XZ Utils backdoor explained
XZ Utils backdoor
Patched: [1]
Discoverer: Andres Freund
Affected software: xz / liblzma library
Between November 2021 and February 2024, a malicious backdoor was introduced into the Linux utility xz, within the liblzma library, in versions 5.6.0 and 5.6.1 by an account using the name "Jia Tan".[2] The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution capability on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score.[3][4]
While xz is commonly present in most Linux distributions, at the time of discovery the backdoored version had not yet been widely deployed to production systems, but was present in development versions of major distributions.[5] The backdoor was discovered by the software developer Andres Freund, who announced his findings on 29 March 2024.[6]
Background
Microsoft employee and PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid.[7] Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage as well as causing errors in Valgrind, a memory debugging tool.[8] Freund reported his finding to Openwall Project's open source security mailing list,[9] which brought it to the attention of various software vendors. The attacker made efforts to obfuscate the code,[10] as the backdoor consists of multiple stages that act together.[11]
Once the compromised version is incorporated into the operating system, it alters the behavior of OpenSSH's SSH server daemon by abusing the systemd library, allowing the attacker to gain administrator access. According to the analysis by Red Hat, the backdoor can "enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".[12]
A subsequent investigation found that the campaign to insert the backdoor into the XZ Utils project was the culmination of approximately three years of effort, between November 2021 and February 2024, by a user going by the name Jia Tan and the nickname JiaT75, to gain a position of trust within the project. After a period of pressure on the founder and head maintainer to hand over control of the project, apparently applied through sock puppetry, Jia Tan became co-maintainer of XZ Utils and was able to sign off on version 5.6.0, which introduced the backdoor, and version 5.6.1, which patched some anomalous behavior that could have been apparent during software testing of the operating system.
Some of the suspected sock-puppet pseudonyms include accounts with usernames such as Jigar Kumar, krygorin4545, and misoeater91. It is suspected that the name Jia Tan, as well as the supposed code author Hans Jansen (for versions 5.6.0 and 5.6.1), are pseudonyms chosen by the participants in the campaign. Neither has any visible public presence in software development beyond the few years of the campaign.[13][14]
The backdoor was notable for its level of sophistication and for the fact that the perpetrator practiced a high level of operational security for a long period of time while working to attain a position of trust. American security researcher Dave Aitel has suggested that it fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian SVR.[15] Journalist Thomas Claburn suggested that it could be any state actor or a non-state actor with considerable resources.[16]
Mechanism
The malicious code is known to be in the 5.6.0 and 5.6.1 releases of the XZ Utils software package. The exploit remains dormant unless a specific third-party patch of the SSH server is used. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely. The malicious mechanism consists of two compressed test files that contain the malicious binary code. These files are available in the git repository, but remain dormant unless extracted and injected into the program. The code uses the glibc IFUNC mechanism to replace an existing function in OpenSSH called with a malicious version. OpenSSH normally does not load liblzma, but a common third-party patch used by several Linux distributions causes it to load libsystemd, which in turn loads lzma. A modified version of was included in the release tar file uploaded on GitHub, which extracts a script that performs the actual injection into . This modified m4 file was not present in the git repository; it was only available from tar files released by the maintainer separate from git. The script appears to perform the injection only when the system is being built on an x86-64 Linux system that uses glibc and GCC and is being built via dpkg or rpm.
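A defender-side check for the two conditions described above, a backdoored liblzma release and an sshd that loads liblzma through the libsystemd patch, assuming the usual `xz --version` and `ldd` output formats. This is an added example, not code from the article's sources or the xz project:

```shell
#!/bin/sh
# Added example for this article, not code from the xz project or its sources.
# It checks the two conditions the Mechanism section describes together:
# a backdoored liblzma release (5.6.0 or 5.6.1) and an sshd that pulls
# liblzma into its address space through the distribution's libsystemd patch.

# Extract the version from `xz --version` output passed as $1
# (the first line reads like "xz (XZ Utils) 5.6.1").
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*(XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Succeed only for the two releases the article identifies as backdoored.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Succeed if `ldd` output for sshd (passed as $1) lists liblzma, which is
# what the libsystemd patch causes on affected distributions.
sshd_loads_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both checks and print one verdict:
#   VULNERABLE        backdoored version and sshd loads it
#   BAD-VERSION-ONLY  backdoored version installed, sshd does not load it
#   OK                version is not one of the backdoored releases
classify_host() {
    ver=$(xz_version_from_output "$1")
    if xz_version_is_backdoored "$ver"; then
        if sshd_loads_liblzma "$2"; then echo VULNERABLE; else echo BAD-VERSION-ONLY; fi
    else
        echo OK
    fi
}

# Constructed sample outputs so the script runs offline. On a real host use:
#   classify_host "$(xz --version)" "$(ldd /usr/sbin/sshd)"
SAMPLE_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='  libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000)
  liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)'
classify_host "$SAMPLE_XZ" "$SAMPLE_LDD"   # prints VULNERABLE
```

A BAD-VERSION-ONLY result still calls for the rollback the advisories recommend, since the dormant code is present even when sshd does not load it.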
Response
Remediation
The US federal Cybersecurity and Infrastructure Security Agency issued a security advisory recommending that affected devices roll back to a previous, uncompromised version.[17] Linux software vendors, including Red Hat, SUSE, and Debian, reverted the affected packages to older versions.[18][19] GitHub disabled the mirrors for the xz repository before subsequently restoring them.[20]
Canonical postponed the beta release of Ubuntu 24.04 LTS and its flavours by a week and opted for a complete binary rebuild of all the distribution's packages.[21] Although the stable version of Ubuntu was unaffected, upstream versions were. This precautionary measure was taken because Canonical could not guarantee by the original release deadline that the discovered backdoor did not affect additional packages during compilation.[22]
Broader response
Computer scientist Alex Stamos opined that "this could have been the most widespread and effective backdoor ever planted in any software product", noting that had the backdoor remained undetected, it would have "given its creators a master key to any of the hundreds of millions of computers around the world that run SSH".[23] In addition, the incident also started a discussion regarding the viability of having critical pieces of cyberinfrastructure depend on unpaid volunteers.[24]
Notes and References
- [1] Lasse Collin, "Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094)", GitHub, 19 June 2024.
- [2] Sam James, "xz-utils backdoor situation (CVE-2024-3094)", GitHub, 2 April 2024. https://web.archive.org/web/20240402010500/https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
- [3] Sergiu Gatlan, "Red Hat warns of backdoor in XZ tools used by most Linux distros", BleepingComputer, 29 March 2024. https://web.archive.org/web/20240329192759/https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/
- [4] Akamai Security Intelligence Group, "XZ Utils Backdoor – Everything You Need to Know, and What You Can Do", 1 April 2024. https://web.archive.org/web/20240402014912/https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know
- [5] NIST, "CVE-2024-3094", 2 April 2024. https://web.archive.org/web/20240402031933/https://nvd.nist.gov/vuln/detail/CVE-2024-3094
- [6] Jonathan Corbet, "A backdoor in xz", LWN, 2 April 2024. https://web.archive.org/web/20240401224317/https://lwn.net/Articles/967180/
- [7] Zeljka Zorz, "Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)", Help Net Security, 29 March 2024. https://web.archive.org/web/20240329192805/https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/
- [8] Dan Goodin, "What we know about the xz Utils backdoor that almost infected the world", Ars Technica, 1 April 2024. https://web.archive.org/web/20240401072048/https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
- [9] "oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise", www.openwall.com, 3 April 2024. https://web.archive.org/web/20240401131219/https://www.openwall.com/lists/oss-security/2024/03/29/4
- [10] Lindsey O'Donnell-Welch, "Red Hat, CISA Warn of XZ Utils Backdoor", Decipher, 29 March 2024. https://web.archive.org/web/20240329204451/https://duo.com/decipher/red-hat-warns-of-malicious-code-in-xz-utils
- [11] Thomas Claburn, "Malicious backdoor spotted in Linux compression library xz", The Register, 1 April 2024. https://web.archive.org/web/20240401022057/https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
- [12] Red Hat, "Urgent security alert for Fedora 41 and Fedora Rawhide users", 29 March 2024. https://web.archive.org/web/20240329172128/https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- [13] "Watching xz unfold from afar", 31 March 2024. https://web.archive.org/web/20240406063707/https://connortumbleson.com/2024/03/31/watching-xz-unfold-from-afar/
- [14] "Timeline summary of the backdoor attack on XZ Utils", 3 April 2024. https://web.archive.org/web/20240410211550/https://gigazine.net/gsc_news/en/20240403-timeline-of-xz-open-source-attack
- [15] Andy Greenberg, "The Mystery of 'Jia Tan,' the XZ Backdoor Mastermind", Wired, 3 April 2024. https://web.archive.org/web/20240403141041/https://www.wired.com/story/jia-tan-xz-backdoor/
- [16] Thomas Claburn, "Malicious xz backdoor reveals fragility of open source", The Register, 8 April 2024. https://web.archive.org/web/20240408003643/https://www.theregister.com/2024/04/01/xz_backdoor_open_source/
- [17] CISA, "Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094", 29 March 2024. https://web.archive.org/web/20240329182032/https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- [18] SUSE, "SUSE addresses supply chain attack against xz compression library", SUSE Communities, 29 March 2024. https://web.archive.org/web/20240329215538/https://www.suse.com/c/suse-addresses-supply-chain-attack-against-xz-compression-library/
- [19] Salvatore Bonaccorso, "[SECURITY] [DSA 5649-1] xz-utils security update", debian-security-announce, 29 March 2024. https://web.archive.org/web/20240329171247/https://lists.debian.org/debian-security-announce/2024/msg00057.html
- [20] "Important information regarding xz-utils (CVE-2024-3094)", about.gitlab.com, 31 May 2024. https://web.archive.org/web/20240401194824/https://about.gitlab.com/blog/2024/03/30/important-information-regarding-xz-utils-cve-2024-3094/
- [21] "Noble Numbat Beta delayed (xz/liblzma security update)", Ubuntu Community Hub, 3 April 2024. https://web.archive.org/web/20240410120702/https://discourse.ubuntu.com/t/noble-numbat-beta-delayed-xz-liblzma-security-update/43827
- [22] Joey Sneddon, "Ubuntu 24.04 Beta Delayed Due to Security Issue", OMG! Ubuntu, 10 April 2024. https://web.archive.org/web/20240408084344/https://www.omgubuntu.co.uk/2024/04/ubuntu-24-04-beta-delayed
- [23] Kevin Roose, "Did One Guy Just Stop a Huge Cyberattack?", The New York Times, 3 April 2024. https://web.archive.org/web/20240404000115/https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html
- [24] Amrita Khalid, "How one volunteer stopped a backdoor from exposing Linux systems worldwide", The Verge, 4 April 2024. https://web.archive.org/web/20240404022427/https://www.theverge.com/2024/4/2/24119342/xz-utils-linux-backdoor-attempt