The open-source community was rattled in late March 2024 with the discovery of a backdoor in XZ Utils, a widely used data compression package whose library, liblzma, ships with almost every installation of Linux and other Unix-like operating systems. The malicious code, tracked as CVE-2024-3094, was planted in liblzma rather than in the xz command-line tool. The library reached the OpenSSH server indirectly: several distributions patch sshd to link against libsystemd for service notification, and libsystemd links against liblzma, so the backdoored library was loaded into sshd at start-up, where it could grant a remote attacker control over affected systems. (Earlier reports that named OpenSSL as the path into sshd had it backwards; OpenSSL was the target of the hook, not the route in.)

Technical Details

The attacker, operating under the alias Jia Tan, employed a multi-layered strategy:

  1. Trojan Horse: The malicious code was not in any source file a reviewer would normally read. It was stored in two binary files in the test suite, presented as a corrupt and a valid compressed archive, and was unpacked and compiled into liblzma by a modified build script (m4/build-to-host.m4) that existed only in the signed release tarballs, not in the git repository. The injection only activated for x86-64 Linux builds with glibc and GCC, and only when building a deb or rpm package, which kept it out of most developers' local builds and out of casual inspection.
  2. Gaining Trust: The attacker built credibility over roughly two years by contributing legitimate fixes and features, eventually gaining commit access and co-maintainer status, which lowered scrutiny of the later release tarballs they produced and signed.
  3. IFUNC Hijacking: GNU IFUNC ("indirect function") is an ELF/glibc mechanism that lets a library pick which implementation of a function to bind at load time through a resolver function that the dynamic linker runs. liblzma already used it to select CRC routines. The backdoor replaced the crc32 and crc64 resolvers with code that ran while sshd was still being loaded, used that early execution to locate OpenSSL's RSA_public_decrypt in the sshd process, and redirected calls to it into the backdoor.

The backdoor shipped in XZ Utils versions 5.6.0 and 5.6.1. Because the full injection logic lived in the release tarballs rather than in the git tree, checking out the repository and diffing source files would not have revealed it.

Impact

sshd itself has no need for compression, so the backdoor depended on a distribution detail: Debian, Fedora, and several other distributions patch OpenSSH to call libsystemd's notification API, which links sshd (transitively) against liblzma. On those systems the backdoored library is mapped into the sshd process, which handles remote logins as root, and its hook sits directly in the RSA public-key authentication path.

While initial reports suggested this was an SSH authentication bypass, further analysis showed a more concerning capability: Remote Code Execution (RCE). The hooked RSA_public_decrypt inspects the RSA public key (certificate) that a connecting client presents during public-key authentication. If the key's modulus carries a payload signed with the attacker's Ed448 private key, the backdoor extracts the embedded command and runs it with system(), as root, before authentication completes; otherwise it falls through to the normal check and the login proceeds as usual. Only the holder of that private key can trigger it, so it is not a general bypass, but any system running the vulnerable package with an sshd that loads liblzma and is reachable over the network was fully exposed.

The Hidden Dangers of Using Open-Source Software

Supply-chain attacks are a severe and often overlooked issue, and open source can be a double-edged sword in that respect. This incident highlights a widespread problem with open-source software: the complexity and opacity of dependencies. A wide array of software systems and applications incorporate open-source libraries like liblzma, producing a large network of transitive dependencies that is hard to monitor and control. Here the vulnerable component was two links away from the service that exposed it, and the maintainers of neither OpenSSH nor systemd had chosen to depend on xz directly.

Bundling several third-party libraries into a single application adds to this complexity, as it obscures the full extent to which an application is exposed to newly discovered flaws. Consequently, it can be difficult to determine the scope of impacted systems following the disclosure of a vulnerability such as CVE-2024-3094. The longer it takes vendors to realize that a product contains an affected component, the longer systems remain exposed before patches are built and released; keeping an accurate inventory of transitive dependencies, such as a software bill of materials, is what shortens that window.

Looking Forward

The backdoored releases reached only rolling and development branches (among them Fedora Rawhide and Fedora 41 pre-release, Debian testing and unstable, openSUSE Tumbleweed, and Kali Linux); stable releases of the major distributions were still shipping 5.4.x or older and were not affected. Users of the affected branches should still update to the packages their distribution rebuilt without the backdoor, and administrators should scan their estate for the 5.6.0 and 5.6.1 versions and for sshd binaries that load liblzma.
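The two conditions described above (an affected xz version installed, and an sshd that pulls liblzma into its process through libsystemd) can be checked with a short script. The following is an added example written for this article, not code from the original page or from the XZ Utils or OpenSSH projects. It assumes a Linux host with `xz`, `ldd` and `sed` available and sshd at /usr/sbin/sshd (override with the SSHD_PATH environment variable); the function names and the report wording are this example's own.

```shell
#!/bin/sh
# Added example: host check for CVE-2024-3094 exposure. Not part of the
# original article or of the XZ Utils project. Assumes a Linux host with
# xz, ldd and sed installed; SSHD_PATH is an assumed default for the
# sshd location and can be overridden from the environment.

SSHD_PATH="${SSHD_PATH:-/usr/sbin/sshd}"

# Extract the version number from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". The second line of that output
# ("liblzma 5.6.1") is ignored.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) only for the two releases that carried the backdoor.
# A version match is necessary, not sufficient: some distributions kept
# the 5.6.1 version string while shipping a rebuilt package with the
# payload removed, so confirm with the package manager (see note below).
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# True if sshd pulls liblzma into its address space. The dependency is
# indirect (sshd -> libsystemd -> liblzma), so the fully resolved ldd
# output is needed; `readelf -d` would show only the direct NEEDED
# entries. ldd runs the dynamic loader on the target, so point it only
# at a binary you trust (the distribution's own sshd).
sshd_loads_liblzma() {
    [ -x "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Combine the two signals into a verdict line for a host report.
# Arguments: xz version string, "yes"/"no" for the liblzma-in-sshd signal.
classify_host() {
    if xz_version_affected "$1"; then
        if [ "$2" = yes ]; then
            echo "CRITICAL: backdoored xz $1 and sshd loads liblzma"
        else
            echo "WARNING: backdoored xz $1 installed; sshd does not load liblzma"
        fi
    else
        echo "OK: xz $1 not in the affected range"
    fi
}

# Live scan of the current host.
scan_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "OK: xz not installed"
        return 0
    fi
    ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
    if sshd_loads_liblzma "$SSHD_PATH"; then loaded=yes; else loaded=no; fi
    classify_host "${ver:-unknown}" "$loaded"
}

# Run the live scan only when invoked as `sh xz_check.sh scan`, so the
# functions can also be sourced into other tooling without touching
# the host.
case "${1:-}" in
    scan) scan_host ;;
esac
```

Run it as `sh xz_check.sh scan` on each host, or source it and feed `classify_host` from an inventory. A CRITICAL result means the host matched both conditions and should be treated as compromised until the package is verified: on rpm-based systems `rpm -V xz-libs` and on Debian-based systems `dpkg -V liblzma5` will report whether the installed library files differ from what the package manager shipped, which also catches the case where a distribution rebuilt 5.6.1 without the payload.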

The backdoor was caught early, by Andres Freund, a PostgreSQL developer who noticed that sshd logins on a Debian unstable system had become measurably slower and that valgrind was reporting errors in liblzma, and who traced the cause before the affected versions reached any stable release. The immediate threat was contained, but the implications are far-reaching. This incident may be one of the best-executed supply chain attacks described in the open, and it serves as a reminder that a patient attacker can target the trust relationships of open-source projects just as effectively as their code.