A Supply Chain Attack Targeting XZ Utils

The recent revelation of sophisticated malware embedded within the widely used compression software XZ Utils has sent shockwaves through the open-source community. This software, a fundamental component of all Linux distributions including Red Hat and Debian, had long been considered trustworthy, with its development overseen by contributors who volunteered their time. Unfortunately, this incident exposes the persistence of a threat actor who, over years of apparent contributions, gained the trust necessary to become a custodian of the software. The story underscores the often underappreciated efforts of the open-source community, whose thankless work forms the backbone of many commercial software products. Despite the inherent transparency of open-source code, which in theory allows thorough review and auditing, this event reveals a glaring gap in actual practice. The discovery of the malware came just in time to avert a major security breach involving SSH connections, marking one of the largest and most sophisticated supply-chain attacks to date, perpetrated by an insider with malicious intent.

Andres Freund, a Microsoft software engineer, stumbled upon this backdoor while conducting routine benchmarking on a Debian-based Linux system. He was debugging a 500ms delay in performance and noticed unusually high CPU usage attributed to XZ Utils during SSH processes, which prompted further investigation, according to this post. What he uncovered was alarming: XZ Utils had the capability to inject unauthorized code into Linux installations, enabling surveillance of users’ computers and execution of additional malicious scripts. Although the compromised versions of XZ Utils (5.6.0 and 5.6.1) had not made their way into stable Linux releases, they were present in the beta versions of Red Hat Fedora 40 and Fedora Rawhide, as well as in experimental Debian distributions.

The malicious code, cleverly obfuscated and equipped with anti-debugging and anti-reverse-engineering features, used a convoluted process during compilation to alter critical functions within the liblzma codebase. This tampering compromised the liblzma library, affecting OpenSSH on systems where it is integrated with system notification mechanisms that depend on liblzma, so the tampered library ends up loaded into the SSH daemon. Given that certain Linux distributions rely on this library for SSH functionality, they were potentially vulnerable to remote code execution. The vulnerability was designated CVE-2024-3094 and carries the highest possible CVSS score of 10. Ongoing research aims to uncover the full extent of the threat posed by this backdoor. Find more details on this here.
