A curious Microsoft engineer has turned up a backdoor in the nearly-ubiquitous open source XZ Utils package that’s set Linux maintainers into a patching frenzy.
Andres Freund, who describes himself on LinkedIn as a “PostgreSQL developer and committer”, investigated an approximately 500ms performance issue with the liblzma library.
His investigation, outlined in a post to Openwall, led him to discover the backdoor, which is deployed by an obfuscated script in the build chain.
The Cybersecurity and Infrastructure Security Agency (CISA) warned the backdoor (CVE-2024-3094) is present in XZ Utils versions 5.6.0 and 5.6.1, and until distributions have it patched, all users should downgrade to a previous package.
The SANS Institute’s Bojan Zdrnja described the backdoor as “amazingly scary”.
And, as Akamai explained, “Currently, it appears as though the backdoor is added to the SSH daemon on the vulnerable machine, enabling a remote attacker to execute arbitrary code.
“This means that any machine with the vulnerable package that exposes SSH to the internet is potentially vulnerable.”
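As an added defender's check (not code from the article, CISA or the XZ project), the POSIX shell script below reports whether the installed xz is one of the two releases CISA named and whether a running sshd has liblzma mapped into it; it assumes a Linux host with /proc and pgrep available.

```shell
#!/bin/sh
# Added defender check, not part of the article: report whether the installed
# xz is one of the two releases CISA named (5.6.0, 5.6.1) and whether a running
# sshd has liblzma mapped. Assumptions: a Linux host with /proc, and `pgrep`.

# Return 0 (true) when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version out of `xz --version` output, whose first line looks like
# "xz (XZ Utils) 5.6.1". Reads stdin so it can be exercised on captured text.
xz_version_from_output() {
    sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when any running sshd process has liblzma mapped into its address
# space (the path the article describes: the payload reaches sshd via liblzma).
sshd_maps_liblzma() {
    for pid in $(pgrep -x sshd 2>/dev/null || true); do
        grep -q liblzma "/proc/$pid/maps" 2>/dev/null && return 0
    done
    return 1
}

main() {
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    if [ -z "$ver" ]; then
        echo "xz not found on PATH; nothing to check"
        return 0
    fi
    if xz_version_affected "$ver"; then
        echo "xz $ver is an affected release (CVE-2024-3094): downgrade per your distribution's advisory"
    else
        echo "xz $ver is not one of the two affected releases"
    fi
    if sshd_maps_liblzma; then
        echo "note: a running sshd has liblzma mapped, so the xz version matters for SSH exposure"
    fi
}

main "$@"
```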
The backdoor was created and inserted into the code by a very patient attacker.
Around two years ago, someone calling themselves “Jia Tan” joined the XZ Utils project, and his contributions led to him receiving commit permissions and eventually release manager rights.
“It seems that as part of the effort to gain these permissions, Jia Tan used an interesting form of social engineering: They used fake accounts to send myriad feature requests and complaints about bugs to pressure the original maintainer, eventually causing the need to add another maintainer to the repository,” Akamai stated.
In 2023, Jia Tan introduced changes – including the backdoor – into XZ Utils version 5.6.0.
Since the story broke on Friday, GitHub has disabled the project’s repository.
“This backdoor almost became one of the most significant intrusion enablers ever — one that would’ve dwarfed the SolarWinds backdoor,” Akamai wrote.
“The attackers were almost able to gain immediate access to any Linux machine running an infected distro, which includes Fedora, Ubuntu, and Debian. Almost.”
Freund’s investigation, Akamai explained, was the only reason the attack was caught.
Advisories have already been issued by most Linux and BSD distributions, including Red Hat, Amazon, Debian, Gentoo, SUSE, NixOS, FreeBSD, Alpine Linux, Arch Linux and Ubuntu, as well as by the Open Source Security Foundation.