Major Linux distributions have been impacted by a supply chain attack involving backdoored versions of the XZ Utils data compression library.
Microsoft software engineer Andres Freund, who discovered the backdoor, explains that the malicious code was introduced in the tarball download package in XZ Utils version 5.6.0 released in February 2024.
Version 5.6.1 was released shortly after with updated malicious code that included additional obfuscation and fixes for errors occurring in some configurations.
The code was designed to execute at the end of a script and modify the liblzma library, which is part of the XZ Utils package, to provide unauthenticated access to the system. Red Hat tracks the issue as CVE-2024-3094, with a CVSS score of 10/10.
“Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library,” Red Hat explains.
The backdoor interferes with authentication in sshd via systemd, tapping into the service that allows remote access to systems over the SSH protocol, potentially allowing attackers to break sshd authentication and gain access to the system.
“As attackers continue to evolve and vulnerabilities by design are becoming more of a norm, the CVE-2024-3094-xz supply chain attack only raises more red flags to ensure the perimeter is secured,” Dor Dali, Head of Security Research at Cyolo, told SecurityWeek.
“The vulnerability exposed a critical security risk, that ultimately grants attackers the ability to circumvent authentication protocols and access entire systems remotely,” Dali said. “The malicious code found shows how critical it is for organizations to follow best practices, including avoiding the exposure of SSH directly to the internet and implementing additional security measures.”
To date, the Linux distributions to have confirmed impact from the attack include Fedora Rawhide and Fedora Linux 40 beta (but not Red Hat Enterprise Linux), openSUSE Tumbleweed and openSUSE MicroOS, Kali Linux, and Arch Linux.
Debian and Ubuntu announced that no stable release included the backdoored packages, and Amazon Linux, Alpine Linux, Gentoo Linux, and Linux Mint are not affected.
Software supply chain company Binarly has released a free backdoor detector called XZ.fail that includes generic IFUNC implantation detection with close to zero false-positives. Binarly’s detection is based on behavioral analysis and can detect any invariants automatically if a similar backdoor is implanted somewhere else.
In addition, other security researchers have released a script that allows users to scan their systems to determine if they are using the malicious library.
A command line tool for compressing/decompressing .xz files, XZ Utils is used not only in various Linux distributions, but also as a dependency for other libraries, and this supply chain attack has wide implications.
“OpenSSH runs on almost 20 million IPs as of today, and is almost 10 times more prevalent than RDP (Remote Desktop Protocol). Had somebody successfully introduced a widely deployed backdoor, it would have been bad later,” security researcher Kevin Beaumont notes.
To hide itself, the backdoor uses a multi-stage loader, as well as a function that allows for updates to be deployed via additional files, so that the original XZ code changes remain intact.
The backdoor was introduced by Jia Tan, who became XZ Utils’ maintainer last year. His GitHub account, JiaT75, had contributed to other compression-related libraries as well.
After reducing the security protections on the project in late 2023 and updating the URL for the project to GitHub pages, Jia Tan modified the library to include the malicious code in early 2024. The threat actor also made a request to become a Linux kernel module maintainer for XZ Embedded.
According to Lasse Collin, the project’s original author, however, Jia Tan only had access to the GitHub repository, but not to the project’s website, Git repositories, and related files. GitHub has suspended both Collin’s and Tan’s accounts.
“It’s important to note that the attackers didn’t need to commit the malicious code to the public repository. Modifying the release tarball hosted on GitHub and used by Linux distros to build packages would have been sufficient. Committing the code was likely done to make the tarball changes appear less suspicious,” Coinspect CEO and founder Juliano Rizzo notes.
Because the malicious code was included in XZ Utils versions 5.6.0 and 5.6.1, reverting the affected packages to use the 5.4.x versions of the library eliminates the backdoor. XZ Utils 5.4.6 is the latest stable, uncompromised iteration.
The US cybersecurity agency CISA advised developers and users to downgrade XZ Utils to a clean version and to check their systems for any malicious activity.
Related: Watch: Supply Chain and Third Party Risk Summit 2024
Related: Malware Hunters Spot Supply Chain Attack Hitting 3CX Desktop App
Related: Researchers Flag ‘Significant Escalation’ in Software Supply Chain Attacks
