
XZ Utils backdoor

On 29 March 2024, software developer Andres Freund reported that he had found a maliciously introduced backdoor in the liblzma library of the Linux compression utility xz (XZ Utils), in versions 5.6.0 and 5.6.1 released in February and March 2024.[1]

XZ Utils backdoor
Image: previous XZ logo, contributed by Jia Tan
CVE identifier: CVE-2024-3094
Date discovered: 29 March 2024
Date patched: 29 March 2024[a]
Discoverer: Andres Freund
Affected software: xz / liblzma library
Website: tukaani.org/xz-backdoor/

Although xz is present in most Linux distributions, the backdoored versions had not yet been widely deployed to production systems at the time of discovery; they were, however, present in the development branches of several major distributions.[2]

The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution on the affected system through its SSH server. The issue has been assigned the Common Vulnerabilities and Exposures identifier CVE-2024-3094 and a CVSS score of 10.0, the highest possible score.[3][4][5]

Background

Microsoft employee and PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid.[6] Freund noticed that SSH connections were consuming an unexpectedly large amount of CPU time and were also producing errors in Valgrind,[7] a memory debugging tool.[8] He reported his finding to the Openwall Project's oss-security mailing list,[9] which brought it to the attention of software vendors.[8] The attacker went to considerable lengths to obfuscate the code;[10][11] the backdoor consists of multiple stages that act together.[12]

Once the compromised version is incorporated into the operating system, it alters the behavior of OpenSSH's SSH server daemon (sshd), which on affected distributions loads liblzma indirectly through libsystemd, allowing the attacker to gain administrator access.[12][8] According to the analysis by Red Hat, the backdoor can "enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".[13]

A subsequent investigation found that the campaign to insert the backdoor into XZ Utils was the culmination of approximately three years of effort by a user going by the name Jia Tan (GitHub handle JiaT75) to gain a position of trust within the project. After a period of pressure on the founder and head maintainer to hand over control of the project, apparently applied through sock puppet accounts, Jia Tan became co-maintainer of XZ Utils and was able to sign off on version 5.6.0, which introduced the backdoor, and version 5.6.1, which fixed some anomalous behavior that could surface during distributions' testing of the package.[8] Suspected sock puppet pseudonyms include Jigar Kumar, krygorin4545, and misoeater91. The names Jia Tan and Hans Jansen (the nominal author of some of the code in versions 5.6.0 and 5.6.1) are suspected to be inventions of the campaign's participants; neither has any visible public presence in software development beyond the few years of the campaign.[14][15]

The backdoor was notable for its sophistication and for the high level of operational security the perpetrator maintained over a long period while working to attain a position of trust. American security researcher Dave Aitel has suggested that it fits the pattern of APT29, an advanced persistent threat actor believed to work on behalf of the Russian SVR.[16] Thomas Claburn suggested that it could be any state actor, or a non-state actor with considerable resources.[17]

Mechanism

The malicious code is present in the 5.6.0 and 5.6.1 releases of the XZ Utils package. It remains dormant unless the SSH server has been built with a specific third-party patch; under those conditions it can enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.[13]

The payload is carried in two compressed test files in the git repository that contain the malicious binary code. On their own these files are inert; they only take effect when extracted and injected into the library during the build.[5] The injected code uses the glibc IFUNC mechanism to hook RSA_public_decrypt, an OpenSSL function that sshd calls during public-key authentication, replacing it with a malicious version. Stock OpenSSH does not load liblzma at all, but a common third-party patch used by several Linux distributions links sshd against libsystemd, which in turn loads liblzma.[5]

A modified version of build-to-host.m4 was included in the release tarball uploaded to GitHub; it extracts a script that performs the actual injection into liblzma. This modified m4 file was not present in the git repository and was only available from the tarballs released by the maintainer separately from git.[5] The script appears to perform the injection only when the library is being built on an x86-64 Linux system with glibc and GCC, and only when the build is driven by dpkg or rpm.[5]
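The paragraph above names three conditions a defender can test for: an affected liblzma release, an sshd whose dependency closure includes liblzma via libsystemd, and a release tarball whose m4/ directory does not match the git tag. The script below is an added example written for this page; it is not code from the xz project, the article, or any distribution advisory. Each check takes its input as a string so that it runs offline against the constructed samples at the bottom (the version string and ldd listings are made up, not captured from a real host); the path /usr/sbin/sshd and the m4/ layout of the tarball and checkout are assumptions.

```shell
#!/bin/sh
# Triage helpers for CVE-2024-3094. Added example for this page; not code from
# the xz project, the article, or any distribution advisory. Each check takes
# its input as a string so it runs offline against the constructed samples
# below; the comments give the live command whose output to feed in.

# 1. Version triage. Input: output of `xz --version` (first line is
#    "xz (XZ Utils) X.Y.Z"). Affected releases: 5.6.0 and 5.6.1.
#    Exit status 0 means "affected".
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# 2. Load-chain check. Input: output of `ldd /usr/sbin/sshd` (assumed path).
#    Stock OpenSSH never maps liblzma; the distribution patch that links sshd
#    against libsystemd for service notification is what pulls liblzma into
#    the process, and that is the only route by which the IFUNC hook reaches
#    RSA_public_decrypt. ldd lists transitive dependencies, so liblzma shows
#    up even though sshd does not link it directly. Exit status 0 = mapped.
sshd_maps_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# 3. Tarball-vs-git check. Inputs: an unpacked release tarball and a checkout
#    of the matching git tag. Prints every file under m4/ that exists only in
#    the tarball or differs from git; returns 1 if anything was printed, 0 if
#    m4/ is identical. Files that autoreconf copies in from gnulib/gettext
#    legitimately appear as tarball-only, so each hit must then be diffed
#    against the upstream copy; the injected build-to-host.m4 differed from
#    gnulib's.
tarball_m4_matches_git() {
    tar_dir=$1
    git_dir=$2
    found=0
    for f in "$tar_dir"/m4/*.m4; do
        [ -e "$f" ] || continue
        name=${f#"$tar_dir/m4/"}
        if [ ! -e "$git_dir/m4/$name" ]; then
            echo "tarball-only: m4/$name"
            found=1
        elif ! cmp -s "$f" "$git_dir/m4/$name"; then
            echo "differs:      m4/$name"
            found=1
        fi
    done
    return "$found"
}

# Overall verdict for one host, combining checks 1 and 2.
triage() {
    if ! xz_version_affected "$1"; then
        echo "not-affected: xz is not 5.6.0 or 5.6.1"
    elif sshd_maps_liblzma "$2"; then
        echo "backdoor-reachable: affected liblzma and sshd maps it; isolate and roll back"
    else
        echo "affected-xz: roll back even though sshd does not map liblzma"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_PATCHED='    linux-vdso.so.1 (0x00007ffc8d5e1000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2c5a400000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2c5a3c0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2c59e00000)'
SAMPLE_LDD_STOCK='    linux-vdso.so.1 (0x00007ffc8d5e1000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2c59e00000)'

# Stand-alone demo. On a live host substitute "$(xz --version)" and
# "$(ldd /usr/sbin/sshd)" for the samples.
echo "5.6.1, sshd with systemd patch: $(triage "$SAMPLE_XZ_VERSION" "$SAMPLE_LDD_PATCHED")"
echo "5.6.1, stock sshd:              $(triage "$SAMPLE_XZ_VERSION" "$SAMPLE_LDD_STOCK")"
echo "5.4.6, sshd with systemd patch: $(triage 'xz (XZ Utils) 5.4.6' "$SAMPLE_LDD_PATCHED")"
```

Two caveats for live use. ldd runs the dynamic loader over the target, which is acceptable for a distribution-installed sshd but not for a binary you already distrust; `readelf -d` on sshd and then on libsystemd gives the same DT_NEEDED chain without executing anything, and /proc/PID/maps of a running sshd shows what is actually mapped. And a "backdoor-reachable" verdict only says the hook could have fired; downgrading the package removes the code but does not tell you whether the key holder ever used it, so such hosts need the usual compromise review rather than just a package rollback.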

Response

Remediation

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory recommending that affected systems be downgraded to a previous, uncompromised version.[18] Linux distributions including Red Hat, SUSE, and Debian issued matching advisories and reverted the affected packages to older versions.[13][19][20] GitHub disabled the xz repository and its mirrors, then subsequently restored them.[21][22]

Canonical postponed the beta release of Ubuntu 24.04 LTS and its flavours by a week and opted for a complete binary rebuild of all of the distribution's packages.[23] Stable Ubuntu releases were unaffected, but the 24.04 development branch had already picked up the compromised package. The rebuild was a precaution: Canonical could not guarantee by the original release deadline that the backdoor had not affected additional packages compiled while the compromised liblzma was installed.[24][25]

Broader response

Image: xkcd no. 2347, "Dependency". The comic has been frequently cited by commentators as capturing the predicament of a single unpaid volunteer maintaining a critical, widely depended-upon piece of software.[26][27]

Computer scientist Alex Stamos opined that "this could have been the most widespread and effective backdoor ever planted in any software product", noting that had it remained undetected, it would have "given its creators a master key to any of the hundreds of millions of computers around the world that run SSH".[28] The incident also started a discussion about the viability of having critical pieces of cyberinfrastructure depend on unpaid volunteers.[29]

References

  1. Corbet, Jonathan. "A backdoor in xz". LWN. Archived from the original on 1 April 2024. Retrieved 2 April 2024.
  2. "CVE-2024-3094". National Vulnerability Database. NIST. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
  3. Gatlan, Sergiu. "Red Hat warns of backdoor in XZ tools used by most Linux distros". BleepingComputer. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  4. Akamai Security Intelligence Group (1 April 2024). "XZ Utils Backdoor – Everything You Need to Know, and What You Can Do". Archived from the original on 2 April 2024. Retrieved 2 April 2024.
  5. James, Sam. "xz-utils backdoor situation (CVE-2024-3094)". GitHub. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
  6. Zorz, Zeljka (29 March 2024). "Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)". Help Net Security. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  7. "oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise". www.openwall.com. Archived from the original on 1 April 2024. Retrieved 8 April 2024.
  8. Goodin, Dan (1 April 2024). "What we know about the xz Utils backdoor that almost infected the world". Ars Technica. Archived from the original on 1 April 2024. Retrieved 1 April 2024.
  9. "oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise". www.openwall.com. Archived from the original on 1 April 2024. Retrieved 3 April 2024.
  10. Larabel, Michael. "XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access". Phoronix. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  11. O'Donnell-Welch, Lindsey (29 March 2024). "Red Hat, CISA Warn of XZ Utils Backdoor". Decipher. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  12. Claburn, Thomas. "Malicious backdoor spotted in Linux compression library xz". The Register. Archived from the original on 1 April 2024. Retrieved 1 April 2024.
  13. "Urgent security alert for Fedora 41 and Fedora Rawhide users". Red Hat. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  14. "Watching xz unfold from afar". 31 March 2024. Archived from the original on 6 April 2024. Retrieved 6 April 2024.
  15. "Timeline summary of the backdoor attack on XZ Utils". 3 April 2024. Archived from the original on 10 April 2024. Retrieved 7 April 2024.
  16. Greenberg, Andy. "The Mystery of 'Jia Tan,' the XZ Backdoor Mastermind". Wired. Archived from the original on 3 April 2024. Retrieved 3 April 2024.
  17. Claburn, Thomas. "Malicious xz backdoor reveals fragility of open source". The Register. Archived from the original on 8 April 2024. Retrieved 8 April 2024.
  18. "Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094". CISA. 29 March 2024. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  19. "SUSE addresses supply chain attack against xz compression library". SUSE Communities. SUSE. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  20. Bonaccorso, Salvatore (29 March 2024). "[SECURITY] [DSA 5649-1] xz-utils security update". debian-security-announce (Mailing list). Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  21. Larabel, Michael (29 March 2024). "GitHub Disables The XZ Repository Following Today's Malicious Disclosure". Phoronix. Archived from the original on 31 March 2024. Retrieved 31 March 2024.
  22. "The Git repositories of XZ projects are available on GitHub again". Hacker News. news.ycombinator.com. Archived from the original on 10 April 2024. Retrieved 10 April 2024.
  23. "Noble Numbat Beta delayed (xz/liblzma security update)". Ubuntu Community Hub. 3 April 2024. Archived from the original on 10 April 2024. Retrieved 10 April 2024.
  24. Larabel, Michael. "Ubuntu 24.04 Beta Delayed Due To XZ Nightmare". Phoronix. Archived from the original on 10 April 2024. Retrieved 10 April 2024.
  25. Sneddon, Joey (3 April 2024). "Ubuntu 24.04 Beta Delayed Due to Security Issue". OMG! Ubuntu. Archived from the original on 8 April 2024. Retrieved 10 April 2024.
  26. Masnick, Mike (8 April 2024). "The Story Behind The XZ Backdoor Is Way More Fascinating Than It Should Be". Techdirt. Retrieved 12 April 2024.
  27. Colomé, Jordi Pérez (10 April 2024). "How half-a-second of suspicious activity led an engineer to prevent a massive cyberattack". EL PAÍS English. Retrieved 12 April 2024.
  28. Roose, Kevin. "Did One Guy Just Stop a Huge Cyberattack?". The New York Times. Archived from the original on 4 April 2024. Retrieved 4 April 2024.
  29. Khalid, Amrita (2 April 2024). "How one volunteer stopped a backdoor from exposing Linux systems worldwide". The Verge. Archived from the original on 4 April 2024. Retrieved 4 April 2024.

Notes

  a. The vulnerability was effectively patched within hours of discovery by reverting to a previous version known to be safe.

External links

  • Official website
  • Andres Freund's report to the Openwall oss-security mailing list
