XZ Utils Backdoor (CVE-2024-3094): Personal Notes

In a surprising discovery that’s set the tech world abuzz, a hidden backdoor was found in XZ Utils, a widely-used library that facilitates lossless data compression. Given its popularity across various Linux distributions and numerous applications on Linux and macOS, the implications of this discovery are significant.

The Essence of the Backdoor

At its core, this backdoor manipulates the decryption process of SSH RSA keys. It cleverly intercepts these operations, rerouting them through the backdoor’s own mechanisms. This breach permits attackers to insert special arguments into an SSH authentication procedure, thereby gaining the ability to execute arbitrary code on affected systems. This vulnerability is specifically present in versions of the XZ Utils library that have been compromised.

Affected Versions

The problematic code was pinpointed within versions 5.6.0 and 5.6.1 of XZ Utils. Alarmingly, these compromised versions were actively circulated for about a month before the issue was identified and brought to light.

Downstream Impact

The ripple effects of this discovery are vast, impacting a range of Linux distributions and, by extension, their user bases. Notably, Fedora (both the 40 Beta and Rawhide versions), Debian (Sid), openSUSE (Tumbleweed and MicroOS), Kali Linux (Rolling), Gentoo, and Arch Linux (Rolling) have all confirmed the inclusion of the backdoored versions in their distributions. While it remains unclear how many other distros might be affected, indications suggest a broad impact, extending to Alpine Linux, Gentoo, Slackware, PCLinuxOS, and more. Importantly, most affected distributions are in their development or unstable stages, which typically wouldn’t be used in production environments—hopefully limiting the scope of potential damage. Nevertheless, the macOS Homebrew package manager and OpenWRT router firmware were also caught up in this issue, indicating the backdoor’s wide-reaching consequences.

Discovery of the Backdoor

The credit for uncovering this backdoor goes to Andres Freund, a software engineer at Microsoft with development ties to the PostgreSQL project. Freund stumbled upon the issue after noticing an unusual uptick in CPU usage by the SSH daemon, which led to noticeable delays in SSH performance and login times. His subsequent investigation revealed the malicious code embedded within the XZ Utils library.

This discovery not only underscores the importance of vigilant software maintenance and the potential vulnerabilities that can lurk in even the most trusted tools but also highlights the ever-present need for the tech community to remain alert to security threats. As we navigate the aftermath of this revelation, the emphasis on rigorous software vetting and the swift rectification of such vulnerabilities has never been more critical.

Backdoor Timeline

One of my favorite Timelines on CVE-2024-3094 (XZ Backdoor) is the one made by Thomas Roccia and shared on his Mastodon. I decided to paste-it following for ease of reading.

As you might appreciate from the flowing, the used technique is quite sophisticated in term of supply-chain attack. It is almost clear the threat actor could not be an “amateur” since it has been planning the attack since 2022. In this scenario the threat actor used some very interesting skills:

Patience. “Patience is not simply the ability to wait, it’s how we behave while we’re waiting.” (Rif. Mayer)
Software development skill. Understanding a big opensource project such as libxma is not something every developer can do in such short amount of time. You need to be a senior software developer or a senior software engineer, you must know software architecture and you shall know how to interact with the community.
Social skill. Interacting with opensource community such as forums, mailing list, git commits and community tickets is something you cannot improvise. You should be a developer who is accustomed to interact with communities.
Malware development skills. The way the threat actor hid the malicious code into the libxma is just a masterpiece. It firstly used a corrupted compressed file as carrier and later a compressed but encoded file driving to a bash script executed to extract the final payload.
Threat Actor intent skill. In other words the actor would reduce the probability to be spotted so that he developed a whole system to create the backdoor during the building time on the installation host (victim). It would be much easier to inject malicious code directly on the hosting repository but he decided to perform an indirect attack.

Attribution

From my perspective, attributing such a threat actor is challenging with limited information. I would argue that this is not the work of an individual amateur attacker, considering the complexity and time investment required, which suggests a need for diverse skill sets. Conversely, attributing this cyber attack to a cyber gang, like a ransomware group, seems unlikely. They primarily pursue financial gain, and dedicating several months to a single supply chain attack, which appears unprofitable at this stage, doesn’t seem practical. There are far more lucrative malicious activities they could engage in. Hacktivism seems even less likely; typically, hacktivists target more immediate issues and aim to amplify their message quickly. This prolonged attack doesn’t align with the usual modus operandi of hacktivism. However, it closely matches the characteristics of espionage and long-term digital strategy, suggesting the involvement of a state-sponsored threat actor. Considering recent supply chain attacks, such as those on Okta, JetBrains, and MOVEit, it’s reasonable to surmise that the primary actors behind these operations are likely state-affiliated groups from countries like Russia and China. Consequently, there is a significant possibility that the threat actor is affiliated with such states. This consideration aligns with the patterns of sophisticated cyber operations that necessitate state-level resources, expertise, and the strategic intent often seen in the activities attributed to these nations. Given the complexity and scale of the operations in question, the involvement of state-sponsored entities cannot be overlooked.