A newly discovered backdoor found in the xz liblzma library of XZ Utils, the XZ format compression utilities included in most Linux distributions, targets the RSA implementation of OpenSSH.
For those outside of tech, that sentence was an unreadable jumble of acronyms. For those inside tech, a chill probably ran down their spine, as those technologies are everywhere. Anytime anyone buys something online, they’re going to be using SSH to create a secure channel to pass transaction information. [As a commenter noted, SSH is a command tool rather than Secure Socket Layer (SSL), which is used for encrypted transactions. Mental typo. My bad. – LP.] Depending on how many distros are using that library, the consequence range from “bad” to “really, really bad.”
A vulnerability (CVE-2024-3094) in XZ Utils, the XZ format compression utilities included in most Linux distributions, may “enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely,” Red Hat warns.
The cause of the vulnerability is actually malicious code present in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries, which was accidentally found by Andres Freund, a PostgreSQL developer and software engineer at Microsoft.
“After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored,” he shared via the oss-security mailing list.
According to Red Hat, the malicious injection in the vulnerable versions of the libraries is obfuscated and only included in full in the download package.
“The Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present,” they added.
“The resulting malicious build interferes with authentication in sshd via systemd.”
I’m just going to note for the record that a whole lot of longtime Linux programmers absolutely hated the introduction of systemd. I don’t have deep enough Linux chops to take a side in this controversy, or know whether systemd was a significant factor in allowing the exploit to work.
Moving on:
The malicious script in the tarballs is obfuscated, as are the files containing the bulk of the exploit, so this is likely no accident.
“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system. Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the “fixes” [for errors caused by the injected code in v5.6.0],” Freund commented.
One silver lining is that the problem doesn’t look to be as widespread as it could be.
“Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by Linux distributions, and where they have, mostly in pre-release versions.”
Red Hat says that the vulnerable packages are present in Fedora 41 and Fedora Rawhide, and have urged users of those distros to immediately stop using them.
“If you are using an affected distribution in a business setting, we encourage you to contact your information security team for next steps,” they said, and added that no versions of Red Hat Enterprise Linux (RHEL) are affected.
Since Red Hat is usually the default for big E-commerce platforms, it looks like this exploit is merely “bad” rather than “really, really bad,” which means its not nearly as bad as, say, Log4J was. Your Amazons and eBays are probably safe from the exploit.
The people who are likely going to be hurt by this exploit are mom and pop E-commerce sites using their webhost’s “build an E-commerce site using these easy tools” feature. The smaller the site, the more likely they’re using a free distro, some of which may have this vulnerability.
Whatever the site, they should run an updated software composition analysis tool on stacks and build-chains to see if they’re vulnerable.
Tags: backdoor, Crime, Git, hacking, Linux, Microsoft, Red Hat, RSA, SSH, technology
Two thoughts – NSA paid RSA Data Security $30M to back door the BSAFE crypto library, and NSA gave bogus elliptic curve parameters to weaken TLS.
And the maintainer of the xz repository is unpaid, “suffers from mental health issues,” and does it as a hobby. It’s hard to think of a better target for subversion.
You can count me among the systemd haters. I think the big distro maintainers use it because it makes things like power-off when a laptop lid closes work across all manner of chipsets and saves them from the chore of troubleshooting user complaints about some Dell built from GodKnowsWhat chipset some supply manager got for cheap but patched the Windows driver for. (These laptops’ drivers often break after a few years with Windows update, too.) And systemd breaks things like the apm command line tools, so you are forced to do everything the systemd way.
Maybe this event will be scandalous enough for people to get serious about alternatives to systemd, or at least put that beast on a diet and reduce it to something more appropriate in scope.
[…] Does Malicious Backdoor Compromise SSH? “For those outside of tech, that sentence was an unreadable jumble of acronyms. For those […]
FYI that SSL is the secure channel to pass transaction data. SSH is an encrypted command line login that could have the RSA encryption co-opted. It was the SSH remote login that was being back-doored.
I love the fact that this was discovered by someone trying to figure out a latency problem. Shades of Clifford Stoll and his fifty cent billing discrepancy.
This post is disturbingly inaccurate. Please consider rewriting because you are usually way better
As noted above the backdoor had nothing to do with SSL aka TLS which is the s in https of web pages.
SSH is how people get a terminal session on a remote linux server. This would have been a very very bad thing if it had managed to get in to mainstream linux distros but it would not have impacted every visitor to a website.
Second it has absolutely nothing to do with systemd. Systemd has issues and I am not entirely happy with how systemd has been implemented but this backdoor has no connection to systemd at all other than it is also a piece of opensource code for linux systems
Hit submit too soon.
Yes systemd is involved in the exploitation of this bug. That’s because systemd is essentially involved in everything to do with network traffic and authentication and so on. It’s like saying a problem with a car crashing has to do with the wheels instead of “is due to a puncture in the driver side front tire”
I was told by a Big Tech DEI coach that intellectual curiosity, persistence, hard work, attention to detail, and completeness were all symptoms of systemic racism instead of systemic integrity. The Microsoft engineer who discovered this backdoor had better lay low for a while.