• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Researcher's Curiosity Uncovers Backdoor in Popular Linux Utility, Compromising SSH Connections

AleksandarK

News Editor
Staff member
Joined
Aug 19, 2017
Messages
2,651 (0.99/day)
In a interesting discovery that sent a series of shockwaves through the Linux community, Andres Freund, Principal Software Engineer at Microsoft, located a malicious backdoor in the widely used compression tool called "xz Utils." The backdoor, introduced in versions 5.6.0 and 5.6.1 of the utility, can break the robust encryption provided by the Secure Shell (SSH) protocol, allowing unauthorized access to affected systems. What Andres Freund found is that the latest version of xz Utils is taking 0.5 seconds in SSH on his system, while the older system with the older version took 0.1 seconds for simple processing, prompting the user to investigate and later send a widespread act for caution. While there are no confirmed reports of the backdoored versions being incorporated into production releases of major Linux distributions, the incident has raised serious concerns among users and developers alike.

Red Hat and Debian, two of the most well-known Linux distribution developers, have reported that their recently published beta releases, including Fedora 40, Fedora Rawhide, and Debian testing, unstable, and experimental distributions, used at least one of the affected versions of xz Utils. According to Red Hat officials, the first signs of the backdoor were introduced in a February 23 update, which added obfuscated (unreadable) code to xz Utils. A subsequent update the following day introduced functions for deobfuscating the code and injecting it into code libraries during the utility's update process. The malicious code has been cleverly hidden only in the tarballs, which target upstream releases of Linux distributions.




The backdoor is specifically designed to interfere with the authentication process performed by SSH, a critical protocol used for secure remote connections to systems. By breaking the encryption provided by SSH, the backdoor allows malicious actors to gain unauthorized access to the entire system, potentially compromising sensitive data and resources. Users of affected distributions are advised to exercise caution and apply any available patches or updates as soon as possible to mitigate the risk of exploitation. As the investigation into this security breach continues, the incident is a stark reminder of the importance of vigilance and regular security audits, even in the open-source software ecosystem. The Linux community is and must remain proactive in identifying and addressing such threats to ensure the integrity and security of Linux-based systems that power today's entire modern infrastructure.

View at TechPowerUp Main Site | Source
 

AleksandarK

News Editor
Staff member
Joined
Aug 19, 2017
Messages
2,651 (0.99/day)
Not an April Fool's joke. Also, don't try to trick engineers; they will always find out. :)
 
Joined
Nov 18, 2010
Messages
7,594 (1.48/day)
Location
Rīga, Latvia
System Name HELLSTAR
Processor AMD RYZEN 9 5950X
Motherboard ASUS Strix X570-E
Cooling 2x 360 + 280 rads. 3x Gentle Typhoons, 3x Phanteks T30, 2x TT T140 . EK-Quantum Momentum Monoblock.
Memory 4x8GB G.SKILL Trident Z RGB F4-4133C19D-16GTZR 14-16-12-30-44
Video Card(s) Sapphire Pulse RX 7900XTX. Water block. Crossflashed.
Storage Optane 900P[Fedora] + WD BLACK SN850X 4TB + 750 EVO 500GB + 1TB 980PRO+SN560 1TB(W11)
Display(s) Philips PHL BDM3270 + Acer XV242Y
Case Lian Li O11 Dynamic EVO
Audio Device(s) SMSL RAW-MDA1 DAC
Power Supply Fractal Design Newton R3 1000W
Mouse Razer Basilisk
Keyboard Razer BlackWidow V3 - Yellow Switch
Software FEDORA 41
Pretty lazy made article.

Basically the bad actor was active for this repo for a year... he has hundreds of contributions... including for Microsoft Visual Studio... The impact could be grand.
 
