The XZ Utility Backdoor

A Crisis Averted

April 17th, 2024

Open-source software stands as both a beacon of collaboration and a potential Pandora’s Box. Its allure lies in transparency, community-driven development, and the promise of democratizing technology. However, this same openness also allows bad actors to gain access to the code and try to introduce malicious code for all kinds of backdoors and vulnerabilities. Open-source projects need strict review processes to catch such code and to prevent bad actors from introducing it without review. This has become increasingly relevant with recent events such as the xz utility vulnerability, which was introduced into the codebase and compromised a limited number of Linux systems with a backdoor for remote code execution.

What is xz utils?

The Linux utility known as xz is part of a compression library for Unix-based systems called liblzma. It allows for lossless compression and decompression using the lzma implementation. The liblzma library is an extremely popular open-source project that is included in many Linux distributions out-of-the-box and is used extensively across enterprise Linux systems.

What happened?

On March 29th, 2024, open-source software developer Andres Freund reported that he had found a backdoor that granted remote shell (ssh) access to some Linux systems through the xz utility found inside the liblzma library versions 5.6.0 and 5.6.1. The backdoor allows for arbitrary remote code execution on the compromised machines.             

 

How does it work?

The xz utility vulnerability is composed of many parts, and some of them are only available in the release files and used during the build process of dependent projects. This means that the malicious code is complex and spread across multiple changes, obfuscated so as to hide it from the community developers.

During the build process, a malicious script is run that decompresses two different "test" files. These are then extracted into obfuscated scripts which are executed, and the script replaces a function pointer of the OpenSSH library named RSA_public_decrypt with its own malicious version. This malicious version lets an attacker who holds the valid private key send commands directly, which it then runs through the system() function. This allows for arbitrary remote code execution (a critical cyber threat) on vulnerable machines before authentication has occurred.

 

XZ Vulnerability Impact

Any compromised machine will permit the cyber threat actor to run arbitrary code, which could lead to intrusion, data theft, or even data destruction on affected machines or on the other machines that they interact with. However, this backdoor was accidentally discovered early, so only some machines that had very up-to-date beta releases of the library had the affected versions installed. It appears to target Debian-based and RHEL-based machines that have xz utility versions 5.6.0 and 5.6.1; therefore, it is recommended to update these machines as soon as possible to avoid any issues. It would also be worthwhile to analyze the system logs for anomalies if you believe you had the compromised library version installed.

Although only certain machines are known to be affected by this vulnerability, it is possible that some unknown behaviors are yet to be discovered, and machines should be updated regardless of whether they are thought to be compromised. For example, according to the University of Michigan, MacOS Homebrew is being forcibly downgraded from version 5.6.0 to version 5.4.6 as a precaution.
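One way to check a host against the two affected versions named above, as an added example that is not part of the original article. It assumes the usual two-line `xz --version` output and the usual `liblzma.so.X.Y.Z` file naming; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag xz / liblzma versions that match
# the two releases the article names as backdoored.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Reduce "5.6.1" or a distro-suffixed "5.6.1-1" to the leading X.Y.Z; empty if none.
base_version() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print "affected", "ok" or "unknown" for one version string.
classify_version() {
    v=$(base_version "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    for bad in $AFFECTED_VERSIONS; do
        if [ "$v" = "$bad" ]; then echo affected; return 0; fi
    done
    echo ok
}

# Classify a shared-object path by the version in its file name,
# e.g. .../liblzma.so.5.6.1 (the soname link liblzma.so.5 gives "unknown").
classify_library_path() {
    classify_version "${1##*liblzma.so.}"
}

# Read `xz --version`-style text on stdin; print "<name> <version> <status>".
report_versions() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        printf '%s %s %s\n' "${line%% *}" "${line##* }" \
            "$(classify_version "${line##* }")"
    done
}

# Constructed sample output, used when xz is not installed on this host.
SAMPLE='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

if command -v xz >/dev/null 2>&1; then
    xz --version | report_versions
else
    printf '%s\n' "$SAMPLE" | report_versions
fi
```

A version match only shows that an affected release is installed; it says nothing about whether the backdoor was ever used, which is why the log review recommended above still applies.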

 

XZ Vulnerability Aftermath

The two core maintainers of this repository, "Lasse Collin" and "Jia Tan", were temporarily suspended from GitHub, and only Lasse was reinstated on 04/02/2024. Currently there are still many unknowns regarding the inner workings of the backdoor, and precautions need to be taken to prevent vulnerabilities. A complete review of the repository is currently underway to audit the rest of the source code. We should expect a clean version jump in the future that will clearly differentiate it from the malicious versions.

 

XZ Vulnerability Closing Thoughts

This vulnerability has received a lot of attention due to the high potential impact it could have had if it had passed beta releases and been installed globally on production Linux servers. As a result, there are many takes on this case that point in opposite directions. Some people believe this is a great blow to the trust in open-source software, while others think this is a great example of the open-source review system working as intended. The attention has brought a lot of skepticism towards open-source, as well as awareness that backdoors are a possibility in any library or repository. However, the prompt response to this very well-hidden backdoor showcases how public auditing can help avoid malicious code (even if it was introduced due to its open-source nature).

The truth of the matter is that many people have realized that software backdoor access is a reality, and it has triggered alarms for the open-source community to be more cautious about code reviews and to closely monitor what gets accepted into the public repository. We must remain alert, but also understand that malicious code is bound to appear in any software so long as there is profit or other nefarious gain to be made. With open-source software, we have the opportunity to audit the code that we use; with proprietary software you may never know what happens behind the scenes until it's too late. Backdoors can happen in any software or library, and this event is a wakeup call for people to be conscious of every piece of software they install on their servers and computers.

If you have concerns that your machines may be compromised or just want an independent security review, get in touch with us today to schedule a vulnerability assessment. Our experts will work closely with you to identify potential sources of compromise and provide mitigating recommendations based on your company’s overall risk profile.
