Sophisticated Backdoor Discovered in XZ Utils, Highlighting Supply Chain Vulnerability

A new analysis has revealed that the malicious code inserted into the open-source library XZ Utils, widely used in major Linux distributions, is capable of facilitating remote code execution. This supply chain compromise, tracked as CVE-2024-3094, was brought to light by Microsoft engineer and PostgreSQL developer Andres Freund.

Freund stumbled upon the backdoor while micro-benchmarking, after noticing that sshd processes were consuming an unusual amount of CPU. Further investigation traced the cause to a backdoor in the data compression utility that lets remote attackers bypass secure shell authentication and gain complete access to an affected system.

XZ Utils is a command-line tool for compressing and decompressing data in Linux and other Unix-like operating systems. The backdoor code was introduced by a project maintainer named Jia Tan in what appears to be a meticulously planned attack spanning multiple years. The actor's identity remains unknown.

"The threat actor started contributing to the XZ project almost two years ago, slowly building credibility until they were given maintainer responsibilities," said a report by Akamai.

In a sophisticated act of social engineering, sockpuppet accounts were used to send feature requests and report issues in the software, prompting the addition of a new co-maintainer to the repository. Jia Tan introduced a series of changes to XZ Utils in 2023, which eventually made their way to release versions 5.6.0 and 5.6.1, both containing the backdoor.

"This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning," commented a firmware security company, Binarly.

The backdoor allows specific remote attackers to send arbitrary payloads through an SSH certificate, which are then executed in a way that bypasses authentication. "This means that any machine with the vulnerable package that exposes SSH to the internet is potentially vulnerable," explained Akamai.
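A triage helper for the exposure described above, added here as an example and not taken from the article or from the XZ project: it flags the two backdoored releases named in the piece (5.6.0 and 5.6.1) and reports whether the local sshd loads liblzma at all, since the hook only ran inside an sshd that had liblzma in its process. Function names and the sample outputs are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the article): CVE-2024-3094 triage helper.

# Return 0 (affected) when the version string is one of the backdoored
# XZ Utils releases, 5.6.0 or 5.6.1; return 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of `xz --version` style text, whose first
# line reads like "xz (XZ Utils) 5.6.1". Text is passed in as a string so
# the helper can be exercised offline on constructed samples.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9.]*\).*/\1/p'
}

# Given the text of `ldd /usr/sbin/sshd`, report whether liblzma is in the
# daemon's link map. Upstream OpenSSH does not use liblzma; on the affected
# distributions it arrived indirectly (via libsystemd), which is the path
# the backdoor relied on to get code into sshd.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed samples (not real captures) for offline use.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_OUTPUT='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f)'

# Live check of the host this script runs on (run with --check).
check_host() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$ver"; then
        echo "xz $ver: backdoored release (CVE-2024-3094), replace with an unaffected build"
    else
        echo "xz ${ver:-unknown}: not one of the backdoored releases"
    fi
    if [ -x /usr/sbin/sshd ] && sshd_links_liblzma "$(ldd /usr/sbin/sshd 2>/dev/null)"; then
        echo "sshd links liblzma: the backdoor's hook path into sshd is present"
    else
        echo "sshd does not link liblzma (or sshd not found at /usr/sbin/sshd)"
    fi
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

A clean version string says nothing about a binary that was rebuilt from a tampered tarball, so treat the version check as a first pass and the liblzma linkage check as the more useful exposure signal.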

The backdoor, discovered only by accident, is one of the most significant supply chain attacks to date; it highlights how heavily the ecosystem relies on open-source software and what a compromise of that software can cost.

Kayla Underkoffler, lead security technologist at HackerOne, emphasized the importance of trust and transparency in the open-source ecosystem: "Trust and transparency are foundational to the collaboration that drives the open source ecosystem. The backdoor in XZ Utils was planted via social engineering — a deliberate breach of trust. Incidents like these cause a ripple effect beyond the technical impact of a vulnerability because when you harm the integrity of one open source project, you harm the trust and integrity of the entire ecosystem."

This incident underscores the need for organizations to adopt tools and processes that can identify signs of tampering and malicious features within both open-source and commercial code used in their development pipeline. It also highlights the importance of supporting open-source project security through foundations like OpenSSF and programs like the Internet Bug Bounty.