Joined
Mar 7, 2011
Messages
4,624 (0.92/day)
Red Hat themselves had posted about this on 29th March along mitigations:

Updated March 30, 2024: We have determined that Fedora Linux 40 beta does contain two affected versions of xz libraries - xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm. At this time, Fedora 40 Linux does not appear to be affected by the actual malware exploit, but we encourage all Fedora 40 Linux beta users to revert to 5.4.x versions.
Edit: interesting addition seems like even the downgrade is compromised.
Pretty lazy made article.

Basically the bad actor was active for this repo for a year... he has hundreds of contributions... including for Microsoft Visual Studio... The impact could be grand.
Also atleast 3 days late.
 
Last edited:
Joined
Nov 18, 2010
Messages
7,594 (1.48/day)
Location
Rīga, Latvia
System Name HELLSTAR
Processor AMD RYZEN 9 5950X
Motherboard ASUS Strix X570-E
Cooling 2x 360 + 280 rads. 3x Gentle Typhoons, 3x Phanteks T30, 2x TT T140 . EK-Quantum Momentum Monoblock.
Memory 4x8GB G.SKILL Trident Z RGB F4-4133C19D-16GTZR 14-16-12-30-44
Video Card(s) Sapphire Pulse RX 7900XTX. Water block. Crossflashed.
Storage Optane 900P[Fedora] + WD BLACK SN850X 4TB + 750 EVO 500GB + 1TB 980PRO+SN560 1TB(W11)
Display(s) Philips PHL BDM3270 + Acer XV242Y
Case Lian Li O11 Dynamic EVO
Audio Device(s) SMSL RAW-MDA1 DAC
Power Supply Fractal Design Newton R3 1000W
Mouse Razer Basilisk
Keyboard Razer BlackWidow V3 - Yellow Switch
Software FEDORA 41
Also atleast 3 days late.

Indeed.

Here's a good write up in understandable language about how the malicious codes operates. There are even speculation about him acting in in multiple names... a whole drama with popcorn.


And a pic... don't make jokes about the font the dude used.

GJ-6mD9aIAARaiY.jpg
 
Joined
Mar 7, 2011
Messages
4,624 (0.92/day)
Joined
Nov 18, 2010
Messages
7,594 (1.48/day)
Location
Rīga, Latvia
System Name HELLSTAR
Processor AMD RYZEN 9 5950X
Motherboard ASUS Strix X570-E
Cooling 2x 360 + 280 rads. 3x Gentle Typhoons, 3x Phanteks T30, 2x TT T140 . EK-Quantum Momentum Monoblock.
Memory 4x8GB G.SKILL Trident Z RGB F4-4133C19D-16GTZR 14-16-12-30-44
Video Card(s) Sapphire Pulse RX 7900XTX. Water block. Crossflashed.
Storage Optane 900P[Fedora] + WD BLACK SN850X 4TB + 750 EVO 500GB + 1TB 980PRO+SN560 1TB(W11)
Display(s) Philips PHL BDM3270 + Acer XV242Y
Case Lian Li O11 Dynamic EVO
Audio Device(s) SMSL RAW-MDA1 DAC
Power Supply Fractal Design Newton R3 1000W
Mouse Razer Basilisk
Keyboard Razer BlackWidow V3 - Yellow Switch
Software FEDORA 41
So overall a mess and going to be quite a headache to cleanup.

It can be so bad, that guys will dig up backups on tape drives to compare old versions, if some are not compromised. It will be a heck of a job for the community.

Well that's a shame anyone still uses xz instead of superior zstd.
 
Joined
Jan 2, 2019
Messages
151 (0.07/day)
It can be so bad, that guys will dig up backups on tape drives to compare old versions, if some are not compromised. It will be a heck of a job for the community.

Well that's a shame anyone still uses xz instead of superior zstd.

