
Researchers discover malicious backdoor in a utility shipped by widely used Linux distributions, including Red Hat and Debian



Backdoor Discovered in Widely Used Linux Utility

Backdoor discovered in a string of binary code (Getty Images)

Introduction

Researchers have recently uncovered a malicious backdoor in a popular compression tool that has been incorporated into various Linux distributions, including those provided by Red Hat and Debian. This alarming discovery has raised concerns regarding potential security breaches and unauthorized access on affected systems.

Malicious Code in Linux Distributions

The compression utility, known as xz Utils, carries the malicious code in versions 5.6.0 and 5.6.1, as reported by developer Andres Freund. Although it has been confirmed that major Linux distributions have not incorporated these versions into their production releases, the beta releases of Red Hat’s Fedora 40 and Fedora Rawhide, as well as Debian’s testing, unstable, and experimental distributions, have been affected. Additionally, the stable release of Arch Linux has also been found to be impacted. However, it is important to note that Arch Linux is not commonly used in production systems.

In terms of the potential impact, security analyst Will Dormann from security firm ANALYGENCE clarified that the backdoor isn’t currently affecting users as it was discovered early. Otherwise, the consequences could have been catastrophic.

Backdoor’s Impact on HomeBrew for macOS

To our surprise, it has come to light that a number of apps included in the HomeBrew package manager for macOS have been relying on the backdoored 5.6.1 version of xz Utils. These affected apps include aom, cairo, ffmpeg, gcc, glib, harfbuzz, jpeg-xl, leptonica, libarchive, libtiff, little-cms2, numpy, openblas, openjpeg, openvino, pango, [email protected], [email protected], tesseract, webp, yt-dlp, and zstd. However, HomeBrew has promptly rectified the issue by rolling back the utility to version 5.4.6.

Breaking SSH Authentication

The earliest indications of the backdoor were detected in a February 23 update, which surreptitiously added obfuscated code. Subsequent updates included a malicious install script that infiltrated the functions used by sshd, the binary essential for SSH functionality. It is important to note that the malicious code resides solely in the archived tarball releases; the Git code available in the repositories remains unaffected. However, the Git code does contain second-stage artifacts that permit the injection of the backdoor at build time. If the code added on February 23 is present, the artifacts in the Git version enable the backdoor to operate.

Identifying the Culprit

The malicious changes were attributed to a developer named JiaT75, one of the primary contributors to the xz Utils project. The evaluation of activity that transpired over several weeks leads observers to conclude that the developer was either directly involved in the malicious acts or that their system was severely compromised. The compromise explanation is considered the less likely of the two, because the developer participated in discussions regarding the ‘fixes’ present in recent updates, as highlighted in several public threads.

Suspicious Behavior

It has come to our attention that an individual using the developer’s name took to the developer site for Ubuntu to request the inclusion of the backdoored version 5.6.1 in production versions. The false claim made was that the version contained fixes for compatibility issues causing Valgrind, a widely used debugging and profiling tool, to malfunction. That the requesting user account was created by the attacker further raises suspicions and makes the malicious intent behind the request clear.

The Ubuntu maintainer further revealed that the same developer had approached their team in recent weeks with a similar request for Fedora 40, a beta release of the system. Their cooperation with the developer to address a Valgrind-related problem had inadvertently ensured the propagation of the backdoor. This situation underlines the sophistication and determination of the individual behind the malicious code.

Exploiting SSH Authentication

The malicious versions of xz Utils have deliberately targeted the authentication process implemented by SSH, a commonly utilized protocol for remote system connections. SSH provides robust encryption measures to restrict access to authorized entities only. Intruders exploiting the backdoor aim to compromise the authentication mechanisms, gaining unauthorized access to the entire system. Injection of the code occurs during a critical phase of the login process, facilitating potential remote code execution or unauthorized system entry.

In certain instances, the backdoor has demonstrated an inability to function as intended. For instance, compatibility issues within the build environment of Fedora 40 prevent the backdoor from successfully injecting the code. Fedora 40 has, therefore, reverted to using the 5.4.x versions of xz Utils as a precautionary measure.

Take Immediate Action

It is imperative for all Linux users to verify whether their systems are affected, as xz Utils is shipped by most distributions. Users should promptly check with their respective distributors for updated packages and guidance. Security analyst Andres Freund has provided a script capable of detecting whether an SSH system is vulnerable.
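As an added illustration of the kind of check described above (this is not Andres Freund’s script and not part of the original article), the following shell functions flag the backdoored xz release numbers named in this article and report whether the local sshd links liblzma, the library the backdoor was injected into. It relies only on the version string, so it would not catch a build whose version number was changed; treat a warning as a reason to consult your distribution’s advisory, not as proof of compromise.

```shell
#!/bin/sh
# Added example, not the page's or the xz project's own code.
# Flags xz 5.6.0 / 5.6.1 (the releases named in the article) and reports
# whether sshd on this host links liblzma at all.

# Return 0 if the given version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". The output is passed in as a string
# so the parsing can be exercised without running xz.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Inspect the running host: installed xz version and sshd's liblzma linkage.
check_system() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "xz not found in PATH"
    elif xz_version_affected "$ver"; then
        echo "WARNING: xz $ver installed (one of the backdoored releases)"
    else
        echo "xz $ver installed (not one of the affected releases)"
    fi
    # /usr/sbin/sshd is an assumed fallback path for hosts where sshd is not in PATH.
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
        echo "sshd at $sshd_path links liblzma; confirm the liblzma version with your distribution"
    else
        echo "sshd does not link liblzma (or sshd/ldd not available)"
    fi
}

# Uncomment to run against the current host:
# check_system
```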

