
xz backdoor shows how vulnerable open-source is to hackers playing the long game


A backdoor in the Linux compression tool xz shows how vulnerable open-source projects are to multi-year infiltration by “trusted” contributors. In this case, the culprits added malicious code after the original maintainer appeared to neglect the project, at which point a seemingly competent successor was ready to take the helm.

Just as many companies and media outlets were heading into the Easter weekend, a Microsoft engineer discovered a backdoor in the release tarballs (source archives) of versions 5.6.0 and 5.6.1 of the xz compression tool for Linux. The tool shrinks files, data streams and archives considerably. The find was initially reported as an “SSH backdoor,” but the malicious code actually sits in xz itself; sshd is merely its target.

This widely used compression library is pulled in by many packages, and on some distributions indirectly by sshd. The fact that so many packages use functionality from xz Utils (which contains xz, the liblzma library and a suite of related utilities) makes the backdoor potentially dangerous.

The backdoor was found while investigating unusual sshd performance issues (logins taking noticeably longer than they should) and valgrind errors. The injected code tampered with liblzma, the compression library that is part of xz Utils. It got in through subtle changes to the build scripts shipped in the release tarballs, which at build time unpacked the payload from files disguised as test data.


Malicious code via SSH login process

The backdoor could give an attacker unauthorized access to the entire system: once loaded into sshd, the server side of SSH that is used to establish secure connections to other devices, the modified liblzma hooks into the login (authentication) process.

Upstream OpenSSH, the most widely used sshd implementation, does not link against liblzma at all. On several Linux distributions (such as Debian), however, sshd is patched to link against libsystemd, the library of the system manager systemd, which in turn depends on liblzma. That distribution patch is what brings the backdoored library into the sshd process.
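The dependency chain above (sshd to libsystemd to liblzma) is something an administrator can check on a host in seconds. The script below is an added example written for this article, not code from the article or from the xz project. It combines two signals: the xz version string and whether liblzma appears in sshd's resolved library list. The function names, the XZ_CHECK_LIVE switch and the sample inputs are assumptions; the sample `xz --version` and `ldd` output is constructed to look like an affected Debian-style host.

```shell
#!/bin/sh
# Added example (not from the article or the xz project): quick triage of whether
# a host has the backdoored xz release and whether its sshd can reach liblzma.
# Function names, the XZ_CHECK_LIVE switch and the sample inputs are assumptions.

# The two releases whose tarballs carried the backdoor.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF; exit }'
}

# ldd(1) resolves the full dependency tree, so if a Debian-style patch links
# sshd to libsystemd, liblzma shows up here even though OpenSSH never asks for it.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both signals. "EXPOSED" means the malicious liblzma would be loaded
# into sshd; "AFFECTED_XZ_ONLY" still needs a downgrade, but sshd is not the
# vector; "OK" only says the version string is not 5.6.0/5.6.1, nothing more.
assess_host() {
    ver=$(xz_version_from_output "$1")
    if xz_version_affected "$ver"; then
        if sshd_links_liblzma "$2"; then
            echo EXPOSED
        else
            echo AFFECTED_XZ_ONLY
        fi
    else
        echo OK
    fi
}

# Constructed sample inputs: what an affected Debian-style host would show.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_SSHD='	linux-vdso.so.1 (0x00007ffc4c1d6000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c3a200000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c3a1c0000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c39c00000)'

# Runs against the constructed sample by default; set XZ_CHECK_LIVE=1 to
# query the real xz binary and sshd on this host instead.
if [ "${XZ_CHECK_LIVE:-0}" = 1 ]; then
    sshd_path=$(command -v sshd || echo /usr/sbin/sshd)
    assess_host "$(xz --version 2>/dev/null)" "$(ldd "$sshd_path" 2>/dev/null)"
else
    assess_host "$SAMPLE_XZ_VERSION" "$SAMPLE_LDD_SSHD"
fi
```

Treat the result as triage, not proof: the version string can be rebuilt by a distribution with the payload removed, and an "OK" says nothing about a binary that was tampered with some other way. The ldd check only shows that liblzma is reachable from sshd, which is the precondition the backdoor relies on.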

The backdoor reached xz over several commits, with parts of it present only in the release tarballs and not in the git repository, presumably to evade review. According to The Register, that indicates a prolonged, deliberate attempt to compromise the project.
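The tarball-versus-repository discrepancy is the kind of thing a packager can make visible mechanically. The script below is an added example, not code from the article or the xz project: it lists the files that exist in an unpacked release tarball but not in the matching git checkout, so each extra file can be reviewed against where it claims to come from. In the xz case the extra file that mattered was the build macro m4/build-to-host.m4, which was absent from git. The function names and the demo directory trees are assumptions; the demo trees are constructed to mimic the shape of that discrepancy.

```shell
#!/bin/sh
# Added example (not from the article or the xz project): list files that exist
# in an unpacked release tarball but not in the matching git checkout, so a
# packager can review exactly what a release adds on top of the repository.
# Function names and the demo trees are assumptions.

# Print relative paths of regular files present under $1 (tarball) but not
# under $2 (git checkout). Generated autotools files such as configure are
# expected here; the point is to review each extra file against its claimed
# origin (gnulib for m4 macros) rather than to trust the list as harmless.
tarball_only_files() {
    t=$(mktemp) || return 1
    g=$(mktemp) || { rm -f "$t"; return 1; }
    (cd "$1" && find . -type f | sed 's|^\./||' | sort) > "$t"
    (cd "$2" && find . -type f ! -path './.git/*' | sed 's|^\./||' | sort) > "$g"
    comm -23 "$t" "$g"          # lines only in the first (tarball) list
    rm -f "$t" "$g"
}

# Constructed demo trees: the git side has the sources and a stock m4 macro;
# the tarball side additionally carries a generated configure script and an
# m4 file that nobody ever committed. Prints the temporary root directory.
make_demo_trees() {
    root=$(mktemp -d) || return 1
    for side in tarball git; do
        mkdir -p "$root/$side/m4" "$root/$side/src/liblzma"
        : > "$root/$side/src/liblzma/lzma.c"
        : > "$root/$side/m4/ax_pthread.m4"
    done
    mkdir -p "$root/git/.git" && : > "$root/git/.git/HEAD"
    : > "$root/tarball/configure"
    : > "$root/tarball/m4/build-to-host.m4"
    printf '%s\n' "$root"
}

if [ "$#" -eq 2 ]; then
    # Real use: ./tarball-vs-git.sh xz-5.6.1/ xz-checkout-at-v5.6.1/
    tarball_only_files "$1" "$2"
else
    root=$(make_demo_trees)
    tarball_only_files "$root/tarball" "$root/git"
    rm -rf "$root"
fi
```

On the demo trees the output is `configure` and `m4/build-to-host.m4`. The list is deliberately unfiltered: a generated `configure` is normal for an autotools release, but an m4 macro that does not match its upstream copy is exactly what this check is meant to surface, so every entry gets a diff against its source of truth.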

Pressure applied to Linux distributors

The perpetrator or group behind the backdoor (operating under the name “Jia Tan”) made changes to the xz project over more than two years. Along the way, they pressured Linux distributions to ship the compromised versions of xz, presenting them as releases with new features and fixes.

Security Boulevard reports that additions or changes to the code were sometimes logged as “test enhancements,” again to stay under the radar: the binary test files actually carried the malicious payload. A machine that runs an sshd build linked to the backdoored xz and exposes it to the Internet risks executing that code, which would let the attackers take over computers or servers remotely.

Ultimately, versions 5.6.0 and 5.6.1 of xz made it into only a few Linux distributions, mostly development, testing or rolling-release editions that are not widely deployed in production. Most production releases of major distributions ship an earlier version that does not contain the backdoor.

Vulnerability due to dependencies

Still, the timely discovery of the backdoor spared most of the Linux ecosystem a serious security problem. Within weeks or months, the latest version of xz would have reached production environments.

The incident highlights the risk of building in dependencies and features that are not necessary for standard operation, as in the case of the distribution patch that links sshd with the system manager systemd.

That coupling lets sshd notify systemd when it has finished starting up, which sounds harmless in itself. But such dependencies expose applications to vulnerabilities in third-party libraries, which can complicate patching and increase the attack surface.

Creator of the xz tool was manipulated

Another risk is that Linux users often rely on tools and libraries maintained by individuals or hobbyists, who may quit or neglect their projects for any number of reasons. In other words, there is no guarantee the software will keep being maintained.

In the case of xz, other users, possibly linked to the bad actor, manipulated the tool's creator into passing the baton. He reportedly suffers from health problems.

The mysterious Jia Tan, active on GitHub since 2021, positioned themselves as a possible successor. By then, Jia Tan had already made several contributions and gained the appearance of legitimacy through endorsements from other accounts. Software developer Rob Mensching reconstructed this process from a series of archived e-mail conversations.

Hijacked for their own purposes

The discovery of a backdoor in this widely used open-source component highlights how vulnerable software supply chains are, with their many transitive dependencies, and how patiently malicious actors can infiltrate critical infrastructure by exploiting them.

In this case, the bad actors exploited the expectation that applications should receive new functionality from time to time (on top of essential security updates). When that did not happen for a while, the creator was pressured to pass the torch, preferably to someone who had already proven themselves as a contributor to the project. This gave the attackers the opportunity to hijack the project for their own purposes.
