Why it matters: An accidental discovery by Microsoft researcher Andres Freund could’ve led to the unearthing of malicious code with potential to bypass sshd authentication, posing a serious threat to Linux. The open source community has acknowledged how this discovery, though accidental, came about just in time before it could compromise the wider Linux community.
Andres Freund, while doing his routine micro-benchmarking at Microsoft as a PostgreSQL developer, observed a minor 600ms delay with ssh processes. These processes were unexpectedly consuming a considerable amount of CPU though they were expected to fail quickly, per his
post on Mastodon.
Eventually, Freund became aware of a supply-chain attack involving obfuscated malicious code in the XZ package. He shared his findings on the
Open Source Security Mailing List and the information was picked up by the open source community.
I attempted to explain to my non-tech friends today that an engineer, who debugged a 500ms delay, could have saved the entire web or even the potential integrity of the entire civilization.
The dev community has quickly begun to understand how this attack was cleverly inserted into XZ utils, an open-source project that has been managed by a single, unpaid programmer since 2009 at least. The account linked to the suspect commits seems to have slowly won the trust of the XZ’s developer, sparking rumors that the malicious code’s creator could be an advanced attacker, even possibly linked to a state agency.
Officially known as CVE-2024-3094, it has the highest attainable CVSS score of 10. Red Hat reports that the harmful code changes functions in liblzma, a data compression library included in the XZ utils package that is integral to many leading Linux distributions.
Burnout among open-source maintainers is a serious, immediate security threat. What steps are we taking to address this? https://t.co/GZETWimy5i
The altered code can be used by any program that links to the XZ library, making it possible to intercept and alter data used with the library. According to Freund, under specific circumstances, this backdoor could enable a malevolent actor to bypass sshd authentication, allowing the attacker to access a compromised system. It was also reported by Freund that XZ utils versions 5.6.0 and 5.6.1 are affected.
The xz backdoor is causing a stir in the Linux community, but its setup is impressive: it included a 2-year maintainership, oss-fuzz, etc. We might not have known how long it would’ve stayed hidden if the injection into sshd code had been quicker (less than 600ms).
Red Hat found vulnerable packages in Fedora 41 and Fedora Rawhide and recommended users stop using them until an update is available. Red Hat Enterprise Linux (RHEL) wasn’t affected. SUSE updated openSUSE (Tumbleweed or MicroOS) for its users. Debian Linux’s stable versions are safe, but the testing, unstable, and experimental versions require xz-utils updates because of compromised packages. If you updated Kali Linux between March 26 and March 29, you should update again to get the fix, but if you updated before March 26, you aren’t impacted by this vulnerability.
Many security researchers note that the situation is still developing, and there could be more vulnerabilities. We don’t know what the payload was supposed to be yet. The US Cybersecurity and Infrastructure Security Agencyadvised people to go back to an uncompromised XZ utils version, earlier than 5.6.0. Security companies are also advising developers and users to do incident response testing to see if they were affected—if they were, they should report it to CISA.
Here is a summary of how the xz backdoor was found: pic.twitter.com/n9rNjvawHU
Fortunately it doesn’t appear as if those affected versions were incorporated into any production releases for major Linux distributions, but Will Dormann, a senior vulnerability analyst at security firm Analygence, told Ars Technica that this discovery was a close call. “Had it not been discovered, it would have been catastrophic to the world,” he said.
ChicagoVPS is your gateway to unparalleled hosting solutions. Our state-of-the-art datacenters and powerful network ensures lightning-fast speeds and uninterrupted connectivity for your websites and applications. Whether you’re a startup looking for scalable resources or an enterprise in need of enterprise-grade hosting, our range of plans and customizable solutions guarantee a perfect fit. Trust in ChicagoVPS to deliver excellence, combining unmatched reliability and top-tier support.
For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@chicagovps.net.
