2024-04-01
Malicious Code Found in xz utils
Both Red Hat and the US Cybersecurity and Infrastructure Security Agency (CISA) have warned of embedded malicious code in xz utils data compression library versions 5.6.0 and 5.6.1. CISA recommends downgrading to an unaffected version of the library. Researcher Andres Freund reported the vulnerability to Openwall on Friday, March 29.
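A quick triage check a defender might run after this advisory, added here as an example rather than anything from the newsletter or the advisories: it classifies an installed xz version against the two releases named above (5.6.0 and 5.6.1) and notes whether the local sshd links liblzma. It assumes `xz`, `ldd` and `sshd` are on PATH; the version banner used in the helper is a constructed sample in the format `xz --version` prints.

```shell
#!/bin/sh
# Added example: triage an xz/liblzma install against the CVE-2024-3094 advisory.

# Returns 0 if the version is one of the two releases the advisory names, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output.
# Constructed sample of that format: "xz (XZ Utils) 5.6.1" on the first line.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Print the liblzma entry from sshd's dynamic dependencies, if any.
# Assumes ldd and sshd exist; prints nothing when sshd does not link liblzma.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || return 1
    ldd "$sshd_path" 2>/dev/null | grep -i liblzma
}

# Human-readable summary for the current host.
report() {
    banner=$(xz --version 2>/dev/null) || { echo "xz not installed"; return 0; }
    ver=$(xz_version_from_banner "$banner")
    if xz_version_affected "$ver"; then
        echo "AFFECTED: xz $ver is a version named in the CVE-2024-3094 advisory; downgrade"
    else
        echo "xz $ver is not among the advisory's affected versions"
    fi
    if lib=$(sshd_links_liblzma); then
        echo "sshd links liblzma: $lib"
    fi
}

# Run the host check only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    report
fi
```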
Editor's Note
Luckily, this can be classified as a win for the good guys. But the danger to the supply chain is real. Not only was the backdoor very unique and sophisticated, but it was supported by a long-term social engineering campaign at least as complex as the backdoor itself. Take a minute this week, and send a thank-you note to an open source project that made a difference for you this week.
Johannes Ullrich
This incident brings strong echoes of Ken Thompson's famous paper, “Reflections on Trusting Trust”. If you have not read it, I strongly recommend you do. https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
Brian Honan
This attack would have been highly effective if not for an engineer’s curious mind. Of note is the use of an advanced cryptographic scheme that ensures only they can use the bug for attack – a level of sophistication often found in nation-state backed operations. While the focus will be on the integrity of open-source software, it’s also a reminder for product vendors and the security controls they have in place for software configuration management.
Curtis Dukes
APT-class actors have discovered the potential efficiency of the supply chain. We must hold suppliers accountable for shipping malicious code. Open source is an easy target and a big risk. At a minimum, we should require open source contributors to sign their work and include an SBOM for any code that they reuse.
William Hugh Murray
What makes this one different is the sophistication and the targeting. This hidden code only appeared on compilation through an M4 macro and within the test trees. This requires a high degree of understanding of how to manipulate compiled binaries in systems. It appears that this was targeting xz’s use in SSH on specific systems. This would be a very innocuous and hard-to-understand backdoor in one of the most critical and trusted secure protocols that we rely on.
Moses Frost
Read more in
NVD: CVE-2024-3094 Detail
Openwall: backdoor in upstream xz/liblzma leading to ssh server compromise
Red Hat: CVE-2024-3094
RedHat: Urgent security alert for Fedora Linux 40 and Fedora Rawhide users
CISA: Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094
Nextgov: CISA sounds alarm on deep-seated vulnerability in Linux tool
Ars Technica: What we know about the xz Utils backdoor that almost infected the world
SC Magazine: Backdoor in utility commonly used by Linux distros risks SSH compromise
The Record: Malicious backdoor code embedded in popular Linux tool, CISA and Red Hat warn
The Register: Malicious SSH backdoor sneaks into xz, Linux world's data compression library