZ Utils is a data compression tool and library for Linux and other Unix-like systems. The backdoor was discovered by Andres Freund, a Microsoft software engineer, while he was investigating why liblzma had been behaving oddly on some Debian installations over the preceding weeks. Freund found that the problem was not limited to Debian: the upstream XZ source repository and the release tarballs were affected as well. The threat was made public on March 29.


Over the weekend, the security teams of Fedora, Debian, openSUSE, Kali, and Arch issued urgent warnings to organizations running affected releases, telling them to downgrade to earlier, unaffected versions right away to reduce the risk of remote code execution.


Maximum Severity Vuln


The backdoor has been assigned CVE-2024-3094 and carries the maximum CVSS score of 10. Red Hat, which sponsors Fedora, and the US government's CISA are among the many organizations urging users of affected Linux distributions to downgrade XZ Utils to an earlier version and to report any malicious activity they find.


The advisories also included instructions for quickly checking systems for backdoored XZ versions. Red Hat said its reverted XZ package would be delivered through the normal update process, and that customers worried about the risk could apply the change immediately rather than waiting for the regular update cycle.
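The two checks those advisories asked administrators to run are easy to script. The POSIX shell script below is an added example, not code from the article or from any distribution's advisory: it classifies the installed xz version against the two backdoored releases named above (5.6.0 and 5.6.1, the only facts it hard-codes) and then reports whether the sshd binary on the host actually loads liblzma, which is the condition under which the backdoor reaches the authentication path. The file name xz_check.sh and the helper names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the article or any distribution advisory).
# Checks a host for CVE-2024-3094 exposure in two steps:
#   1. Is the installed xz one of the backdoored releases (5.6.0, 5.6.1)?
#   2. Does the sshd binary load liblzma at all?  On Debian-style builds sshd
#      links libsystemd, which pulls liblzma into the sshd process; on other
#      builds sshd may never touch liblzma, which lowers the urgency.
# Save as xz_check.sh (assumed name) and run it with sh.

# Print just the version token from either a bare "5.6.1" or the first line
# of `xz --version` ("xz (XZ Utils) 5.6.1").
xz_version_token() {
    printf '%s\n' "$1" | head -n 1 | awk '{ print $NF }'
}

# Return 0 (true) when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$(xz_version_token "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when the binary is linked (directly or transitively) against
# liblzma, 1 when it is not, 2 when the file or ldd is unavailable.
# Caveat: ldd runs the dynamic loader, so only point it at binaries you
# trust; for an unknown file prefer `readelf -d` or `objdump -p`, which
# show direct NEEDED entries without executing anything.
links_liblzma() {
    [ -r "$1" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$1" 2>/dev/null | grep -q 'liblzma\.so'
}

# Inspect the live host.  Exit status: 0 nothing found, 1 backdoored xz
# installed, 3 sshd loads liblzma and needs a closer look.
check_host() {
    status=0
    if command -v xz >/dev/null 2>&1; then
        v=$(xz --version 2>/dev/null | head -n 1)
        if xz_version_affected "$v"; then
            echo "AFFECTED: installed $v (downgrade now)"
            status=1
        else
            echo "ok: installed $v"
        fi
    else
        echo "skip: no xz binary in PATH"
    fi

    # sshd usually lives in /usr/sbin, which is not on a non-root PATH.
    sshd_bin=$(command -v sshd 2>/dev/null)
    [ -n "$sshd_bin" ] || [ ! -x /usr/sbin/sshd ] || sshd_bin=/usr/sbin/sshd
    if [ -n "$sshd_bin" ]; then
        rc=0
        links_liblzma "$sshd_bin" || rc=$?
        case "$rc" in
            0) echo "review: $sshd_bin loads liblzma; confirm which version"
               [ "$status" -ne 0 ] || status=3 ;;
            1) echo "ok: $sshd_bin does not load liblzma" ;;
            *) echo "skip: could not inspect $sshd_bin" ;;
        esac
    else
        echo "skip: sshd not found"
    fi
    return "$status"
}

# Run the live check only when executed as the script itself, so the
# functions above can also be sourced from other tooling.
case "$0" in *xz_check.sh) check_host; exit $? ;; esac
```

Run it as `sh xz_check.sh` and treat exit status 1 as an immediate downgrade, and status 3 as a prompt to verify the liblzma version that sshd maps (for example from /proc/PID/maps of a running sshd). Version matching alone is the weaker of the two checks, because a backdoored library can be present under a repackaged version string; the distribution advisories and Binarly's scanner look at the binary itself for that reason.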


Binarly has also released a free scanner that helps organizations find backdoored XZ binaries.

"This bad code could have been used by a lot of people if it had been added to stable OS releases in a number of Linux distributions," says Scott Caveza, a staff research engineer at Tenable. "The longer this went unnoticed, the greater the potential for more malicious code from whomever this malicious actor might be."


Tenable explained in a Frequently Asked Questions (FAQ) post that the backdoor modifies the way liblzma functions, allowing the attacker to intercept and modify data passing through the library. "In the example observed by Freund, under certain conditions, this backdoor could allow a malicious actor to 'break sshd authentication,' allowing the attacker to gain access to an affected system," said the group.


The "Maintainer" Behind the Backdoor


The malicious code was inserted over several years through the account of an XZ Utils maintainer, and the resulting backdoor is highly dangerous. A widely shared blog post by security researcher Evan Boehs traces the story back to 2021, when a GitHub account under the name Jia Tan was created and began submitting suspicious changes to open source projects.


Working alongside other accounts, Jia Tan gradually gained the trust of the XZ maintainers, obtained the ability to change the software, and used it to plant the backdoor.


"All the evidence points to social manipulation being used by a person with the sole end goal of inserting a backdoor," said Boehs. "Basically, there was never a genuine effort to maintain the project, only to gain enough trust to insert [the backdoor] quietly."


Open source projects normally grant commit access only after a contributor has demonstrated trustworthiness over time. Boehs notes that projects admit new maintainers after weighing the risk against their need for help.


"Jia made people think they needed more maintainers and boosted confidence." Boehs said that the trust on which open source communities depend is exactly what bad actors exploit: a project has to trust a contributor before letting them in, building that trust takes time, and Jia Tan was willing to put in that time.


Boehs says it is unclear how far any of Jia Tan's other contributions can be trusted. Jia Tan was the second most active contributor to XZ Utils after the project's original maintainer, making a first commit in 2022 and many more since. GitHub has since suspended the account.

Saumitra Das of Qualys says other projects could suffer the same fate as XZ Utils.


"Many critical libraries in open source are being maintained by volunteers in the community who are not paid for it and can be under pressure due to their personal issues," Das says.


Such maintainers are often glad of any help they are offered, even if it lasts only a short time. "Over time, these kinds of people can gain more control over the code," he says.



© 2024 by DL Info Shield

Phoenix, Arizona