XZ Utils backdoor

Last updated

XZ Utils backdoor
XZ logo contributed by Jia Tan.png
Previous XZ logo contributed by Jia Tan
CVE identifier(s) CVE- 2024-3094
Date discovered29 March 2024;2 months ago (2024-03-29)
Date patched29 March 2024;2 months ago (2024-03-29) [lower-alpha 1] [1]
DiscovererAndres Freund
Affected software xz / liblzma library
Website tukaani.org/xz-backdoor/

On 29 March 2024, software developer Andres Freund reported that he had found a maliciously introduced backdoor in the Linux utility xz within the liblzma library in versions 5.6.0 and 5.6.1 released by an account using the name "Jia Tan" [lower-alpha 2] in February 2024. [2]

Contents

While xz is commonly present in most Linux distributions, at the time of discovery the backdoored version had not yet been widely deployed to production systems, but was present in development versions of major distributions. [3]

The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution capabilities on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE - 2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score. [4] [5] [6]

Background

Microsoft employee and PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid. [7] Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage as well as causing errors in Valgrind, [8] a memory debugging tool. [9] Freund reported his finding to Openwall Project's open source security mailing list, [8] which brought it to the attention of various software vendors. [9] The attacker made efforts to obfuscate the code, [10] as the backdoor consists of multiple stages that act together. [11]

Once the compromised version is incorporated into the operating system, it alters the behavior of OpenSSH's SSH server daemon by abusing the systemd library, allowing the attacker to gain administrator access. [11] [9] According to the analysis by Red Hat, the backdoor can "enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely". [12]

A subsequent investigation found that the campaign to insert the backdoor into the XZ Utils project was a culmination of approximately three years of effort by a user going by the name Jia Tan and the nickname JiaT75 to gain access to a position of trust within the project. After a period of pressure on the founder and head maintainer to hand over the control of the project via apparent sock puppetry Jia Tan gained the position of co-maintainer of XZ Utils and was able to sign off on version 5.6.0, which introduced the backdoor, and version 5.6.1, which patched some anomalous behavior that can be apparent during software testing of the operating system. [9]

Some of the suspected sock puppetry pseudonyms include accounts with usernames like Jigar Kumar, krygorin4545, and misoeater91. It is suspected that the names Jia Tan, as well as the supposed code author Hans Jansen (for versions 5.6.0 and 5.6.1) are pseudonyms chosen by the participants of the campaign. Neither have any sort of visible public presence in software development beyond the short few years of the campaign. [13] [14]

The backdoor was notable for its level of sophistication and for the fact that the perpetrator practiced a high level of operational security for a long period of time while working to attain a position of trust. American security researcher Dave Aitel has suggested that it fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian SVR. [15] Journalist Thomas Claburn suggested that it could be any state actor or a non-state actor with considerable resources. [16]

Mechanism

The malicious code is known to be in 5.6.0 and 5.6.1 releases of the XZ Utils software package. The exploit remains dormant unless a specific third-party patch of the SSH server is used. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely. [12] The malicious mechanism consists of two compressed test files that contain the malicious binary code. These files are available in the git repository, but remain dormant unless extracted and injected into the program. [6] The code uses the glibc IFUNC mechanism to replace an existing function in OpenSSH called RSA_public_decrypt with a malicious version. OpenSSH normally does not load liblzma, but a common third-party patch used by several Linux distributions causes it to load libsystemd, which in turn loads lzma. [6] A modified version of build-to-host.m4 was included in the release tar file uploaded on GitHub, which extracts a script that performs the actual injection into liblzma. This modified m4 file was not present in the git repository; it was only available from tar files released by the maintainer separate from git. [6] The script appears to perform the injection only when the system is being built on an x86-64 Linux system that uses glibc and GCC and is being built via dpkg or rpm. [6]

Response

Remediation

The US federal Cybersecurity and Infrastructure Security Agency has issued a security advisory recommending that the affected devices should roll back to a previous uncompromised version. [17] Linux software vendors, including Red Hat, SUSE, and Debian, have reverted the affected packages to older versions. [12] [18] [19] GitHub disabled the mirrors for the xz repository before subsequently restoring them. [20]

Canonical postponed the beta release of Ubuntu 24.04 LTS and its flavours by a week and opted for a complete binary rebuild of all the distribution's packages. [21] Although the stable version of Ubuntu was unaffected, upstream versions were. This precautionary measure was taken because Canonical could not guarantee by the original release deadline that the discovered backdoor did not affect additional packages during compilation. [22]

Broader response

xkcd no. 2347 Dependency
Searchtool.svg xkcd comic no. 2347 Dependency has been frequently referenced by commentators for capturing the predicament of a single unpaid volunteer maintaining critical, widely depended-upon software. [23] [24]

Computer scientist Alex Stamos opined that "this could have been the most widespread and effective backdoor ever planted in any software product", noting that had the backdoor remained undetected, it would have "given its creators a master key to any of the hundreds of millions of computers around the world that run SSH". [25] In addition, the incident also started a discussion regarding the viability of having critical pieces of cyberinfrastructure depend on unpaid volunteers. [26]

Notes

  1. The vulnerability was effectively patched within hours of discovery by reverting to a previous version known to be safe.
  2. Whether Jia Tan is a group of people, a real name of a single person or a pseudonym of a single person is not known publicly.

