Major Linux Distributions Impacted by XZ Utils Backdoor
Major Linux distributions have been impacted by a supply chain attack involving backdoored versions of the XZ Utils data compression library.
Microsoft software engineer Andres Freund, who discovered the backdoor, explains that the malicious code was introduced in the tarball download package in XZ Utils version 5.6.0 released in February 2024.
Version 5.6.1 was released shortly after with updated malicious code that included additional obfuscation and fixes for errors occurring in some configurations.
The code was designed to execute at the end of a script and modify the liblzma library, which is part of the XZ Utils package, to provide unauthenticated access to the system. Red Hat tracks the issue as CVE-2024-3094, with a CVSS score of 10/10.
“Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library,” Red Hat explains.
The backdoor interferes with authentication in sshd via systemd: on distributions where sshd is linked against libsystemd, which in turn loads liblzma, the modified library is pulled into the SSH daemon, potentially allowing attackers to break sshd authentication and gain access to the system.
“As attackers continue to evolve and vulnerabilities by design are becoming more of a norm, the CVE-2024-3094-xz supply chain attack only raises more red flags to ensure the perimeter is secured,” Dor Dali, Head of Security Research at Cyolo, told SecurityWeek.
“The vulnerability exposed a critical security risk, that ultimately grants attackers the ability to circumvent authentication protocols and access entire systems remotely,” Dali said. “The malicious code found shows how critical it is for organizations to follow best practices, including avoiding the exposure of SSH directly to the internet and implementing additional security measures.”
To date, the Linux distributions to have confirmed impact from the attack include Fedora Rawhide and Fedora Linux 40 beta (but not Red Hat Enterprise Linux), openSUSE Tumbleweed and openSUSE MicroOS, Kali Linux, and Arch Linux.
Debian and Ubuntu announced that no stable release included the backdoored packages, and Amazon Linux, Alpine Linux, Gentoo Linux, and Linux Mint are not affected.
Software supply chain company Binarly has released a free backdoor detector called XZ.fail that includes generic IFUNC implantation detection with close to zero false positives. Binarly’s detection is based on behavioral analysis and is designed to automatically detect variants if a similar backdoor is implanted elsewhere.
In addition, other security researchers have released a script that allows users to scan their systems to determine if they are using the malicious library.
XZ Utils, a command-line tool for compressing and decompressing .xz files, is used not only in various Linux distributions, but also as a dependency of other libraries, so this supply chain attack has wide implications.
“OpenSSH runs on almost 20 million IPs as of today, and is almost 10 times more prevalent than RDP (Remote Desktop Protocol). Had somebody successfully introduced a widely deployed backdoor, it would have been bad later,” security researcher Kevin Beaumont notes.
To hide itself, the backdoor uses a multi-stage loader, as well as a function that allows for updates to be deployed via additional files, so that the original XZ code changes remain intact.
The backdoor was introduced by Jia Tan, who became XZ Utils’ maintainer last year. His GitHub account, JiaT75, had contributed to other compression-related libraries as well.
After reducing the security protections on the project in late 2023 and updating the URL for the project to GitHub pages, Jia Tan modified the library to include the malicious code in early 2024. The threat actor also made a request to become a Linux kernel module maintainer for XZ Embedded.
According to Lasse Collin, the project’s original author, however, Jia Tan only had access to the GitHub repository, but not to the project’s website, Git repositories, and related files. GitHub has suspended both Collin’s and Tan’s accounts.
“It’s important to note that the attackers didn’t need to commit the malicious code to the public repository. Modifying the release tarball hosted on GitHub and used by Linux distros to build packages would have been sufficient. Committing the code was likely done to make the tarball changes appear less suspicious,” Coinspect CEO and founder Juliano Rizzo notes.
Because the malicious code was included in XZ Utils versions 5.6.0 and 5.6.1, reverting the affected packages to use the 5.4.x versions of the library eliminates the backdoor. XZ Utils 5.4.6 is the latest stable, uncompromised iteration.
The US cybersecurity agency CISA advised developers and users to downgrade XZ Utils to a clean version and to check their systems for any malicious activity.
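The scan script mentioned above and the downgrade advice can be combined into a small local triage check. The following is an added example written for this article, not the researchers' script or any vendor tool; it assumes a standard `xz --version` banner and that `ldd` and `sshd` are on the path.

```shell
#!/bin/sh
# Added example, not from the article or any vendor tool: a small triage
# script for CVE-2024-3094. It checks whether the installed xz is one of the
# two backdoored releases (5.6.0, 5.6.1) and whether the local sshd loads
# liblzma at all, the path by which the implant reaches SSH authentication.

# Return 0 when VERSION is a known backdoored release.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print just the version number.
# The first line looks like "xz (XZ Utils) 5.4.6"; stdin keeps this testable
# on constructed text without a real xz binary.
parse_xz_version() {
    sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Read ldd output on stdin; return 0 if liblzma is among the loaded libraries.
# If sshd never loads liblzma, the sshd hook cannot fire, but a backdoored
# liblzma on the system must still be replaced.
sshd_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Live check of this host. Exit status: 0 not a known backdoored xz, 2 affected.
check_system() {
    ver=$(xz --version 2>/dev/null | parse_xz_version)
    [ -n "$ver" ] || { echo "xz not installed; nothing to check"; return 0; }
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && ldd "$sshd_path" 2>/dev/null | sshd_links_liblzma; then
        echo "sshd ($sshd_path) loads liblzma: the backdoor's hook path is present"
    else
        echo "sshd does not load liblzma, or sshd/ldd is unavailable"
    fi
    if is_affected_version "$ver"; then
        echo "xz $ver is backdoored: downgrade to 5.4.x (5.4.6 is the last clean stable)"
        return 2
    fi
    echo "xz $ver is not a known backdoored release"
    return 0
}

# Run the live check only when invoked with --run, so sourcing the file is safe.
if [ "${1:-}" = "--run" ]; then check_system; fi
```

A clean version string alone does not prove a host was never exposed; the exit status is a starting point for the "check your systems for malicious activity" step, not a substitute for it.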