Andres Freund discovered a backdoor in liblzma, the compression library shipped as part of XZ Utils. Freund, a PostgreSQL developer rather than an XZ maintainer, noticed a roughly half-second delay in SSH logins on a system running the updated library, and that observation led to the discovery. The sophisticated supply chain attack appears to be the work of one of the newer XZ maintainers.
XZ Backdoor Compromises Numerous Linux Systems
The story of the XZ backdoor is remarkable, unfolding with intriguing developments on both sides and potentially worthy of a future screen adaptation. Jia Tan, a pseudonymous contributor, began working toward maintainer status in 2021.
Like many technically minded users of open-source projects, he contributed bug fixes and proposed new features. Reportedly, a steady stream of bug reports and complaints about slow maintenance pushed the project's sole maintainer to seek help, and Tan, by then the most active contributor, became the obvious candidate for the role.
The result of this lengthy process was a deeply hidden backdoor (CVE-2024-3094). The build-time hook that installs it was absent from the public git repository and appeared only in the release tarballs for 5.6.0 and 5.6.1, which is what distributions build from; the obfuscated payload itself was committed to the repository disguised as binary test files. The pieces were added gradually, looking like routine development work, so that no single change would attract review: an elaborate covert operation.
On affected systems the backdoor targets the OpenSSH server: distributions that patch sshd to link against libsystemd pull liblzma into the sshd process, and the malicious code hooks the RSA public-key signature check so that an attacker holding the matching private key can execute commands as root before authentication completes. Because SSH is how administrators reach nearly every Linux server, and those servers hold vast amounts of data, this is a severe threat. More details about the operation emerged during the investigation.
Once the malicious releases were out, requests to update to the new XZ version appeared in the bug trackers of several Linux distributions, apparently posted by Jia Tan or associates. Some distributions complied and shipped the backdoored package.
Andres Freund, a PostgreSQL developer, stumbled upon the backdoor by luck. He noticed that SSH logins took about 500 ms longer than before and that sshd consumed unusual CPU time, which prompted him to investigate. Profiling led him to the updated liblzma and to the backdoor hidden within it.
His disclosure of the malicious changes was published on March 29, 2024. How long the backdoor had been live is unclear, but rolling and testing distributions had been shipping the affected versions since early March.
Distribution | Affected versions
--- | ---
Kali | All versions released after March 26, 2024
Arch | All versions after 2024.03.01 (VM images 20240301.218094 and later)
Alpine | 5.6.x versions before the 5.6.1-r2 update
Debian | Only testing/unstable, from 5.5.1alpha-0.1 up to 5.6.1
openSUSE | All Tumbleweed and MicroOS versions released between March 7 and March 28, 2024
Fedora (Red Hat) | Fedora Linux Rawhide and Fedora Linux 40 beta
Mitigation
Affected users should downgrade to a version that predates the malicious code (the 5.4.x series) or upgrade to a distribution package from which it has been removed, then restart sshd (or reboot) so the old library is no longer loaded in any running process. Hosts that ran sshd with the backdoored library while exposed to the Internet should be treated as potentially compromised. Investigations are still ongoing, given the potential for more severe consequences from this supply chain attack.
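A quick host check, added here as an example and not part of the original advisory or of the XZ project: it extracts the version reported by `xz --version`, flags the two backdoored releases, and reports whether the sshd binary links liblzma (directly or through libsystemd), which is the condition under which the hook becomes reachable. It assumes `xz`, `ldd` and `sshd` are in their usual locations. A distribution that patched 5.6.1 in place (Alpine's 5.6.1-r2) will still report 5.6.1 here, so confirm with the package manager before acting on the result.

```shell
#!/bin/sh
# Added example (not from the original page or the XZ project): check a host
# for the backdoored XZ Utils releases and for an sshd that loads liblzma.

# Return 0 (true) if the given version string is one of the two releases
# whose tarballs carried the CVE-2024-3094 backdoor.
is_backdoored_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1"; the version is the last field.
xz_version_from_output() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $NF; exit }'
}

# Return 0 if the given binary (or a library it depends on) links liblzma.
# On the affected distributions sshd gets liblzma transitively via libsystemd.
links_liblzma() {
  command -v ldd >/dev/null 2>&1 || return 1
  ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Run both checks against the local host; return 1 if anything looks suspicious.
check_host() {
  suspicious=0
  if command -v xz >/dev/null 2>&1; then
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if is_backdoored_version "$ver"; then
      echo "xz $ver is a backdoored release; downgrade or update the package"
      suspicious=1
    else
      echo "xz $ver is not one of the backdoored releases"
    fi
  else
    echo "xz not installed"
  fi

  # Try sshd from PATH first, then the conventional location.
  for sshd in "$(command -v sshd 2>/dev/null)" /usr/sbin/sshd; do
    [ -n "$sshd" ] && [ -x "$sshd" ] || continue
    if links_liblzma "$sshd"; then
      echo "$sshd links liblzma: the backdoor hook would be reachable here"
      # liblzma inside sshd only matters when a backdoored version is installed
      [ "$suspicious" -eq 1 ] || echo "  (installed xz version is not affected)"
    else
      echo "$sshd does not link liblzma"
    fi
    break
  done
  return "$suspicious"
}

check_host
```

The exit status is 1 only when a backdoored version is installed, so the script can be dropped into a fleet-wide sweep; the ldd line is informational and tells you whether a given host was actually exposed, since liblzma in sshd is harmless with a clean library but is exactly what made the hook reachable on the listed distributions.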