
Rust Crate liblzma-sys Infected with XZ Utils Backdoor Files, Putting Users at Risk

“Test files” associated with the XZ Utils backdoor have been discovered in a Rust crate called liblzma-sys, according to new findings from Phylum.

liblzma-sys, which has been downloaded over 21,000 times, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The affected version is 0.3.2.

“The current distribution (v0.3.2) on Crates.io contains the test files for XZ that contain the backdoor,” Phylum noted in a GitHub issue raised on April 9, 2024.

“The test files themselves are not included in either the .tar.gz nor the .zip tags here on GitHub and are only present in liblzma-sys_0.3.2.crate that is installed from Crates.io.”

After responsible disclosure, the files (“tests/files/bad-3-corrupt_lzma2.xz” and “tests/files/good-large_compressed.lzma”) have been removed from liblzma-sys version 0.3.3, released on April 10. The previous version of the crate has been removed from the registry.
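A defender-side check for the affected release and the two test files named above, written as an added example (not code from Phylum, Snyk or the liblzma-sys project); it assumes the standard Cargo.lock layout and a crate unpacked the way cargo does under ~/.cargo/registry/src/:

```python
"""Audit helper for the liblzma-sys incident: flags Cargo.lock files that pin
liblzma-sys 0.3.2 and crate listings that contain the two XZ backdoor test files
Phylum reported. Added example; not code from Phylum, Snyk or liblzma-sys."""
import re
import sys
from pathlib import Path
from typing import Iterable, Union

AFFECTED_CRATE = "liblzma-sys"
AFFECTED_VERSION = "0.3.2"
# File paths named in the Phylum report, relative to the crate root.
BACKDOOR_TEST_FILES = (
    "tests/files/bad-3-corrupt_lzma2.xz",
    "tests/files/good-large_compressed.lzma",
)
# A Cargo.lock package entry is "[[package]]" followed by name = / version = lines.
_PKG_RE = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')

def affected_lock_entries(cargo_lock_text: str) -> list:
    """Versions of liblzma-sys pinned in the lock file that equal 0.3.2."""
    return [ver for name, ver in _PKG_RE.findall(cargo_lock_text)
            if name == AFFECTED_CRATE and ver == AFFECTED_VERSION]

def backdoor_files_in_listing(paths: Iterable[str]) -> list:
    """Backdoor test files found in a file listing (e.g. `tar tzf x.crate` output).
    Tarball entries carry a leading `<crate>-<version>/` component, so a hit is
    the exact relative path or any path ending in "/" + that path."""
    norm = [p.replace("\\", "/") for p in paths]
    return [rel for rel in BACKDOOR_TEST_FILES
            if any(p == rel or p.endswith("/" + rel) for p in norm)]

def backdoor_files_present(crate_dir: Union[str, Path]) -> list:
    """Same check against an unpacked crate directory, such as one under
    ~/.cargo/registry/src/; a missing directory yields no findings."""
    root = Path(crate_dir)
    if not root.is_dir():
        return []
    files = (str(p.relative_to(root)) for p in root.rglob("*") if p.is_file())
    return backdoor_files_in_listing(files)

if __name__ == "__main__":
    # Usage: audit.py [Cargo.lock] [unpacked-crate-dir ...]
    lock = Path(sys.argv[1] if len(sys.argv) > 1 else "Cargo.lock")
    hits = affected_lock_entries(lock.read_text()) if lock.is_file() else []
    print(f"{lock}: {'pins liblzma-sys ' + AFFECTED_VERSION if hits else 'ok'}")
    for d in sys.argv[2:]:
        print(f"{d}: {backdoor_files_present(d) or 'no backdoor test files'}")
```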

“The malicious test files were committed upstream, but due to the malicious build instructions not being present in the upstream repository, they were never called or executed,” Snyk said in an advisory.

The XZ Utils backdoor was uncovered in late March, with the malicious commits impacting versions 5.6.0 and 5.6.1 of the command-line utility. These versions were released in February and March 2024, respectively.

The code changes made by a GitHub user named JiaT75 allowed SSH authentication controls to be bypassed for remote code execution, letting attackers potentially take over the system.

The operation, spanning over two years, involved introducing trojanized changes into the build infrastructure to smuggle malicious code into legitimate packages shipped to Linux repositories.

The backdoor in liblzma aims to manipulate SSHD to monitor and intercept commands sent by attackers at the start of an SSH session, enabling remote code execution.

This incident highlights the risks associated with software supply chain attacks targeting open-source package maintainers.

Overall, the backdoor installation and the subsequent enhancements suggest a highly sophisticated and coordinated attack, potentially involving multiple entities.

The restored source code repository for XZ Utils on GitHub indicates that the situation is being addressed, with ongoing investigations into the attribution and motives behind the attack.

It’s crucial for the cybersecurity community to remain vigilant and proactive in detecting and mitigating such threats.
