Users of the open source XZ Utils data compression library may have narrowly avoided falling victim to a major supply chain attack, after evidence of an apparently intentionally placed backdoor in the code was revealed.
The malicious code, embedded in versions 5.6.0 and 5.6.1 of the library, enabled unauthorised access to affected Linux distributions, and over the past few days has been the subject of alerts from the likes of Red Hat and the US Cybersecurity and Infrastructure Security Agency (CISA).
Red Hat explained that the malicious build interferes with authentication via secure shell (SSH). “Under the right circumstances, this interference could potentially enable a malicious actor to break SSH authentication and gain unauthorised access to the entire system remotely,” it said in its advisory.
According to JFrog, the ultimate goal of the backdoor is to enable a malicious actor to inject code into the OpenSSH server running on the target machine and enable specific remote attackers to send arbitrary payloads via SSH that execute prior to authentication and take over the target.
It has been assigned the designation CVE-2024-3094, and its discovery is credited to Andrew Freund, a Microsoft developer who was led to the code after he spotted failing SSH logins using high central processing unit loads.
The backdoor itself appears to have been introduced to the project in February, but was found by Freund before it was fully deployed in the wild – although some Linux distros, including Red Hat Fedora Linux 40 and Fedora Rawhide, may have received the tainted code already.
Other mainstream distros, including Debian Linux, Kali Linux and SUSE, have issued their own advisories on the matter.
Deeply committed effort
The backdoor seems to have been the work of an individual going by the handle JiaT75 who, according to an extensive investigation by Ars Technica, had made extensive contributions to the XZ Utils project over a number of years.
At face value, the evidence suggests a coordinated and deeply committed effort by JiaT75 to pull the wool over everyone’s eyes. However, little is yet known about this person, and it’s important to note the possibility they may not be the guilty party; they may have been compromised themselves.
Saumitra Das, Qualys vice-president of technology, said the XZ Utils incident had echoes of the infamous SolarWinds-Sunburst incident, with code silently injected to allow remote unauthenticated access.
“It is unclear what the full attack kill chain would be once the attack played out, but such attacks are generally very hard to detect at an early stage,” he said. “These types of incidents further highlight the need for defence in depth to provide for detections at different stages of the kill chain.”
Das additionally noted that shift left testing – generally touted as a means to bolster the integrity of new code – provided insufficient safeguards against the supposed exploit scenario, and nor would it have done any good to observe system behaviour on the network or the endpoint for malicious binaries. Command and control (C2) or other anomalous activities would be needed to have any chance of detecting it, he claimed.
“This … highlights the need for understanding our software supply chain better,” said Das. “SBOM is just the first step telling us about software ingredients. The next step would be to verify the source of those ingredients themselves. The GitHub committer who put this in, how that open source component is maintained and by whom, are all relevant questions we will need to take into account.”
Developers and users are advised to downgrade XZ Utils to an uncompromised version immediately, before undertaking a thorough hunt for any malicious activity.
