SUPPLY CHAIN ATTACK

Backdoor found in widely used Linux utility targets encrypted SSH connections

Malicious code planted in xz Utils has been circulating for more than a month.

Dan Goodin – Mar 29, 2024 6:50 PM | 237

Internet Backdoor in a string of binary code in a shape of an eye. Credit: Getty Images

Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.

The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions—specifically, in Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn't used in production systems.

Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it's not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that's only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

Several people, including two Ars readers, reported that the multiple apps included in the HomeBrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. HomeBrew has now rolled back the utility to version 5.4.6. Maintainers have more details available here.

Ars Video

Targeting sshd

The first signs of the backdoor were introduced in a February 23 update that added obfuscated code, officials from Red Hat said in an email. An update the following day included a malicious install script that injected itself into functions used by sshd, the binary file that makes SSH work. The malicious code has resided only in the archived releases—known as tarballs—which are released upstream. So-called GIT code available in repositories aren’t affected, although they do contain second-stage artifacts allowing the injection during the build time. In the event the obfuscated code introduced on February 23 is present, the artifacts in the GIT version allow the backdoor to operate.

The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here.

On Thursday, someone using the developer's name took to a developer site for Ubuntu to ask that the backdoored version 5.6.1 be incorporated into production versions because it fixed bugs that caused a tool known as Valgrind to malfunction.

“This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass,” the person warned, from an account that was created the same day.

One of maintainers for Fedora said Friday that the same developer approached them in recent weeks to ask that Fedora 40, a beta release, incorporate one of the backdoored utility versions.

“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added),” the Ubuntu maintainer said. "He has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise."

Maintainers for xz Utils didn’t immediately respond to emails asking questions.

The malicious versions, researchers said, intentionally interfere with authentication performed by SSH, a commonly used protocol for connecting remotely to systems. SSH provides robust encryption to ensure that only authorized parties connect to a remote system. The backdoor is designed to allow a malicious actor to break the authentication and, from there, gain unauthorized access to the entire system. The backdoor works by injecting code during a key phase of the login process.

“I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access,” Freund wrote. “Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution.”

[Update: Researchers who spent the weekend reverse engineering the updates say that the backdoor injected malicious code during SSH operations, rather than bypassed authenticatiion.]

In some cases, the backdoor has been unable to work as intended. The build environment on Fedora 40, for example, contains incompatibilities that prevent the injection from correctly occurring. Fedora 40 has now reverted to the 5.4.x versions of xz Utils.

Xz Utils is available for most if not all Linux distributions, but not all of them include it by default. Anyone using Linux should check with their distributor immediately to determine if their system is affected. Freund provided a script for detecting if an SSH system is vulnerable.

Listing image: Getty Images

Dan Goodin Senior Security Editor

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.

237 Comments

Staff Picks

adamsc

Oh, so having one init to rule them all and take over every function of your system was a great idea right?

Please take the systemd trolling back to Reddit. The only connection here is that they call sd_notify to report when the process is healthy so the systemd status is accurate and can be used to trigger other things:

https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/systemd-readiness.patch
… and to support the socketd activation mode where sshd does not need elevated permissions so it can listen to a privileged port:

https://salsa.debian.org/ssh-team/o...ebian/patches/systemd-socket-activation.patch
Both of those are reasonable features, one of which is a security improvement, and all your trolling is doing is distracting from a carefully premeditated attack which could have been carried out against almost anything. The reason they picked xz is no doubt because it's popular and widely used. If that didn't exist, they could have picked one of the 40-odd other packages it depends on or found something else.

March 29, 2024 at 8:25 pm

While this is particularly pernicious in open source since anybody can see the code, who contributed, etc., I don't believe it would be difficult to do this with corporate code.

With a little social engineering you could figure out who works on what bits of Windows and/or OSX.

With the right convincing said developer could sneak code into those projects. Particularly if they're messing with macros, changing flags to valgrind or its equivalent, etc.

Yeah, my point wasn't that closed source is better but simply that open source projects are exposed because there are many projects which are widely used, accept contributions from anyone on the internet, but have only a handful of maintainers. Microsoft doesn't accept pull requests for Windows on GitHub but if they did, they'd also have the budget to hire people whose full-time job would be to review things.

As a long-time open source contributor, this trend has been fairly sad because so much of the internet used to run on a community trust model that frankly isn't sustainable. Most of the ways we could combat this are going to directly impact one of the things I used to like the most: people are going to rely more on reputation, which means someone with a contribution from, say, @google.com is going to get their stuff merged faster than someone at @Gmail.com, which I don't like even if I completely understand why that will happen.

March 29, 2024 at 8:31 pm

GolbatsEverywhere

This might have been the worst Linux backdoor in history except that it was caught so soon. An SSH authentication backdoor is surely worse than the Debian weak keys incident and also worse than Heartbleed, the two most notorious Linux security incidents that I can think of. Probably this would have been abused to hack most if not all of the Fortune 500, except Mr. Freund decided to investigate some small performance issue that anybody else would have dismissed as unimportant. We are spared only due to sheer dumb luck. This guy has probably just averted at least billions of dollars worth of damages. Cannot emphasize enough how grateful we should be to him right now.

But who knows how many other Linux packages are backdoored by other malicious upstream software developers. If it can be done to one project, it can be done to others just the same.

P.S. Address sanitizer really does need to be disabled when working with ifuncs, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110442. Maybe valgrind has a similar bug? (Not sure; that's pure speculation.) That could explain why the other developers were not more suspicious of the malicious commits that hid the problems.

March 29, 2024 at 11:25 pm