The ‘xz’ Back Door

Dan Goodin, writing for Ars Technica:

The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions — specifically, in Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn’t used in production systems. [...]

Several people, including two Ars readers, reported that the multiple apps included in the HomeBrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. HomeBrew has now rolled back the utility to version 5.4.6. Maintainers have more details available here.

There are several notable things about this hack. One is that it was years in the making: “Jia Tan”, the developer account that added the back door, had been contributing legitimate patches to the xz project for years before the malicious releases landed. Another is that it was very subtle: the ultimate goal was a back door in OpenSSH, but the attacker(s) put their code in a compression library (liblzma) that is a dependency of libsystemd, which is itself only a dependency of OpenSSH’s sshd on distributions that patch sshd for systemd notification support. Yet another is that it seems nearly miraculous that it was discovered: Andres Freund, the Microsoft engineer who uncovered it, only became suspicious when he noticed that his SSH logins initiated from the command line went from taking about 0.2 seconds to 0.7 seconds, with sshd burning CPU for that extra half-second. It pays to be picky sometimes!
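The dependency chain above is also the practical check to run on a host. The script below is an added example, not code from the original post, from Goodin’s article or from the xz project: it flags the two known back-doored xz Utils releases and reports whether the local sshd binary links liblzma at all. It assumes a POSIX shell, `xz --version` output of the form “xz (XZ Utils) 5.6.1”, and an `ldd` command, so the sshd part applies to Linux hosts only.

```shell
#!/bin/sh
# Added example (not from the original post or the xz project): does this host
# carry a back-doored xz Utils release, and would sshd even load liblzma?
# Assumes POSIX sh, "xz (XZ Utils) <version>" as the first line of
# `xz --version`, and `ldd` (Linux). Version strings are the only ground
# truth here; the back door additionally required a specific build
# (x86-64 glibc .deb/.rpm builds of 5.6.0/5.6.1), so a hit means "investigate",
# not "confirmed exploited".

# Return 0 when the given version string names a known back-doored release.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, e.g.
# "xz (XZ Utils) 5.6.1\nliblzma 5.6.1" -> "5.6.1".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when an `ldd` listing shows liblzma among the loaded libraries.
# Note: a library pulled in lazily with dlopen() would not appear here, so a
# negative result is not proof that liblzma can never be loaded.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run both checks against the local host and print a short verdict.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if is_backdoored_xz_version "$ver"; then
            echo "xz $ver: known back-doored release, replace it now"
        else
            echo "xz $ver: not one of the known back-doored releases"
        fi
    else
        echo "xz: not installed"
    fi

    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if ldd_links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
            echo "$sshd_bin links liblzma (typically via libsystemd on patched distros)"
        else
            echo "$sshd_bin does not link liblzma"
        fi
    else
        echo "sshd: not found or ldd unavailable, skipping link check"
    fi
}

check_host
```

Both findings matter independently: a host can run sshd that links liblzma with a clean xz version (nothing to do), or carry xz 5.6.1 without sshd linking liblzma (still replace it, since the compromised library is loaded by other programs too). Only the combination matched the attacker’s target.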

Question 1: How do we keep this from happening again?

Question 2: How do we know similar back doors haven’t been successfully put in place already?

More from Goodin here, including a good overview diagram.

Evan Boehs: “Everything I Know About the XZ Backdoor”.

Friday, 5 April 2024