As a matter of fact XZ utility and XZ archives are widely used! Here are examples:

[ Ubuntu RISC-V images ]
cdimage.ubuntu.com/releases/22.04.3/release/ubuntu-22.04.3-preinstalled-server-riscv64+unmatched.img.xz
cdimage.ubuntu.com/releases/22.04.2/release/ubuntu-22.04.2-preinstalled-server-riscv64+unmatched.img.xz

[ Fedora RISC-V images ]
dl.fedoraproject.org/pub/alt/risc-v/repo/virt-builder-images/images/Fedora-Developer-Rawhide-20200108.n.0-sda.raw.xz
dl.fedoraproject.org/pub/alt/risc-v/repo/virt-builder-images/images/Fedora-Minimal-Rawhide-20200108.n.0-sda.raw.xz

[ OpenSBI installs ]
github.com/riscv-software-src/opensbi/releases/download/v1.2/opensbi-1.2-rv-bin.tar.xz
github.com/riscv-software-src/opensbi/releases/download/v1.1/opensbi-1.1-rv-bin.tar.xz
github.com/riscv-software-src/opensbi/releases/download/v1.0/opensbi-1.0-rv-bin.tar.xz

[ Linux aarch64 hosted compilers and tools ]
ampere-9.3.0-20200410-nativetools.tar.xz
ampere-9.3.0-20200410-dynamic-nativetools.tar.xz

[ AMDGPU-Pro Beta Mining Driver version 17.40 for Linux ]
www2.ati.com/drivers/linux/beta/ubuntu/amdgpu-pro-17.40-483984.tar.xz
www2.ati.com/drivers/linux/beta/rhel/amdgpu-pro-17.40-483984.tar.xz
 
Joined
Feb 14, 2012
Messages
2,356 (0.50/day)
System Name msdos
Processor 8086
Motherboard mainboard
Cooling passive
Memory 640KB + 384KB extended
Video Card(s) EGA
Storage 5.25"
Display(s) 80x25
Case plastic
Audio Device(s) modchip
Power Supply 45 watts
Mouse serial
Keyboard yes
Software disk commander
Benchmark Scores still running
I read that the bad actor also committed changes to libarchive, which Microsoft has integrated into Win11 as of 2023 Q3.

I would also ask why liblzma can take over an ssh server process ... seems like some kind of hardening is missing here (ideally).
 
Last edited:
Joined
Jan 10, 2011
Messages
1,451 (0.28/day)
Location
[Formerly] Khartoum, Sudan.
System Name 192.168.1.1~192.168.1.100
Processor AMD Ryzen5 5600G.
Motherboard Gigabyte B550m DS3H.
Cooling AMD Wraith Stealth.
Memory 16GB Crucial DDR4.
Video Card(s) Gigabyte GTX 1080 OC (Underclocked, underpowered).
Storage Samsung 980 NVME 500GB && Assortment of SSDs.
Display(s) ViewSonic VA2406-MH 75Hz
Case Bitfenix Nova Midi
Audio Device(s) On-Board.
Power Supply SeaSonic CORE GM-650.
Mouse Logitech G300s
Keyboard Kingston HyperX Alloy FPS.
VR HMD A pair of OP spectacles.
Software Ubuntu 24.04 LTS.
Benchmark Scores Me no know English. What bench mean? Bench like one sit on?
What Andres Freund found is that the latest version of xz Utils is taking 0.5 seconds in SSH on his system, while the older system with the older version took 0.1 seconds for simple processing, prompting the user to investigate and later send a widespread act for caution.
Great. Just as I was getting over the paranoia triggered every time one of my software hang for a millisecond...
 
