A recent supply chain attack targeted the widely used XZ Utils package, impacting Linux systems running versions 5.6.0 and 5.6.1 [8].

Description

The attacker, known as Jia Tan [4] [7], collaborated with a volunteer developer to introduce a backdoor into the release versions of the package, allowing remote code execution on impacted machines [8]. By gaining maintainer responsibilities through social engineering [7], the attacker bypassed authentication protocols and gained control of victim machines using an SSH certificate. Any machine running the vulnerable package with SSH exposed to the internet is at risk [7]. XZ Utils is an open-source data compression utility used in major Linux distributions such as Fedora [7], Slackware [7], Ubuntu [7], and Debian [6] [7]. This incident underscores how exposed organizations are to the code components they depend on, and the need for stronger security measures for open source software.

A backdoor was discovered in versions 5.6.0 and 5.6.1 of the XZ Utils compression tools [3], affecting Linux distributions [1] [3] [5] [6] [7]. The backdoor allows remote threat actors to bypass sshd authentication and potentially execute code remotely [3]. This vulnerability, assigned CVE-2024-3094 [3] [6], has a critical CVSS score of 10.0 and poses a significant risk to the Linux ecosystem [3]. Various Linux distribution vendors have either patched the issue or were unaffected by it [3]. While no exploitation has been reported yet [3], the availability of proof-of-concept exploit code suggests that threat actors may target this vulnerability in the future [3]. Developer Lasse Collin has adjusted the project's security policies and removed the backdoor from versions 5.6.0 and 5.6.1 of XZ Utils [2]. A clean version of XZ Utils [2], likely to be version 5.8.0 [2], will be released to distinguish it from the infected 5.6.x versions [2]. The compromised versions of xz were discovered before they could reach production environments [2], thanks to a timely discovery by a Microsoft researcher on Good Friday [2]. The attack exploited OpenSSH's indirect use of liblzma [1], with the malicious code hidden in x86_64 object code inside binary test files [1]. Authorities such as CISA and Red Hat have issued alerts urging users to downgrade xz to a safe version to mitigate the risk [6].
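The advice above (identify the installed xz release and downgrade if it is 5.6.0 or 5.6.1, bearing in mind that sshd only reaches liblzma indirectly) can be turned into a simple host check. The script below is an added example written for this page, not code from any of the cited sources. It assumes the real `xz --version` output format (first line `xz (XZ Utils) <version>`) and the standard `ldd` listing format; the sample strings embedded in it are constructed stand-ins for live command output so it runs offline.

```shell
#!/bin/sh
# Added example (not from the cited sources): flag an installed xz/liblzma
# version as one of the backdoored 5.6.0 / 5.6.1 releases, and note whether
# the local sshd loads liblzma (the indirect path, via libsystemd on many
# distributions, through which the backdoor reached OpenSSH).

# Return 0 (true) if the given version string is a backdoored release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
parse_xz_version() {
    printf '%s\n' "$1" | head -n 1 | awk '{print $NF}'
}

# Return 0 (true) if an `ldd` listing for sshd mentions liblzma, i.e. the
# daemon would load the library (directly or through another dependency).
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Combined verdict. Exit status: 0 = exposed (backdoored xz AND sshd loads
# liblzma), 2 = backdoored package installed but sshd does not load it,
# 1 = installed xz is not one of the backdoored releases.
assess() {
    ver=$(parse_xz_version "$1")
    if xz_version_affected "$ver"; then
        if sshd_links_liblzma "$2"; then
            echo "EXPOSED: xz $ver is a backdoored release and sshd loads liblzma; downgrade xz per your vendor advisory"
            return 0
        fi
        echo "AFFECTED PACKAGE: xz $ver is a backdoored release; sshd does not load liblzma here, but downgrade anyway"
        return 2
    fi
    echo "OK: xz $ver is not one of the backdoored releases"
    return 1
}

# Constructed sample inputs standing in for live command output.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_SSHD='	linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000001000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000002000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)'

# Run against the constructed samples. On a real host replace the two
# arguments with "$(xz --version)" and "$(ldd "$(command -v sshd)")".
assess "$SAMPLE_XZ_VERSION" "$SAMPLE_LDD_SSHD"
```

The version check is deliberately an exact match on the two releases named in the advisories rather than a range comparison, so a distribution's patched build that keeps a 5.6.x version string with a vendor suffix would not be misclassified; on such systems, confirm the fix through the package manager's changelog rather than the bare version number.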

Conclusion

Organizations should vet their dependencies [5], improve their response effectiveness [5], and prepare for increased scrutiny of open source components as new regulations and guidelines shape software development practices. Because proof-of-concept exploit code is available, threat actors may target this vulnerability in the future [3]. It is crucial for the Linux community to remain vigilant and prioritize security measures to prevent similar attacks.

References

[1] https://corsha.com/blog/the-xz-utils-backdoor-cve-2024-3094
[2] https://www.techzine.eu/news/security/118633/xz-utils-available-again-on-github-creator-investigates-backdoor/
[3] https://arcticwolf.com/resources/blog/cve-2024-3094/
[4] https://english.elpais.com/technology/2024-04-10/how-half-a-second-of-suspicious-activity-led-an-engineer-to-prevent-a-massive-cyberattack.html
[5] https://www.darkreading.com/application-security/xz-utils-scare-exposes-hard-truths-in-software-security
[6] https://techhyme.com/linux-utility-backdoor-risks-ssh-compromise/
[7] https://any.run/cybersecurity-blog/xz-utils-backdoor/
[8] https://www.offsec.com/offsec/xz-backdoor/