Vendors have issued urgent warnings for users to immediately stop using development and experimental versions of Fedora and Debian, as well as certain versions of Kali Linux and openSUSE due to the discovery of a backdoor in the XZ Utils data compression tools and libraries used by the operating systems.
The issue, designated CVE-2024-3094 and assigned the highest criticality rating of 10, was discovered almost by chance due to the keen eye of a security researcher investigating performance issues associated with a Debian deployment. While trying to understand why SSH logins were consuming too many CPU cycles, the researcher tracked the problem to a backdoor placed in updates made to XZ Utils.
Fortunately, he promptly reported the issue, thwarting what could have been a massive security breach had the backdoor eventually been released in stable versions.
Analysis of the backdoor revealed that a threat actor holding the predetermined encryption key could log in over SSH to a backdoored system, giving them remote administrator-level control over the machine. The backdoor is implemented via a five-stage loader that leverages a series of techniques to hide itself. It also includes the capability to deliver new payloads without making major changes.
Researchers have traced the changes to XZ Utils to a GitHub user Jia Tan, who first began making commits to XZ Utils in 2023, and in other projects since 2021.
In February 2024, Tan made commits to versions 5.6.0 and 5.6.1 which implemented the backdoor. In the weeks following, Tan and other users requested developers of Ubuntu, Red Hat, and Debian to merge the now trojanized version of XZ Utils into their OSs, ultimately leading to CVE-2024-3094.
While no patch for the issue is currently available, users of affected versions of the Linux-based operating systems have been warned to downgrade to stable versions or switch to non-experimental/development instances. Users of affected versions are also encouraged to check for signs of compromise.
Source: Ars Technica
Analysis
The ramifications of this supply-chain attack could have been extremely significant had the backdoor made it into non-experimental deployments of the affected OSs. Linux-based OSs are often used to run servers as they are considerably more lightweight than their Windows counterparts and, often more importantly, free.
Had the backdoor made it in, it would have provided threat actors with admin-level access to thousands of machines, which could enable ransomware, data exfiltration, and adversary-in-the-middle attacks.
Typically, the benefits of open-source software, such as Linux-based operating systems, are that many individuals contribute to and review the code, enhancing the software's performance and minimizing the chance of vulnerabilities or malicious code making it into a deployment. However, in this case, it appears that the threat actor and his accomplices were able to take control of the project and thereby minimize code review opportunities.
The Jia Tan GitHub account and other accounts associated with the XZ Utils project have been suspended. More incidents will likely be discovered as cybersecurity researchers and authorities continue to investigate.
Image 1: Suspension of GitHub account associated with Jia Tan. (Source: GitHub)
Mitigation
Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software, appliances, and operating systems. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users were automatically notified if vulnerable versions of XZ Utils were detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.
Field Effect strongly encourages all other users of the affected OSs to either update to the latest stable version or downgrade to the non-backdoored versions of the experimental deployments as soon as possible.
If administrators are unsure which versions of XZ Utils are installed on their deployment, the following script can be used to determine the version without running the potentially backdoored executable:
for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "No match found for $xz_p"; done
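The one-liner above only prints the version banner; an administrator still has to compare it by eye against the backdoored releases named earlier in the post (5.6.0 and 5.6.1). The script below is an added example, not part of the original post or of Field Effect's tooling: it reads each binary as data (grep -a, never executing it), extracts the "xz (XZ Utils) X.Y.Z" banner, and classifies the file as backdoored, clean, or unknown. The sample file it creates at the end is constructed for demonstration and is not a real xz binary; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: classify xz binaries by their embedded version banner
# without running them. Assumes GNU grep (for -a/-o) and awk.

# Pull the "xz (XZ Utils) X.Y.Z" banner out of a file treated as plain data.
# Prints the version only (e.g. "5.6.1") or nothing if no banner is found.
xz_version_from_file() {
    grep -a -o 'xz (XZ Utils) [0-9][0-9.]*' "$1" 2>/dev/null \
        | head -n 1 | awk '{print $NF}'
}

# Known-backdoored releases as named in the post (CVE-2024-3094).
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Report one of: backdoored | clean | unknown for a single file.
check_xz_binary() {
    ver=$(xz_version_from_file "$1")
    if [ -z "$ver" ]; then
        echo "unknown"          # no banner: cannot judge from the string alone
    elif is_backdoored_version "$ver"; then
        echo "backdoored"
    else
        echo "clean"
    fi
}

# Walk every xz on PATH, mirroring the post's type -a loop, and label each.
scan_path_xz() {
    for xz_p in $(type -a xz 2>/dev/null | awk '{print $NF}' | uniq); do
        printf '%s %s\n' "$xz_p" "$(check_xz_binary "$xz_p")"
    done
}

# Constructed sample "binary": NUL-separated junk around a banner, so the
# example can be exercised offline. Not a real ELF file.
make_sample_binary() {
    printf 'ELF-junk\0\0xz (XZ Utils) %s\0trailing\0' "$2" > "$1"
}

sample=$(mktemp)
make_sample_binary "$sample" "5.6.1"
printf '%s %s\n' "$sample" "$(check_xz_binary "$sample")"   # constructed sample, labelled backdoored
rm -f "$sample"
```

Run scan_path_xz on a host to label every xz found on PATH. A version banner is only a first-pass indicator: it identifies the trojanized 5.6.0/5.6.1 releases the post describes, but a binary whose banner has been altered or a liblzma loaded by sshd outside PATH will not be caught this way, so the post's advice to check for other signs of compromise still applies.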