Malicious Code in XZ Utils for Linux Enables Remote Code Execution

April 2, 2024

A new report has shed light on a significant security threat to Linux systems. The open-source library XZ Utils, which is widely used in numerous Linux distributions, has been infiltrated with malicious code. This code, alarmingly, allows for remote code execution. This supply chain compromise, identified as CVE-2024-3094, was brought to attention last week by Microsoft engineer and PostgreSQL developer Andres Freund, who discovered a backdoor in the data compression utility. This backdoor allows remote attackers to bypass secure shell authentication and gain full access to the compromised system.

The malicious code is believed to have been intentionally introduced by a project maintainer named Jia Tan (also known as Jia Cheong Tan or JiaT75). This appears to be a calculated attack that has been in the works for several years. The identity of the threat actor(s) remains unknown. According to a report by Akamai, the threat actor began contributing to the XZ project nearly two years ago, gradually building credibility until they were entrusted with maintainer responsibilities.

It is suspected that sockpuppet accounts, such as Jigar Kumar and Dennis Ens, were used to send feature requests and report issues with the software. This forced the original maintainer, Lasse Collin of the Tukaani Project, to add a new co-maintainer to the repository. This new co-maintainer, Jia Tan, introduced a series of changes to XZ Utils in 2023, which were included in the release version 5.6.0 in February 2024. These changes contained a sophisticated backdoor.

The backdoor affects XZ Utils 5.6.0 and 5.6.1 release tarballs. Collin has since acknowledged the breach in the project, stating that both tarballs were created and signed by Jia Tan. Firmware security company Binarly described the operation as a 'complex state-sponsored operation with impressive sophistication and multi-year planning'.
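As an added example, not part of the article or of the XZ project, the following POSIX shell snippet parses the first line of `xz --version` output and reports whether the installed release is one of the two versions named above (5.6.0 and 5.6.1). The function names and the sample version string used for testing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): report whether the xz/liblzma
# release on this host is one of the two versions the article names
# as carrying the CVE-2024-3094 backdoor. Function names are hypothetical.

# Return 0 when the version string is one of the affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` text, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the text as an argument so it
# can be exercised offline on constructed output.
xz_version_from_output() {
    printf '%s\n' "$1" |
        sed -n '1s/^.*[[:space:]]\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*$/\1/p'
}

# Inspect the xz binary on this host. Exit status: 0 affected, 1 not one of
# the named versions, 2 xz not installed.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$ver"; then
        echo "xz $ver: release named as backdoored (CVE-2024-3094); check your distribution's advisory"
        return 0
    fi
    echo "xz ${ver:-unknown}: not one of the affected release versions"
    return 1
}

# Run the live check only when invoked with --check, so the functions can
# also be sourced and tested without touching the host.
if [ "${1:-}" = "--check" ]; then
    check_installed_xz
    exit $?
fi
```

Run it as `sh check_xz.sh --check`. The check matches only the two release version numbers the article names; a distribution that shipped a patched or downgraded build may report a different string, so treat the result as a first triage step and defer to the distribution's advisory for the package actually installed.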

An in-depth examination of the backdoor by open-source cryptographer Filippo Valsorda revealed that the affected versions allow specific remote attackers to send arbitrary payloads through an SSH certificate. This effectively allows them to take control of the victim machine. Akamai stated, 'This means that any machine with the vulnerable package that exposes SSH to the internet is potentially vulnerable.'

The discovery of this backdoor is considered one of the most significant supply chain attacks to date. It could have resulted in a severe security disaster if the package had been integrated into stable releases of Linux distributions. JFrog noted the 'extreme levels of dedication of the attacker, working more than two years to establish themselves as a legitimate maintainer'. This incident, like the Apache Log4j case, underscores the risks associated with reliance on open-source software and volunteer-run projects.