Related Research Articles

<span class="mw-page-title-main">Linux distribution</span> Operating system based on the Linux kernel

A Linux distribution is an operating system made from a software collection that includes the Linux kernel and often a package management system. They are often obtained from the website of each distribution, which are available for a wide variety of systems ranging from embedded devices and personal computers to servers and powerful supercomputers.

<span class="mw-page-title-main">GNOME Evolution</span> Personal information manager software and workgroup information management tool for GNOME

GNOME Evolution is the official personal information manager for GNOME. It has been an official part of GNOME since Evolution 2.0 was included with the GNOME 2.8 release in September 2004. It combines e-mail, address book, calendar, task list and note-taking features. Its user interface and functionality is similar to Microsoft Outlook. Evolution is free software licensed under the terms of the GNU Lesser General Public License (LGPL).

Info-ZIP is a set of open-source software to handle ZIP archives. It has been in circulation since 1989. It consists of 4 separately-installable packages: the Zip and UnZip command-line utilities; and WiZ and MacZip, which are graphical user interfaces for archiving programs in Microsoft Windows and classic Mac OS, respectively.

A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device, or its embodiment. Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptosystems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information within autoschediastic networks.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

<span class="mw-page-title-main">Webmin</span> Web-based control panel for Unix-like systems

Webmin is a web-based server management control panel for Unix-like systems. Webmin allows the user to configure operating system internals, such as users, disk quotas, services and configuration files, as well as modify and control open-source apps, such as BIND, Apache HTTP Server, PHP, and MySQL.

Technical variations of Linux distributions include support for different hardware devices and systems or software package configurations. Organizational differences may be motivated by historical reasons. Other criteria include security, including how quickly security upgrades are available; ease of package management; and number of packages available.

<span class="mw-page-title-main">Git</span> Distributed version control software system

Git is a distributed version control system that tracks versions of files. It is often used to control source code by programmers collaboratively developing software.

<span class="mw-page-title-main">Openwall Project</span> Software distributor

The Openwall Project is a source for various software, including Openwall GNU/*/Linux (Owl), a security-enhanced Linux distribution designed for servers. Openwall patches and security extensions have been included into many major Linux distributions.

<span class="mw-page-title-main">Banshee (media player)</span> Open source media player

Banshee was a cross-platform open-source media player, called Sonance until 2005. Built upon Mono and Gtk#, it used the GStreamer multimedia platform for encoding, and decoding various media formats, including Ogg Vorbis, MP3 and FLAC. Banshee can play and import audio CDs and supports many portable media players, including Apple's iPod, Android devices and Creative's ZEN players. Other features include Last.fm integration, album artwork fetching, smart playlists and podcast support. Banshee is released under the terms of the MIT License. Stable versions are available for many Linux distributions, as well as a beta preview for OS X and an alpha preview for Windows.

<span class="mw-page-title-main">AppArmor</span> Linux kernel security module

AppArmor is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been partially included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.

<span class="mw-page-title-main">Fail2ban</span> Intrusion prevention software framework

Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.

<span class="mw-page-title-main">Polkit</span> Component of UNIX systems

Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit allows a level of control of centralized system policy. It is developed and maintained by David Zeuthen from Red Hat and hosted by the freedesktop.org project. It is published as free software under the terms of version 2 of the GNU Lesser General Public License.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

XZ Utils is a set of free software command-line lossless data compressors, including the programs lzma and xz, for Unix-like operating systems and, from version 5.0 onwards, Microsoft Windows. For compression/decompression the Lempel–Ziv–Markov chain algorithm (LZMA) is used. XZ Utils started as a Unix port of Igor Pavlov's LZMA-SDK that has been adapted to fit seamlessly into Unix environments and their usual structure and behavior.

<span class="mw-page-title-main">OpenSSH</span> Set of computer programs providing encrypted communication sessions

OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.

Ansible is a suite of software tools that enables infrastructure as code. It is open-source and the suite includes software provisioning, configuration management, and application deployment functionality.

