On Friday, a single Microsoft developer rocked the world when he revealed that a backdoor had been deliberately implanted in xz Utils, an open-source data compression utility available on nearly every installation of Linux and other Unix-like operating systems. The people behind it likely spent years on the effort. They were probably close to seeing the backdoored update merged into Debian and Red Hat, the two largest Linux distributions, when an eagle-eyed software developer spotted something suspicious.
Investigators spent the weekend piecing together clues. Here’s what we know so far.
What is xz Utils?
xz Utils is almost ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux. xz Utils provides critical functions for compressing and decompressing data in all kinds of operations. That makes it an even more crucial component.
What happened?
Andres Freund, a developer and engineer who works on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was having with SSH, the most widely used protocol for remotely connecting to devices over the Internet. Specifically, SSH connections were consuming too many CPU cycles and generating errors with valgrind, a utility for monitoring computer memory.
Thanks to luck and Freund’s sharp eye, he eventually discovered that the problems were the result of updates made to xz Utils. On Friday, Freund went to the Open Source Security mailing list to reveal that the updates were the result of someone deliberately implanting a backdoor in the compression software.
It’s hard to overstate the complexity of the social engineering and the inner workings of the backdoor. Thomas Roccia, a researcher at Microsoft, has posted a chart on Mastodon that visualizes the extent of the nearly successful effort to spread a backdoor with a reach that would have eclipsed the SolarWinds event of 2020.
What is the backdoor used for?
The malicious code added to versions 5.6.0 and 5.6.1 of xz Utils modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has seen the uploaded code, so it’s unclear what code the attacker planned to run. In theory, the code could allow almost anything, including stealing encryption keys or installing malware.
Wait, how can a compression utility affect a process as security-sensitive as SSH?
Any library can tamper with the inner workings of any executable it is linked to. Often, the developer of the executable will link to a library that is needed for it to work properly. OpenSSH, the most popular sshd implementation, does not link the liblzma library, but Debian and many other Linux distributions apply a patch to link sshd to systemd, a program that loads a wide variety of services at system startup. Systemd, in turn, is linked to liblzma, allowing xz Utils to exert control over sshd.
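The two indicators that follow from this explanation (an affected xz Utils release, and an sshd whose shared-library dependencies pull in liblzma) can be checked from the shell. This is an added example, not from the article or from the xz or OpenSSH projects; the sample `xz --version` and `ldd` output below is constructed, and the live `check_host` function assumes `xz`, `ldd` and `sshd` are on the path.

```sh
# Added example (not part of the article): defender-side checks for the
# mechanism described above. Sample data is constructed for illustration.

# Return 0 if the version string is one of the two backdoored releases.
is_affected_xz_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the version from the first line of `xz --version` output,
# which looks like "xz (XZ Utils) 5.6.1".
parse_xz_version() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Return 0 if ldd-style output lists liblzma among the linked libraries.
# On patched distributions it arrives indirectly through libsystemd.
links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma'
}

# Constructed sample output, as such a distribution's sshd might show.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6'

# Live check on this host: prints what it finds and returns 1 if either
# indicator is present, so it can be used in a script or cron job.
check_host() {
  sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
  exposed=0
  if [ -n "$ver" ] && is_affected_xz_version "$ver"; then
    echo "xz Utils $ver is one of the backdoored releases"
    exposed=1
  fi
  if [ -x "$sshd_path" ] && links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
    echo "$sshd_path links liblzma (typically via libsystemd)"
    exposed=1
  fi
  return $exposed
}
```

Source the file and run `check_host`; a nonzero exit means at least one of the two indicators was found and the host deserves a closer look.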
How did this backdoor come about?
It would seem that this backdoor has been years in the making. In 2021, a user with the username JiaT75 made their first known commit to an open-source project. In hindsight, the change to the libarchive project is suspicious, because it replaced safe_fprint with a variant that has long been recognized as less secure. No one noticed at the time.
The following year, JiaT75 submitted a patch to the xz Utils mailing list, and almost immediately, a previously unseen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, who had maintained xz Utils for a long time, had not been updating the software often or quickly enough. Kumar, with the help of Dennis Ens and several others who had never been on the list, pressured Collin to bring in another developer to keep the project going.
In January 2023, JiaT75 made their first commit to xz Utils. In the following months, JiaT75, who used the name Jia Tan, became more and more involved in the affairs of xz Utils. For example, Tan replaced Collin’s contact information with their own in OSS-Fuzz, a project that scans open-source software for exploitable vulnerabilities. Tan also asked OSS-Fuzz to disable ifunc during testing, a change that prevented it from detecting the malicious changes Tan would soon make to xz Utils.
In February of this year, Tan released commits for versions 5.6.0 and 5.6.1 of xz Utils. The updates implemented the backdoor. In the weeks that followed, Tan and others asked developers at Ubuntu, Red Hat, and Debian to merge the updates into their operating systems. Eventually, one or the other of the two updates made it into the following releases, according to the security company Tenable:
Here is the timeline of Tan’s involvement.