Joined
Feb 14, 2012
Messages
2,356 (0.50/day)
System Name msdos
Processor 8086
Motherboard mainboard
Cooling passive
Memory 640KB + 384KB extended
Video Card(s) EGA
Storage 5.25"
Display(s) 80x25
Case plastic
Audio Device(s) modchip
Power Supply 45 watts
Mouse serial
Keyboard yes
Software disk commander
Benchmark Scores still running
Last edited:
Joined
Jan 2, 2019
Messages
151 (0.07/day)
## Summary of All verifications I've completed on Linux systems around me

## Ubuntu Server 20.04 for RISC-V ( with Desktop UI Manager )

root@ubuntu:~# xz --version
xz (XZ Utils) 5.2.4
liblzma 5.2.4

## Ubuntu Server 20.04 for RISC-V ( without Desktop UI Manager )

root@ubuntu:~# xz --version
xz (XZ Utils) 5.2.4
liblzma 5.2.4

## Debian Server 13.2.0 for RISC-V ( without Desktop UI Manager )

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Attention
!!! XZ Utility Affected!
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

root@debian:~# xz --version
xz (XZ Utils) 5.6.0
liblzma 5.6.0

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Attention
!!! XZ Utility Manually Downgraded
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

root@debian:~# xz --version
xz (XZ Utils) 5.4.5
liblzma 5.4.5

## Fedora Server 33 for RISC-V ( without Desktop UI Manager )

root@fedora-riscv:~# xz --version
xz (XZ Utils) 5.2.5
liblzma 5.2.5

## Ubuntu Desktop 16.04 LTS for x86 64-bit ( for Xilinx FPGA R&Ds )

ubuntu@ubuntu-vm:~$ xz --version
xz (XZ Utils) 5.1.0alpha
liblzma 5.1.0alpha

## Ubuntu Desktop 18.04 LTS for x86 64-bit

ubuntu@ubuntu-vm:~$ xz --version
xz (XZ Utils) 5.2.2
liblzma 5.2.2

## Ubuntu Desktop 20.04 LTS for x86 64-bit

ubuntu@ubuntu-vm:~$ xz --version
xz (XZ Utils) 5.2.4
liblzma 5.2.4
 
Joined
Aug 20, 2007
Messages
21,539 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
As a matter of fact XZ utility and XZ archives are widely used! Here are examples:

[ Ubuntu RISC-V images ]
cdimage.ubuntu.com/releases/22.04.3/release/ubuntu-22.04.3-preinstalled-server-riscv64+unmatched.img.xz
cdimage.ubuntu.com/releases/22.04.2/release/ubuntu-22.04.2-preinstalled-server-riscv64+unmatched.img.xz

[ Fedora RISC-V images ]
dl.fedoraproject.org/pub/alt/risc-v/repo/virt-builder-images/images/Fedora-Developer-Rawhide-20200108.n.0-sda.raw.xz
dl.fedoraproject.org/pub/alt/risc-v/repo/virt-builder-images/images/Fedora-Minimal-Rawhide-20200108.n.0-sda.raw.xz

[ OpenSBI installs ]
github.com/riscv-software-src/opensbi/releases/download/v1.2/opensbi-1.2-rv-bin.tar.xz
github.com/riscv-software-src/opensbi/releases/download/v1.1/opensbi-1.1-rv-bin.tar.xz
github.com/riscv-software-src/opensbi/releases/download/v1.0/opensbi-1.0-rv-bin.tar.xz

[ Linux aarch64 hosted compilers and tools ]
ampere-9.3.0-20200410-nativetools.tar.xz
ampere-9.3.0-20200410-dynamic-nativetools.tar.xz

[ AMDGPU-Pro Beta Mining Driver version 17.40 for Linux ]
www2.ati.com/drivers/linux/beta/ubuntu/amdgpu-pro-17.40-483984.tar.xz
www2.ati.com/drivers/linux/beta/rhel/amdgpu-pro-17.40-483984.tar.xz
Gentoo is heavily addicted to xz as well.

This is seriously bad. Hopefully the community can filter out all the nefarious versions at the package manager.

If I were Andres Freund, I think I might be worried that I've pissed off the wrong people.
That is not how a security researcher thinks.
 
Joined
Feb 1, 2019
Messages
3,666 (1.71/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
I agree this is going to be messy.
 
Top