<span class="mw-page-title-main">Shellshock (software bug)</span> Security bug in the Unix Bash shell discovered in 2014

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

<span class="mw-page-title-main">Windows Subsystem for Linux</span> Compatibility layer for running Linux binary executables natively on Windows

Windows Subsystem for Linux (WSL) is a feature of Microsoft Windows that allows developers to run a Linux environment without the need for a separate virtual machine or dual booting. There are two versions of WSL: WSL 1 and WSL 2. WSL is not available to all Windows 10 users by default. It can be installed either by joining the Windows Insider program or manually via Microsoft Store or Winget.

<span class="mw-page-title-main">Dirty COW</span> Computer security vulnerability

Dirty COW is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.

References

  1. Collin, Lasse. "Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094)". GitHub. Retrieved 19 June 2024.
  2. Corbet, Jonathan. "A backdoor in xz". LWN. Archived from the original on 1 April 2024. Retrieved 2 April 2024.
  3. "CVE-2024-3094". National Vulnerability Database . NIST. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
  4. Gatlan, Sergiu. "Red Hat warns of backdoor in XZ tools used by most Linux distros". BleepingComputer. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  5. Akamai Security Intelligence Group (1 April 2024). "XZ Utils Backdoor – Everything You Need to Know, and What You Can Do". Archived from the original on 2 April 2024. Retrieved 2 April 2024.
  6. 1 2 3 4 5 James, Sam. "xz-utils backdoor situation (CVE-2024-3094)". GitHub. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
  7. Zorz, Zeljka (29 March 2024). "Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)". Help Net Security. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  8. 1 2 "oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise". www.openwall.com. Archived from the original on 1 April 2024. Retrieved 3 April 2024.
  9. 1 2 3 4 Goodin, Dan (1 April 2024). "What we know about the xz Utils backdoor that almost infected the world". Ars Technica. Archived from the original on 1 April 2024. Retrieved 1 April 2024.
  10. O'Donnell-Welch, Lindsey (29 March 2024). "Red Hat, CISA Warn of XZ Utils Backdoor". Decipher. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  11. 1 2 Claburn, Thomas. "Malicious backdoor spotted in Linux compression library xz". The Register. Archived from the original on 1 April 2024. Retrieved 1 April 2024.
  12. 1 2 3 "Urgent security alert for Fedora 41 and Fedora Rawhide users". Red Hat. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  13. "Watching xz unfold from afar". 31 March 2024. Archived from the original on 6 April 2024. Retrieved 6 April 2024.
  14. "Timeline summary of the backdoor attack on XZ Utils". 3 April 2024. Archived from the original on 10 April 2024. Retrieved 7 April 2024.
  15. Greenberg, Andy. "The Mystery of 'Jia Tan,' the XZ Backdoor Mastermind". Wired. Archived from the original on 3 April 2024. Retrieved 3 April 2024.
  16. Claburn, Thomas. "Malicious xz backdoor reveals fragility of open source". The Register. Archived from the original on 8 April 2024. Retrieved 8 April 2024.
  17. "Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094". CISA. 29 March 2024. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  18. "SUSE addresses supply chain attack against xz compression library". SUSE Communities. SUSE. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  19. Salvatore, Bonaccorso (29 March 2024). "[SECURITY][DSA 5649-1] xz-utils security update". debian-security-announce (Mailing list). Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  20. "Important information regarding xz-utils (CVE-2024-3094)". about.gitlab.com. Archived from the original on 1 April 2024. Retrieved 31 May 2024.
  21. "Noble Numbat Beta delayed (xz/liblzma security update)". Ubuntu Community Hub. 3 April 2024. Archived from the original on 10 April 2024. Retrieved 10 April 2024.
  22. Sneddon, Joey (3 April 2024). "Ubuntu 24.04 Beta Delayed Due to Security Issue". OMG! Ubuntu. Archived from the original on 8 April 2024. Retrieved 10 April 2024.
  23. Masnick, Mike (8 April 2024). "The Story Behind The XZ Backdoor Is Way More Fascinating Than It Should Be". Techdirt. Archived from the original on 10 April 2024. Retrieved 12 April 2024.
  24. Colomé, Jordi Pérez (10 April 2024). "How half-a-second of suspicious activity led an engineer to prevent a massive cyberattack". EL PAÍS English. Archived from the original on 12 April 2024. Retrieved 12 April 2024.
  25. Roose, Kevin (3 April 2024). "Did One Guy Just Stop a Huge Cyberattack?". The New York Times. Archived from the original on 4 April 2024. Retrieved 4 April 2024.
  26. Khalid, Amrita (2 April 2024). "How one volunteer stopped a backdoor from exposing Linux systems worldwide". The Verge. Archived from the original on 4 April 2024. Retrieved 4 April 2024.


This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.