The news that XZ Utils, a compression utility present in most Linux distributions, has been backdoored by a supposedly trusted maintainer has rattled the open-source software community on Friday, mere hours until the beginning of a long weekend for many.
Nearly two days have passed since then. What do we currently know about the entire affair?
The discovery
The backdoor was discovered by Andres Freund, a software engineer at Microsoft, when testing some things on Debian sid (i.e., development) installations and wanting to find out why the SSH logins were using a lot of CPU power and why errors were popping up.
The problem, he found, was in the liblzma data compression library, which is part of the XZ package, and he concluded that “the upstream xz repository and the xz tarballs have been backdoored.”
While noting that he’s not a security researcher nor a reverse engineer, he managed to glean quite a few things during his testing and, more importantly, he reported the issue to Debian and other Linux distros.
The public revelation, followed by Red Hat’s confirmation that some versions of Fedora Linux contain the backdoored versions of XZ libraries, were just the beginning of an avalanche of information and speculation getting published in the following days.
Which Linux distributions have been affected by the backdoored XZ packages?
Before we begin talking about the backdoor: Should you worry that your machine may be compromised?
Red Hat has confirmed that Fedora Rawhide (the current development version of Fedora Linux) and Fedora Linux 40 beta contained affected versions (5.6.0, 5.6.1) of the xz libraries, and that no versions of Red Hat Enterprise Linux (RHEL) are affected.
OpenSUSE maintainers say that openSUSE Tumbleweed and openSUSE MicroOS included an affected xz version between March 7th and March 28th, and have provided advice on what users of those should do. “It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap.”
Debian maintainers announced that “no Debian stable versions are known to be affected”, but that compromised packages were part of the Debian testing, unstable and experimental distributions, and users of those “are urged to update the xz-utils packages.”
Users of Kali Linux that have updated their installation between March 26th to March 29th are affected, OffSec confirmed.
Some Arch Linux virtual machine and container images and an installation medium contained the affected XZ versions.
Ubuntu says that no released versions of Ubuntu were affected by this issue.
Linux Mint is not affected. Gentoo Linux is not affected. Amazon Linux customers are not affected. Alpine Linux – not affected.
Users should follow the guidance provided by the maintainers of their Linux distribution, and there’s a script for checking whether your system uses a backdoored version of the liblzma library.
“Any system that had affected packages installed should be treated as a potential security incident and investigated to determine if the backdoor was used,” notes Bar Kaduri, Research Team Leader at Orca Security.
“At minimum, we recommend [that you] check for any sensitive information or sensitive keys on the machine, rotate any credentials found on the machine or related to the machine, [and] review all the assets that are within the blast radius of the affected machine.”
The XZ backdoor
XZ Utils is a command line tool for compressing/decompressing .xz files.
It has been established that XZ Utils versions 5.6.0 and 5.6.1 have been compromised. The backdoor is in the package’s liblzma library, which is used by sshd (i.e., SSH daemon app) that listens for SSH connections.
Security researchers, open-source maintainers and others have been analyzing the compromised versions and the backdoor, and have published their preliminary findings.
“The backdoor discovered in xz-utils is intricate and indirect, manifesting only under specific conditions. While the full extent of its capabilities is still being investigated, we known it can be triggered by remote unprivileged systems connecting to public SSH ports. This activation can lead to performance issues and potentially compromise system integrity,” security researcher Ofek Haviv pointed out.
Who did it?
XZ Utils was authored by and is still led by Lasse Collin, but the backdoor was introduced by someone that went by “Jia Tan” (JiaT75 on GitHub), who became – over several years, with the help of sock puppet accounts and trust-building via social engineering – a prolific maintainer of the software, and did other things to keep the existence of the backdoor under wraps.
We might never know who the threat actor behind this supply chain attack is, but it is generally agreed by the cybersecurity and OSS community that the protracted, concerted effort made by “Jia Tan” points to an advanced threat actor.
“The backdoor attempt was a very serious one, with a very high bar of knowledge, research, development and tradecraft to reach this far into the Linux ecosystem. Additionally, changes made by the threat actor on Github span multiple years, and include things like introducing functions incompatible with OSS Fuzzer due to outstanding small issues since 2015, then getting OSS Fuzzer to exclude XZ Utils from scanning last year,” researcher Kevin Beaumont noted.
“The backdoor itself is super well put together, and even includes the ability to remotely deactivate and remove the backdoor via a kill command. Several days in, despite global focus, I haven’t seen anybody who has finished reverse engineering it.”
Freund discovered the backdoor by accident and that was an extremely lucky break for the Linux and the wider open-source software community. First and foremost, the backdoor didn’t end up in stable versions of major Linux distributions. But also, this incident is proof that the debate on how to keep crucial open-source projects secure MUST soon result in at least a few practical solutions.