– Mar 29, 2024 6:50 pm UTC
Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.
The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions—specifically, in Fedora 40 and Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn’t used in production systems.
Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it’s not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that’s only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”
Reports have surfaced that several apps within the HomeBrew package manager for macOS are dependent on a compromised 5.6.1 version of xz Utils. In response, HomeBrew has reverted to the 5.4.6 version of the utility. Further information is available here.
The initial signs of the backdoor were spotted in an update on February 23 that added encrypted code, according to officials from Red Hat. The next update incorporated a malevolent install script that embedded itself into sshd functions, the binary file crucial to SSH’s functioning. This malefic code has been restricted to the archive releases, known as tarballs, which are upstream releases. The GIT code remains unaffected in repositories, although they do possess secondary stage artifacts that enable the injection during build time. If the encrypted code added on February 23 exists, these artifacts allow the backdoor to function in the GIT version.
The harmful alterations were proposed by JiaT75, a chief xz Utils developer with a considerable history of contributions to the project.
An official with OpenWall, the distributor, mentioned in an advisory that either the committer is directly involved or their system was severely compromised. The latter assumption seems less probable since they communicated about the ‘fixes’ in recent updates. You can find these updates and fixes here, here, here, and here.
On Thursday, a user identifying as the developer requested on a Ubuntu forum for the compromised version 5.6.1 to be integrated into the operational versions stating it resolved certain bugs causing a tool called Valgrind to not operate correctly.
The individual cautioned, using a newly created account, that there could be potential disruptions to build scripts and test flows which rely on specific output from Valgrind to be successful.
A maintainer for Fedora reported on Friday being contacted by this supposed developer in the preceding weeks, with a proposal to incorporate one of these compromised utility versions into Fedora 40, an upcoming release.
The Ubuntu maintainer mentioned collaborating with him to address the Valgrind issue. However, it is now believed that the problem was a result of the sinister backdoor the individual had embedded.
His involvement in the xz project spans two years, during which he has contributed numerous binary test files. Such level of expertise raises suspicions that extend to even earlier xz versions until evidence suggests otherwise.
It seems that the administrators for the xz Utils are yet to respond to emails requesting clarification.
Interestingly, the discovered harmful versions appear to deliberately disrupt SSH, a commonly used protocol for remote system access, during its authentication processes. SSH incorporates advanced encryption algorithms designed to ensure that only those with proper authorization can access a system. The deployed backdoor is skillfully created to allow an attacker to bypass this authentication and secure unauthorized entry into the entire system. This is achieved by injecting code at a critical stage of the login sequence.
Freund states, “I am yet to fully comprehend what the injected code checks for allowing unauthorized access. Given that it operates in a pre-authentication environment, it would appear to provide some form of access or may allow remote code execution.”
In certain scenarios, the backdoor doesn’t operate as expected. There are inconsistencies in the Fedora 40 build setting that hinder the injection from happening correctly. Fedora 40 has now reverted to the 5.4.x versions of xz Utils.
xz Utils is accessible for almost all Linux distributions, although not all of them have it included as a default. Every Linux user should consult with their distributor right away to check if their system is at risk. Freund has provided a script that can detect if an SSH system is susceptible.
ChicagoVPS is your gateway to unparalleled hosting solutions. Our state-of-the-art datacenters and powerful network ensures lightning-fast speeds and uninterrupted connectivity for your websites and applications. Whether you’re a startup looking for scalable resources or an enterprise in need of enterprise-grade hosting, our range of plans and customizable solutions guarantee a perfect fit. Trust in ChicagoVPS to deliver excellence, combining unmatched reliability and top-tier support.
For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@chicagovps.net.
