XZ Utils Backdoor
In February 2024, a malicious backdoor was introduced into the Linux build of the xz utility, inside the liblzma library, in versions 5.6.0 and 5.6.1 by an account using the name "Jia Tan". The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution through OpenSSH on the affected Linux system. The issue has been assigned a CVE identifier and a CVSS score of 10.0, the highest possible score. While xz is present in most Linux distributions, at the time of discovery the backdoored version had not yet been widely deployed to production systems, but it was present in development versions of major distributions. The backdoor was discovered by the software developer Andres Freund, who announced his findings on 29 March 2024.


Background

Microsoft employee and PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid. Freund noticed that SSH connections were consuming an unexpectedly high amount of CPU time and were also causing errors in Valgrind, a memory debugging tool. Freund reported his finding to the Openwall Project's open source security mailing list, which brought it to the attention of various software vendors. The attacker took care to obfuscate the code: the backdoor consists of multiple stages that act together. Once the compromised version is incorporated into the operating system, it alters the behavior of OpenSSH's server daemon (sshd) by way of the systemd library, which pulls liblzma into the sshd process, allowing the attacker to gain administrator access. According to the analysis by Red Hat, the backdoor can "enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".

A subsequent investigation found that the campaign to insert the backdoor into the XZ Utils project was the culmination of approximately three years of effort, between November 2021 and February 2024, by a user going by the name ''Jia Tan'' and the nickname JiaT75 to gain a position of trust within the project. After a period of pressure on the founder and head maintainer to hand over control of the project, apparently applied through sock puppet accounts, ''Jia Tan'' became co-maintainer of XZ Utils and was able to sign off on version 5.6.0, which introduced the backdoor, and version 5.6.1, which patched some anomalous behavior that could have been noticed during software testing of the operating system. Suspected sock puppet accounts include usernames such as ''Jigar Kumar'', ''krygorin4545'', and ''misoeater91''. It is suspected that ''Jia Tan'', as well as the supposed code author ''Hans Jansen'' (for versions 5.6.0 and 5.6.1), are pseudonyms chosen by the participants in the campaign; neither has any visible public presence in software development beyond the few years of the campaign. The backdoor was notable for its level of sophistication and for the fact that the perpetrator maintained a high level of operational security for a long period while working to attain a position of trust. American security researcher Dave Aitel has suggested that it fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian Foreign Intelligence Service (SVR). Journalist Thomas Claburn suggested that it could be any state actor, or a non-state actor with considerable resources.


Mechanism

The malicious code is known to be present in the 5.6.0 and 5.6.1 releases of the XZ Utils software package. The backdoor remains dormant unless a specific third-party patch of the SSH server is in use. Under the right circumstances this interference can enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely. The malicious mechanism consists of two compressed test files that contain the malicious binary code. These files are present in the git repository, but remain inert unless they are extracted and injected into the program. The injected code uses the glibc IFUNC mechanism to replace a function that OpenSSH calls with a malicious version. OpenSSH normally does not load liblzma, but a common third-party patch used by several Linux distributions causes it to load libsystemd, which in turn loads liblzma. A modified m4 build file was included in the release tarball uploaded to GitHub; it extracts a script that performs the actual injection into liblzma. This modified m4 file was not present in the git repository and was only available from the tarballs released by the maintainer separately from git, so a build from the git tree did not receive the backdoor, and comparing a release tarball against the tagged source is the check that exposes the difference. The script appears to perform the injection only when the package is being built on an x86-64 Linux system that uses glibc and GCC, and is being built via dpkg or rpm.
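To make the IFUNC step concrete, the following is an added example and not code from XZ Utils, OpenSSH or the backdoor itself. It shows how a glibc IFUNC resolver decides, while the dynamic loader is still applying relocations and before main() runs, which implementation a symbol binds to. The names checksum, checksum_genuine, checksum_hooked and the select_hooked flag are made up for the demonstration; it assumes Linux with glibc and GCC or Clang, because the ifunc attribute is not portable.

```c
// Added example (not from XZ Utils or OpenSSH): a minimal glibc IFUNC
// demonstration. The resolver runs inside the dynamic loader while it
// processes the executable's IRELATIVE relocations, i.e. before main(),
// and the address it returns is what every later call to checksum()
// binds to. Nothing here is malicious; the "hooked" variant only shows
// that the resolver, not the caller, decides which code is reached.
// Assumes Linux, glibc, and GCC or Clang (the ifunc attribute is not
// portable).
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// Written by the resolver so main() can show that it ran before main().
static int resolver_ran = 0;
static const char *selected = "none";

// The implementation the program author intends: a plain byte-sum checksum.
static uint32_t checksum_genuine(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[i];
    return sum;
}

// A stand-in for a substituted implementation. It ignores its input and
// returns a constant, the same way a hooked authentication routine would
// "accept" regardless of what it was given.
static uint32_t checksum_hooked(const uint8_t *buf, size_t len) {
    (void)buf; (void)len;
    return 0xdeadbeefu;
}

// Hypothetical policy for the demo: a file-scope flag decides which
// implementation the resolver returns. In a real attack the equivalent
// decision is taken by code the caller never sees.
static const int select_hooked = 1;

typedef uint32_t (*checksum_fn)(const uint8_t *, size_t);

// The IFUNC resolver. Resolvers run before the loader has finished its
// work, so they must not call into stdio, malloc or other relocated code;
// this one only touches static data.
static checksum_fn checksum_resolver(void) {
    resolver_ran = 1;
    if (select_hooked) {
        selected = "hooked";
        return checksum_hooked;
    }
    selected = "genuine";
    return checksum_genuine;
}

// checksum() has no body of its own: it is an IFUNC symbol whose address
// is whatever checksum_resolver() returns at load time.
uint32_t checksum(const uint8_t *buf, size_t len)
    __attribute__((ifunc("checksum_resolver")));

// Accessors used by the demo's main() and by tests.
int ifunc_resolver_ran(void) { return resolver_ran; }
const char *ifunc_selected(void) { return selected; }

// Result the caller actually gets through the IFUNC symbol.
uint32_t checksum_of_string(const char *s) {
    return checksum((const uint8_t *)s, strlen(s));
}

// Result the caller would have got from the intended implementation.
uint32_t checksum_genuine_of_string(const char *s) {
    return checksum_genuine((const uint8_t *)s, strlen(s));
}

int main(void) {
    const char *msg = "hello";   // constructed input for the demo
    printf("resolver ran before main: %s\n", resolver_ran ? "yes" : "no");
    printf("implementation selected:  %s\n", selected);
    printf("checksum(\"%s\") via IFUNC = 0x%08x\n", msg, checksum_of_string(msg));
    printf("genuine implementation   = 0x%08x\n", checksum_genuine_of_string(msg));
    return 0;
}
```

Compile with `gcc demo.c -o demo` and run it: the program reports that the resolver already ran when main() started and that checksum() landed in the hooked implementation, while the genuine routine would have returned a different value. That property, resolver code executing inside the loader and choosing where a call lands, is what the mechanism described above relies on once liblzma has been pulled into the sshd process.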


Response


Remediation

The US federal Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory recommending that affected systems roll back to a previous, uncompromised version. Linux software vendors, including Red Hat, SUSE, and Debian, reverted the affected packages to older versions. GitHub disabled the mirrors for the xz repository before subsequently restoring them. Canonical postponed the beta release of Ubuntu 24.04 LTS and its flavours by a week and opted for a complete binary rebuild of all the distribution's packages. Although the stable version of Ubuntu was not affected, the development (upstream) versions were. This precautionary measure was taken because Canonical could not guarantee by the original release deadline that the backdoor had not affected additional packages during compilation.


Broader response

Computer scientist Alex Stamos opined that "this could have been the most widespread and effective backdoor ever planted in any software product", noting that had the backdoor remained undetected, it would have "given its creators a master key to any of the hundreds of millions of computers around the world that run SSH". The incident also started a discussion about the viability of having critical pieces of cyberinfrastructure depend on unpaid volunteers.

