Intricate Supply Chain Attack Implants Backdoor in XZ Utils

April 1, 2024

A newly discovered backdoor in XZ Utils, a data compression utility found in nearly all Linux distributions, has renewed concerns about software supply chain security. This backdoor, embedded in a library called liblzma, allows remote attackers to bypass secure shell authentication, thereby gaining full control over an affected system. The malware was found in XZ Utils 5.6.0 and 5.6.1, which are currently used only in unstable and beta releases of Fedora, Debian, Kali, openSUSE, and Arch Linux. This limits the potential threat of the backdoor for now. However, the fact that someone managed to sneak a nearly undetectable backdoor into a trusted, widely used open source component has highlighted the vulnerability of organizations to supply chain attacks.

The attacker, who had maintainer-level access to the code, appears to have carefully executed the attack over several years. According to JFrog researchers, the attacker built up a credible reputation as an open source software developer over multiple years and used highly obfuscated code to evade detection by code reviews. This supply chain attack was a shock to the open source software community, as XZ Utils was considered a trusted and scrutinized project.

The backdoor was discovered by Microsoft developer Andres Freund while investigating unusual behavior around liblzma on some Debian installations. Upon further investigation, Freund found that the issue actually affected the upstream XZ repository and associated archive files, leading to a public disclosure of the threat on March 29.

Following the disclosure, security teams associated with Fedora, Debian, openSUSE, Kali, and Arch issued urgent advisories, alerting organizations running the affected Linux releases to immediately revert to earlier, more stable releases of their software to mitigate the potential risk of remote code execution. Red Hat, the main sponsor and contributor to Fedora, assigned the backdoor a vulnerability identifier (CVE-2024-3094) and rated it as a maximum severity risk to draw attention to the threat. The US Cybersecurity and Infrastructure Security Agency (CISA) also urged organizations using affected Linux distributions to downgrade their XZ Utils to an earlier version and to report any potential activity related to the backdoor.
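The version check implied by those advisories, written as an added example that is not from the article or from any distribution's advisory: it parses the `xz --version` banner (the two-line format shown in the comments is an assumption) and flags only the two releases the article names, 5.6.0 and 5.6.1.

```shell
#!/bin/sh
# Added example, not part of the article. Flags the XZ Utils releases the
# advisories name as carrying the CVE-2024-3094 backdoor: 5.6.0 and 5.6.1.
# Assumed banner format of `xz --version` (two lines):
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1

# Print one "name version" line per recognised component of the banner.
parse_xz_banner() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/xz \1/p' \
        -e 's/^liblzma \([0-9][0-9.]*\).*/liblzma \1/p'
}

# Exit 0 when the version is one of the backdoored releases, 1 otherwise.
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Assess a whole banner. Checks the xz binary and liblzma separately, since
# the library is where the backdoor lives and may differ from the binary.
# Exit status: 0 clean, 2 at least one affected component, 3 unparseable.
assess_xz_banner() {
    report=$(parse_xz_banner "$1" | while read -r name ver; do
        if xz_is_affected "$ver"; then
            echo "AFFECTED: $name $ver (CVE-2024-3094) - downgrade per advisory"
        else
            echo "ok: $name $ver"
        fi
    done)
    [ -n "$report" ] || { echo "unrecognised xz banner"; return 3; }
    printf '%s\n' "$report"
    case "$report" in
        *AFFECTED*) return 2 ;;
        *)          return 0 ;;
    esac
}

# Stand-alone use: assess the xz installed on this host, if there is one.
if command -v xz >/dev/null 2>&1; then
    assess_xz_banner "$(xz --version 2>/dev/null)"
fi
```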

The backdoor is particularly concerning because it was embedded in the package by someone using an account belonging to a maintainer of XZ Utils in what appears to have been a carefully planned multiyear operation. Security researcher Evan Boehs traced the malicious activity back to 2021, when an individual named Jia Tan created a GitHub account and started making suspicious changes to some open source projects. Boehs suggests that all evidence points to social manipulation by a person with the sole end goal of inserting a backdoor.

The incident with XZ Utils is a reminder that similar attacks can happen elsewhere. As Saumitra Das, vice president of engineering at Qualys, points out, many critical libraries in open source are being maintained by volunteers in the community who are not paid for it and can be under pressure due to their personal issues. Maintainers who are under pressure often welcome contributors who are willing to spend even a little bit of time on their projects. Over time, such individuals can gain more control over the code, as was the case with XZ Utils.
