Monday, April 1st 2024
Researcher's Curiosity Uncovers Backdoor in Popular Linux Utility, Compromising SSH Connections
In an interesting discovery that sent shockwaves through the Linux community, Andres Freund, Principal Software Engineer at Microsoft, located a malicious backdoor in the widely used compression tool "xz Utils." The backdoor, introduced in versions 5.6.0 and 5.6.1 of the utility, can break the robust encryption provided by the Secure Shell (SSH) protocol, allowing unauthorized access to affected systems. Freund noticed that SSH on a system running the latest version of xz Utils was taking 0.5 seconds, while a system with the older version took 0.1 seconds for the same simple processing, which prompted him to investigate and later issue a widespread call for caution. While there are no confirmed reports of the backdoored versions being incorporated into production releases of major Linux distributions, the incident has raised serious concerns among users and developers alike.
Red Hat and Debian, two of the most well-known Linux distribution developers, have reported that their recently published beta releases, including Fedora 40, Fedora Rawhide, and Debian testing, unstable, and experimental distributions, used at least one of the affected versions of xz Utils. According to Red Hat officials, the first signs of the backdoor were introduced in a February 23 update, which added obfuscated (unreadable) code to xz Utils. A subsequent update the following day introduced functions for deobfuscating the code and injecting it into code libraries during the utility's build process. The malicious code has been cleverly hidden only in the tarballs, which target upstream releases of Linux distributions.
The backdoor is specifically designed to interfere with the authentication process performed by SSH, a critical protocol used for secure remote connections to systems. By breaking the encryption provided by SSH, the backdoor allows malicious actors to gain unauthorized access to the entire system, potentially compromising sensitive data and resources. Users of affected distributions are advised to exercise caution and apply any available patches or updates as soon as possible to mitigate the risk of exploitation. As the investigation into this security breach continues, the incident is a stark reminder of the importance of vigilance and regular security audits, even in the open-source software ecosystem. The Linux community is and must remain proactive in identifying and addressing such threats to ensure the integrity and security of the Linux-based systems that power today's modern infrastructure.
Sources:
OpenWall Post by Andres Freund, via Ars Technica
14 Comments on Researcher's Curiosity Uncovers Backdoor in Popular Linux Utility, Compromising SSH Connections
Basically the bad actor was active on this repo for a year... he has hundreds of contributions... including for Microsoft Visual Studio... The impact could be grand.
www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users Edit: interesting addition, seems like even the downgrade is compromised.
tukaani.org/xz-backdoor/ Also at least 3 days late.
Here's a good write-up in understandable language about how the malicious code operates. There is even speculation about him acting under multiple names... a whole drama with popcorn.
gynvael.coldwind.pl/?lang=en&id=782
And a pic... don't make jokes about the font the dude used.
Well, that's a shame anyone still uses xz instead of the superior zstd.
[ Ubuntu RISC-V images ]
cdimage.ubuntu.com/releases/22.04.3/release/ubuntu-22.04.3-preinstalled-server-riscv64+unmatched.img.xz
cdimage.ubuntu.com/releases/22.04.2/release/ubuntu-22.04.2-preinstalled-server-riscv64+unmatched.img.xz
[ Fedora RISC-V images ]
dl.fedoraproject.org/pub/alt/risc-v/repo/virt-builder-images/images/Fedora-Developer-Rawhide-20200108.n.0-sda.raw.xz
dl.fedoraproject.org/pub/alt/risc-v/repo/virt-builder-images/images/Fedora-Minimal-Rawhide-20200108.n.0-sda.raw.xz
[ OpenSBI installs ]
github.com/riscv-software-src/opensbi/releases/download/v1.2/opensbi-1.2-rv-bin.tar.xz
github.com/riscv-software-src/opensbi/releases/download/v1.1/opensbi-1.1-rv-bin.tar.xz
github.com/riscv-software-src/opensbi/releases/download/v1.0/opensbi-1.0-rv-bin.tar.xz
[ Linux aarch64 hosted compilers and tools ]
ampere-9.3.0-20200410-nativetools.tar.xz
ampere-9.3.0-20200410-dynamic-nativetools.tar.xz
[ AMDGPU-Pro Beta Mining Driver version 17.40 for Linux ]
www2.ati.com/drivers/linux/beta/ubuntu/amdgpu-pro-17.40-483984.tar.xz
www2.ati.com/drivers/linux/beta/rhel/amdgpu-pro-17.40-483984.tar.xz
I would also ask why liblzma can take over an ssh server process ... seems like some kind of hardening is missing here (ideally).
edit: a proof-of-concept exploit was shown for libarchive: jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/
## Ubuntu Server 20.04 for RISC-V ( with Desktop UI Manager )
root@ubuntu:~# xz --version
xz (XZ Utils) 5.2.4
liblzma 5.2.4
## Ubuntu Server 20.04 for RISC-V ( without Desktop UI Manager )
root@ubuntu:~# xz --version
xz (XZ Utils) 5.2.4
liblzma 5.2.4
## Debian Server 13.2.0 for RISC-V ( without Desktop UI Manager )
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Attention
!!! XZ Utility Affected!
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
root@debian:~# xz --version
xz (XZ Utils) 5.6.0
liblzma 5.6.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Attention
!!! XZ Utility Manually Downgraded
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
root@debian:~# xz --version
xz (XZ Utils) 5.4.5
liblzma 5.4.5
## Fedora Server 33 for RISC-V ( without Desktop UI Manager )
root@fedora-riscv:~# xz --version
xz (XZ Utils) 5.2.5
liblzma 5.2.5
## Ubuntu Desktop 16.04 LTS for x86 64-bit ( for Xilinx FPGA R&Ds )
ubuntu@ubuntu-vm:~$ xz --version
xz (XZ Utils) 5.1.0alpha
liblzma 5.1.0alpha
## Ubuntu Desktop 18.04 LTS for x86 64-bit
ubuntu@ubuntu-vm:~$ xz --version
xz (XZ Utils) 5.2.2
liblzma 5.2.2
## Ubuntu Desktop 20.04 LTS for x86 64-bit
ubuntu@ubuntu-vm:~$ xz --version
xz (XZ Utils) 5.2.4
liblzma 5.2.4
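The survey above checks `xz --version` host by host; the script below, added here and not part of the article or of any comment, does the same check automatically. It parses `xz --version` output of the form posted above, flags the 5.6.0 and 5.6.1 releases the report names, and answers the question raised earlier in the thread about liblzma reaching the SSH server by reporting whether the local sshd binary links liblzma at all (on distributions that patch sshd to link libsystemd, liblzma is pulled in as a transitive dependency). The function names, the classification labels and the host-inspection `main` are this example's own; the sample version strings in the comments are the ones posted in the thread.

```shell
#!/bin/sh
# Added example: version triage for the xz Utils backdoor (not the article's code).

# Read `xz --version` output on stdin and print the liblzma version.
# Input looks like (as posted in the thread):
#   xz (XZ Utils) 5.6.0
#   liblzma 5.6.0
parse_liblzma_version() {
    awk '$1 == "liblzma" { print $2; exit }'
}

# Return 0 (true) when the version is one of the backdoored releases
# named in the report: 5.6.0 and 5.6.1.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Classify a version string as AFFECTED, OK, or UNKNOWN (empty input,
# e.g. xz not installed). Labels are this example's own.
classify_version() {
    v="$1"
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif is_affected_version "$v"; then
        echo AFFECTED
    else
        echo OK
    fi
}

# Print yes/no/unknown: does the sshd binary (directly or via its
# dependencies, as resolved by ldd) link liblzma? An optional argument
# overrides the path to sshd.
sshd_links_liblzma() {
    bin="${1:-$(command -v sshd 2>/dev/null)}"
    if [ -z "$bin" ] || ! command -v ldd >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if ldd "$bin" 2>/dev/null | grep -q 'liblzma'; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: inspect this host.
main() {
    installed=$(xz --version 2>/dev/null | parse_liblzma_version)
    echo "liblzma version: ${installed:-not found} -> $(classify_version "$installed")"
    echo "sshd links liblzma: $(sshd_links_liblzma)"
}

main
```

A version match is only a first filter: the thread notes that a downgraded package can itself be suspect, so the authoritative check remains the distribution's advisory and package signatures, not the string printed by `xz --version`.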
This is seriously bad. Hopefully the community can filter out all the nefarious versions at the package manager. That is not how a security researcher thinks.