The latest analysis has uncovered that a malicious code has been inserted into the widely used open-source library XZ Utils found in major Linux distributions. This code has the capability to allow remote code execution.
The supply chain compromise, known as CVE-2024-3094 (CVSS score: 10.0), was brought to the attention of the public when Andres Freund, a Microsoft engineer and PostgreSQL developer, alerted to the presence of a backdoor in XZ Utils. This backdoor allows remote attackers to bypass secure shell authentication and gain full access to the system.
XZ Utils is a command-line tool used for compressing and decompressing data in Linux and other Unix-like operating systems.
The malicious code was intentionally added by one of the project maintainers named Jia Tan (also known as Jia Cheong Tan or JiaT75). The attack seems to have been carefully planned over several years. The account was created in 2021, and the actor(s) responsible for this attack remain unknown.
A report from Akamai stated, “The threat actor started contributing to the XZ project almost two years ago, slowly building credibility until they were given maintainer responsibilities.”
Furthermore, it was revealed that sockpuppet accounts like Jigar Kumar and Dennis Ens were used to send feature requests and report issues in the software, ultimately leading to the addition of a new co-maintainer, Jia Tan, to the repository.
Jia Tan introduced a series of changes to XZ Utils, which were included in the February 2024 release version 5.6.0. These changes also contained a sophisticated backdoor.
In an email exchange in June 2022, Lasse Collin expressed that Jia Tan may have a bigger role in the project in the future, hinting at the ongoing changes in maintainership for XZ Utils.
The backdoor affects XZ Utils 5.6.0 and 5.6.1 release tarballs, with the latter containing an improved version of the same implant. Collin has acknowledged the breach and confirmed that the tarballs were created and signed by Jia Tan, who only had access to the now-disabled GitHub repository.
Binarly, a firmware security company, described this as a complex state-sponsored operation with impressive sophistication and multi-year planning.
Filippo Valsorda’s analysis of the backdoor has revealed that specific remote attackers can send arbitrary payloads through SSH certificates to take control over a victim machine.
Akamai highlighted that the backdoor allows a remote attacker with a specific private key to hijack the SSH daemon and execute malicious commands.
This discovery by Freund is a significant supply chain attack, emphasizing the dedication of the attacker to establish themselves as a legitimate maintainer and avoid detection using various OSS projects.
Similar to the Apache Log4j case, this incident underscores the reliance on open-source software and volunteer-run projects, emphasizing the need for organizations to adopt tools and processes to detect malicious features in code.
