Linux just dodged a serious security threat in the form of a mysterious backdoor added to a key library found in many distributions.
The backdoor was found in the XZ Utils library and could have allowed an attacker to compromise SSHD authentication, granting unauthorized access to the entire system remotely. Fortunately, however, it was detected before it became widely incorporated.
XZ is a data compression format present in almost all Linux distributions; it is used to compress large files for transfer and decompress them again on the receiving side.
“With such a widely used library, the severity of this vulnerability represents a threat to the entire Linux ecosystem,” the Kali Linux team explained in an advisory. “Fortunately, this issue was fixed quickly, so the impact was significantly less than it could have been.”
The backdoor is quite complex, according to Akamai's analysis. Instead of being pushed to the public git repository, parts of the backdoor were included only in the release tarballs.
“This caused parts of the backdoor to remain relatively hidden, while still being used during the construction process of dependent projects,” the analysis said.
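The tarball-versus-repository gap described above is something a packager can check mechanically before building. The script below is an added example, not code from the article or from the XZ project: it lists files present in an extracted release tarball that do not exist in the matching git checkout, filtering out the autotools output that legitimately exists only in a tarball. The directory names, the ALLOW pattern and the constructed demo tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): list files that ship in a release
# tarball but are absent from the matching git tag. The xz backdoor hid its
# build-time pieces only in the tarball, so this is the kind of check a
# distribution packager can run before building from a tarball.
# Usage: tarball_only_files <extracted-tarball-dir> <git-checkout-dir>
# Assumptions: both trees are already extracted/checked out; paths are
# compared relative to each root; generated autotools output is expected to
# differ and is filtered by the ALLOW pattern below (adjust per project).

ALLOW='^(configure|Makefile\.in|aclocal\.m4|config\.h\.in|.*/Makefile\.in)$'

list_rel_files() {
    # Print every regular file under $1, relative to $1, sorted for comm(1).
    ( cd "$1" && find . -type f | sed 's#^\./##' | sort )
}

tarball_only_files() {
    tarball_list=$(mktemp)
    git_list=$(mktemp)
    list_rel_files "$1" > "$tarball_list"
    list_rel_files "$2" > "$git_list"
    # comm -23 keeps lines that appear only in the first (tarball) list;
    # grep drops the expected autotools artefacts. grep exits 1 when nothing
    # is left, which is the good case, hence "|| true".
    comm -23 "$tarball_list" "$git_list" | grep -Ev "$ALLOW" || true
    rm -f "$tarball_list" "$git_list"
}

# Constructed demo: a fake git checkout and a fake tarball that carries one
# extra m4 macro file the repository never had.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/git/src" "$DEMO/git/m4" "$DEMO/tarball/src" "$DEMO/tarball/m4"
for d in git tarball; do
    echo 'int main(void){return 0;}' > "$DEMO/$d/src/main.c"
    echo 'AC_DEFUN([X_MACRO],[])'    > "$DEMO/$d/m4/real.m4"
done
echo '#!/bin/sh'                 > "$DEMO/tarball/configure"   # expected autotools output
echo 'AC_DEFUN([INJECTED],[])'   > "$DEMO/tarball/m4/extra.m4" # the suspicious extra file

# Wrapper so the demo result can be checked; prints "m4/extra.m4".
demo_result() { tarball_only_files "$DEMO/tarball" "$DEMO/git"; }

echo "Files only in the tarball (after filtering autotools output):"
demo_result
```

Any path the script prints deserves a manual look: a macro file or build helper that exists only in the tarball is exactly the shape of discrepancy that hid the xz backdoor's build stage.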
It's not clear who added the backdoor to the library or why, but it appears to have been a very sophisticated attempt to introduce malicious code. A developer joined the project, contributed for two years, and took on more responsibilities before that account was used to introduce the malicious code.
In this case, the backdoor was found relatively quickly after another developer spotted some strange behavior in liblzma (part of the xz package) and decided to do some digging.
After publishing their findings online, Linux distributions affected by the backdoor also issued warnings.
OpenSUSE said the openSUSE Tumbleweed and openSUSE MicroOS rolling release distributions included the affected version of the XZ/liblzma library between March 7 and March 28.
Red Hat also revealed that its Fedora Linux 40 beta contained two affected versions of the xz libraries, while Kali Linux was affected between March 26 and March 29.
Meanwhile, Debian said the compromised packages were part of Debian's experimental, unstable and testing distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on February 1, 2024) up to and including 5.6.1-1.
The package has since been reverted to use the upstream 5.4.5 code.
CISA recommended that developers and users downgrade XZ Utils to an uncompromised version, such as XZ Utils 5.4.6 Stable, and hunt for any malicious activity.
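The downgrade-and-check advice above is easy to automate on a single host. The script below is an added example, not code from the article or from CISA: it classifies an xz version string against the upstream release numbers that the public advisories for this incident name as backdoored (5.6.0 and 5.6.1), reads the locally installed version from the `xz --version` banner, and reports whether the local sshd binary links liblzma at all, which is the exposure path the article describes. It assumes the banner format `xz (XZ Utils) X.Y.Z`, that `ldd` is available, and that a distribution revision such as `-1` may trail the upstream version; distribution-specific package ranges, such as the Debian range quoted above, should be checked against that distribution's own advisory.

```shell
#!/bin/sh
# Added example (not from the article or CISA): flag backdoored xz releases
# and check whether sshd on this host loads liblzma.
# Assumptions: `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line;
# `ldd` exists on Linux hosts; a distro revision like "-1" may follow the
# upstream version (e.g. 5.6.1-1).

# Return 0 if the upstream version is a known backdoored release, 1 otherwise.
is_backdoored_xz() {
    v=$(printf '%s\n' "$1" | sed 's/-.*$//')   # 5.6.1-1 -> 5.6.1
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version number from an `xz --version` banner line.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Full local check: installed xz version plus whether sshd links liblzma.
check_local_host() {
    if command -v xz >/dev/null 2>&1; then
        banner=$(xz --version 2>/dev/null | head -n 1)
        ver=$(xz_version_from_banner "$banner")
        if is_backdoored_xz "$ver"; then
            echo "AFFECTED: xz $ver installed; downgrade (e.g. to 5.4.6) and investigate the host"
        else
            echo "xz $ver installed: not a known backdoored release"
        fi
    else
        echo "xz not found on PATH"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || true)
    if [ -z "$sshd_path" ] && [ -x /usr/sbin/sshd ]; then
        sshd_path=/usr/sbin/sshd
    fi
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        # On the affected distributions sshd reached liblzma through libsystemd,
        # so the link appears here even though OpenSSH itself never uses xz.
        if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
            echo "sshd at $sshd_path links liblzma: exposure path exists if xz is backdoored"
        else
            echo "sshd at $sshd_path does not link liblzma"
        fi
    else
        echo "sshd or ldd not found; skipping link check"
    fi
}

check_local_host
```

A host where sshd does not link liblzma is not exposed through the path the article describes even if a backdoored xz is installed, but the downgrade is still warranted because liblzma is loaded by many other programs.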
“This backdoor almost became one of the largest intrusion enablers in history,” Akamai said, because if widely deployed, the flaw would have given attackers access to any Linux machine running an infected distribution.
“This obviously raises a lot of concerns. We were lucky,” Akamai added. “If this backdoor had not been detected by a curious engineer, how long would it have remained active? And perhaps even more worrying: What if this has happened before?”
XZ Utils incident highlights the pros and cons of open source
It's an incident that reflects the complicated nature of open source development and how the actions of a small group of developers can have a huge impact on the entire software supply chain.
The Open Source Security Foundation said situations like this “remind us all to remain vigilant within the open source software ecosystem.”
“Open source is about well-intentioned human beings donating their time and talent to help solve problems, and unfortunately, this can be compromised,” the foundation added.
However, the open nature of open source prevented bad code from getting very far, the foundation noted.
“The nature of open source software allowed this vulnerability to be discovered, reported and addressed in a short period of time thanks to the diligence and oversight of the community.
Beyond that, the way open source packages transition from “experimental” versions to “stable” versions meant that compromised packages were contained in a restricted distribution.”
As many may remember from XKCD, all modern digital infrastructure is supported by maintainers of obscure software projects that few people know about, but everyone trusts.
This latest incident, which many warn could have turned out much, much worse, is just the latest reminder of that.