
XZ Utils backdoor: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted / Content added

Edit summaries:
Add 5.6.1 as an affected version.
→Background: Per talk, source does not say they were sockpuppets, and given the speculation it's unclear if they are

Line 29, previous revision:
A subsequent investigation found that the backdoor was a culmination of approximately three years of effort by a user going by the name Jia Tan and the nickname JiaT75, who appears to have made a concentrated effort to gain access to a position of trust within the xz project, by putting pressure on the head maintainer to step down and hand over the control of the project through the use of [[Sock puppet account|sockpuppets]].<ref name="ars-what-we-know"></ref>

Line 29, this revision:
A subsequent investigation found that the backdoor was a culmination of approximately three years of effort by a user going by the name Jia Tan and the nickname JiaT75, who gained access to a position of trust within the xz project, after a period of pressure on the head maintainer to hand over the control of the project through other new participants.<ref name="ars-what-we-know"></ref>

Revision as of 14:24, 3 April 2024

XZ Utils backdoor
CVE identifier(s): CVE-2024-3094
Date discovered: 29 March 2024
Discoverer: Andres Freund
Affected software: xz / liblzma library
Website: tukaani.org/xz-backdoor/

On 29 March 2024, software developer Andres Freund announced that he had found a maliciously introduced backdoor in the Linux utility xz, within its liblzma library, in versions 5.6.0 and 5.6.1, released in February and March 2024.[1] xz is shipped as part of most Linux distributions, although the backdoored versions were not yet widely deployed at the time of discovery.[2] The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution on affected Linux systems. It has been assigned a CVSS score of 10.0, the highest possible score.[3][4][5]

Background

PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid.[6] Freund noticed that SSH connections were consuming an unexpectedly high amount of CPU time and that sshd was triggering errors in Valgrind, a memory debugging tool.[7] Freund reported his finding to the Openwall Project's oss-security mailing list,[8] which brought it to the attention of software vendors.[7] The attacker made evident efforts to obfuscate the code:[9][10] the backdoor consists of multiple stages that act together.[11]

Once a compromised version is installed on a system where OpenSSH's sshd has been patched to link against libsystemd, which loads liblzma into the sshd process, the backdoor alters the behavior of the SSH server daemon, allowing the attacker to gain the same level of access as any authorized administrator.[11][7] According to the analysis by Red Hat, the backdoor can "enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".[12]

A subsequent investigation found that the backdoor was the culmination of approximately three years of effort by a user going by the name Jia Tan and the nickname JiaT75, who gained a position of trust within the xz project after a period in which other new participants pressured the head maintainer to hand over control of the project.[7]

Mechanism

The malicious code is known to be present in the 5.6.0 and 5.6.1 releases of the XZ Utils software package. The backdoor remains dormant unless the SSH server has been built with a specific third-party patch. Under the right circumstances this interference could enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.[12]

The malicious mechanism consists of two compressed test files that contain the malicious binary code. These files are present in the git repository, but remain inert unless extracted and injected into the library during the build.[5] The injected code abuses the glibc IFUNC (indirect function) mechanism, which lets a library run a "resolver" routine while the dynamic loader is still applying relocations, to gain execution inside whatever process loads liblzma; from there it replaces the OpenSSL function RSA_public_decrypt, which sshd uses to verify RSA signatures, with a malicious version. The replacement inspects the RSA public key presented by a connecting client and acts only on a payload signed with the attacker's Ed448 private key, so ordinary clients cannot trigger it. OpenSSH normally does not load liblzma, but a common third-party patch used by several Linux distributions makes sshd link against libsystemd, which in turn loads liblzma.[5]

A modified version of build-to-host.m4 was included in the release tarballs uploaded to GitHub; it extracts a script from the test files that performs the actual injection into liblzma. The modified m4 file was not present in the git repository; it was only available from the tarballs released by the maintainer separately from git.[5] The script appears to perform the injection only when the library is built on an x86-64 Linux system using glibc and GCC, and only as part of a dpkg or rpm package build.[5]
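The load-time hook described above, as an added example that is not part of the article or of xz's own code: a benign glibc IFUNC whose resolver runs while the dynamic loader applies relocations, before any ELF constructor and before main(). It assumes GCC or Clang on a glibc-based Linux system (the same environment the injection targeted; the ifunc attribute is unavailable on musl and non-ELF targets). The CRC-32 routines and the names crc32_ieee, resolve_crc32, ifunc_resolved_before_constructors and crc32_implementations_agree are illustrative, not liblzma's.

```c
/*
 * Added example: a benign glibc IFUNC (indirect function), the mechanism the
 * xz backdoor abused to run code inside sshd at dynamic-link time.
 *
 * An IFUNC symbol is bound not to a fixed implementation but to a "resolver"
 * that the dynamic loader calls while applying the symbol's IRELATIVE
 * relocation. Whatever the resolver returns becomes the target of every call
 * to the symbol. The resolver therefore runs before main() and before any
 * ELF constructor, with the loading process's full privileges, which is why
 * a resolver planted in liblzma's crc32/crc64 code could hook sshd.
 *
 * Illustrative code, not xz's CRC routines. Assumes GCC or Clang on glibc.
 */
#include <stddef.h>
#include <stdint.h>

typedef uint32_t (*crc32_fn)(const void *, size_t);

/* Order-of-execution evidence, filled in as the program starts up. */
static int resolver_calls = 0;          /* incremented by the IFUNC resolver */
static int resolver_calls_at_ctor = -1; /* snapshot taken by a constructor  */

/* Reference implementation: CRC-32 (IEEE 802.3, reflected), one bit at a time. */
static uint32_t crc32_bitwise(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Table-driven variant; the table is built by the resolver at load time. */
static uint32_t crc32_table_data[256];

static void crc32_build_table(void)
{
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int b = 0; b < 8; b++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
        crc32_table_data[n] = c;
    }
}

static uint32_t crc32_table(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        crc = crc32_table_data[(crc ^ p[i]) & 0xFFu] ^ (crc >> 8);
    return ~crc;
}

/*
 * The resolver. ld.so calls this during library load. A legitimate resolver
 * only selects an implementation (here: builds the table, returns the table
 * variant); the xz payload instead used this moment to locate and patch
 * sshd's RSA_public_decrypt. Keep real resolvers minimal: libc may not be
 * fully initialised when they run, so avoid malloc, I/O and library calls.
 */
static crc32_fn resolve_crc32(void)
{
    resolver_calls++;
    crc32_build_table();
    return crc32_table;
}

/* The IFUNC symbol: callers see an ordinary function. */
uint32_t crc32_ieee(const void *buf, size_t len)
    __attribute__((ifunc("resolve_crc32")));

/* ELF constructors run after relocation but before main(); the snapshot
 * shows the resolver had already fired by then. */
__attribute__((constructor)) static void snapshot_resolver_state(void)
{
    resolver_calls_at_ctor = resolver_calls;
}

/* 1 if the resolver ran exactly once, and did so before any constructor. */
int ifunc_resolved_before_constructors(void)
{
    return resolver_calls == 1 && resolver_calls_at_ctor == 1;
}

/* Cross-check the dispatched implementation against the bitwise reference. */
int crc32_implementations_agree(const void *buf, size_t len)
{
    return crc32_ieee(buf, len) == crc32_bitwise(buf, len);
}
```

The property that ifunc_resolved_before_constructors exposes, that the resolver has already run by the time the first constructor executes, is what made the backdoor effective: by the time sshd reaches main(), the hook on RSA_public_decrypt is already in place. It is also the auditing lead: a resolver that does anything beyond choosing between implementations, such as resolving symbols in other libraries or writing to their GOT, has no legitimate reason to exist.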

Response

The Cybersecurity and Infrastructure Security Agency (CISA), the US federal agency responsible for cyber security and infrastructure, issued a security advisory recommending that affected systems be downgraded to a previous, uncompromised version of xz.[13] Linux distributions including Red Hat,[12] SUSE,[14] and Debian[15] issued advisories in line with CISA's and reverted the affected packages to older versions.[citation needed] GitHub disabled the xz repository.[16]

References

  1. Corbet, Jonathan. "A backdoor in xz". LWN. Retrieved 2 April 2024.
  2. "CVE-2024-3094". National Vulnerability Database. NIST. Retrieved 2 April 2024.
  3. Gatlan, Sergiu. "Red Hat warns of backdoor in XZ tools used by most Linux distros". BleepingComputer. Retrieved 29 March 2024.
  4. Akamai Security Intelligence Group (1 April 2024). "XZ Utils Backdoor – Everything You Need to Know, and What You Can Do".
  5. James, Sam. "xz-utils backdoor situation (CVE-2024-3094)". GitHub. Retrieved 2 April 2024.
  6. Zorz, Zeljka (29 March 2024). "Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)". Help Net Security. Retrieved 29 March 2024.
  7. Goodin, Dan (1 April 2024). "What we know about the xz Utils backdoor that almost infected the world". Ars Technica. Retrieved 1 April 2024.
  8. "oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise". www.openwall.com. Retrieved 3 April 2024.
  9. Larabel, Michael. "XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access". Phoronix. Retrieved 29 March 2024.
  10. O'Donnell-Welch, Lindsey (29 March 2024). "Red Hat, CISA Warn of XZ Utils Backdoor". Decipher. Retrieved 29 March 2024.
  11. Claburn, Thomas. "Malicious backdoor spotted in Linux compression library xz". The Register. Retrieved 1 April 2024.
  12. "Urgent security alert for Fedora 41 and Fedora Rawhide users". Red Hat. Retrieved 29 March 2024.
  13. "Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094". CISA. 29 March 2024. Retrieved 29 March 2024.
  14. "SUSE addresses supply chain attack against xz compression library". SUSE Communities. SUSE. Retrieved 29 March 2024.
  15. Bonaccorso, Salvatore (29 March 2024). "[SECURITY] [DSA 5649-1] xz-utils security update". debian-security-announce (Mailing list). Retrieved 29 March 2024.
  16. Larabel, Michael (29 March 2024). "GitHub Disables The XZ Repository Following Today's Malicious Disclosure". Phoronix. Retrieved 31 March 2024.