XZ Utils Backdoor Vulnerability: A Cybersecurity Near-Miss

How a Linux open source tool almost became weaponized

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

XZ Utils software supply chain attack highlights open-source vulnerabilities

In a recent supply chain attack, a malicious actor snuck a backdoor into widely used open-source software called XZ Utils. This software is a compression tool used in many Linux systems, including potentially critical servers. The vulnerable tool was fortunately only included in an “experimental” branch of the software. However, it is still so widely distributed that it warranted an urgent advisory alert from Red Hat and CISA.

The vulnerable versions of XZ Utils are 5.6.0 and 5.6.1, according to a CISA announcement. The vulnerability has been given an official designation of CVE-2024-3094.

The attacker, known as Jia Tan (aka Jia Cheong Tan or JiaT75), could have used this backdoor to access those servers and run any code they wanted.

The backdoor would permit remote code execution on any Linux distribution with the tool deployed.

It’s believed that Jia Tan, the attacker, may have carefully planned this attack for a year or more. The attacker’s goal may have been to wait until the vulnerable XZ Utils tool was merged with Debian or Red Hat updates, speculates Ars Technica.

"This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library," software and cryptography engineer Filippo Valsorda said.

What versions of XZ Utils are affected

The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package. The Git distribution lacks the M4 macro that triggers the build of the malicious code.

Red Hat Fedora Linux 40 and Fedora Rawhide Users:

Red Hat announcement: “We have determined that Fedora Linux 40 beta does contain two affected versions of xz libraries - xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm. At this time, Fedora 40 Linux does not appear to be affected by the actual malware exploit, but we encourage all Fedora 40 Linux beta users to revert to 5.4.x versions.”

Red Hat also confirmed that “no versions of Red Hat Enterprise Linux (RHEL) are affected by this CVE.”
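Two defender-side checks that follow from the version list above and from the point that the trigger lived only in the release tarball, not in Git. This is an added example written for this issue, not code from the advisories or the xz project; the demo directories and the extra file name in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory or the xz project.

# 1. Is a given xz/liblzma version one of the two backdoored releases?
#    The version numbers come from the CISA/Red Hat text above.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;   # backdoored release
        *)           return 1 ;;   # not one of the two affected versions
    esac
}

# Report what is installed on this host. `xz --version` prints
# "xz (XZ Utils) X.Y.Z" on its first line, so take the last field.
check_installed_xz() {
    ver=$(xz --version 2>/dev/null | head -n 1 | awk '{print $NF}')
    [ -n "$ver" ] || { echo "xz not found on this host"; return 2; }
    if xz_version_affected "$ver"; then
        echo "xz $ver: AFFECTED by CVE-2024-3094, revert to a 5.4.x release"
        return 0
    fi
    echo "xz $ver: not one of the backdoored releases"
    return 1
}

# 2. The malicious M4 macro shipped only in the download package. List regular
#    files present in an unpacked release tarball but absent from a Git checkout
#    of the same tag; each one deserves a manual look before building.
files_only_in_tarball() {
    a=$(mktemp); b=$(mktemp)
    ( cd "$1" && find . -type f | LC_ALL=C sort ) > "$a"
    ( cd "$2" && find . -type f -not -path './.git/*' | LC_ALL=C sort ) > "$b"
    comm -23 "$a" "$b"        # lines only in the tarball listing
    rm -f "$a" "$b"
}

# Constructed demo: a fake "tarball" carrying one m4 file that the fake "git"
# checkout lacks. The file name is illustrative, not the real macro's name.
demo_only_in_tarball() {
    root=$(mktemp -d)
    mkdir -p "$root/tarball/m4" "$root/git/m4" "$root/git/.git"
    echo 'dnl shared macro' > "$root/tarball/m4/common.m4"
    echo 'dnl shared macro' > "$root/git/m4/common.m4"
    echo 'dnl only in tarball' > "$root/tarball/m4/extra-only-in-tarball.m4"
    echo 'ref: refs/heads/master' > "$root/git/.git/HEAD"
    files_only_in_tarball "$root/tarball" "$root/git"   # prints the extra file
    rm -rf "$root"
}
```

Source the file and run `check_installed_xz` on a host, or `files_only_in_tarball <unpacked-tarball> <git-checkout>` on a real release; `demo_only_in_tarball` shows the expected output shape without any downloads.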

“A cybersecurity near-miss”

Andres Freund, a German software developer who works for Microsoft, is credited with discovering the vulnerability purely by accident. Freund noticed anomalous behavior when running performance tests and realized it was isolated to the open-source tool.

Freund subsequently discovered that the tool had been sabotaged by one of its developers.

The damage the infected XZ Utils tool could have caused if globally deployed to all production Debian or Red Hat instances is immeasurable. It could quickly have become a weaponized vulnerability like the SolarWinds attack in 2020.

Satnam Narang, a security researcher with Tenable, characterized the potential cybersecurity disaster as a near-miss. “We really dodged a bullet. It is one of those moments where we have to wipe our brow and say, ‘We were really lucky with this one’.”

This incident highlights the vulnerability of open-source software that relies on a single maintainer. XZ Utils had been maintained by one person, Jia Tan, since June 2022. Reuters reports that the previous lone maintainer, Lasse Collin, had to step down after managing the code in his free time became overwhelming. This allowed Tan to merge his malicious code into the tool gradually.

The project’s logs show that Tan’s code had been merged into production releases of XZ Utils by 2023, indicating that Tan had earned enough trust to lead development of the tool.

Experts say this is a "people problem" more than a technology problem because the vulnerability stemmed from human deception rather than a software flaw.

The discovery by Freund is remarkable, as he admits it “really required a lot of coincidences.”

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our favorite blogs and journalists:

Cybersecurity Podcasts

Do you want to learn about cybersecurity concepts, research, or learn new skills? We’ll share notable new podcasts here.

A lot of great new podcasts have been dropped since our last issue. Topics covering Israeli military cyber units and post-quantum cryptography cyber concerns are a listen away.

Until next time…

Rob Waters
The Breach Report + Cybersecurity Careers Blog
