
Backdoor Vulnerability Discovered in Popular Linux Tool, Exploiting Encrypted SSH Connections

The malicious code planted in xz Utils has been circulating for over a month.

Researchers discovered a malicious backdoor in a compression tool, which infiltrated widely utilized Linux distributions, including those offered by Red Hat and Debian.

According to developer Andres Freund, who discovered it, the malicious code was introduced in versions 5.6.0 and 5.6.1 of the compression utility xz Utils. While there have been no confirmed instances of these versions being integrated into official production releases of major Linux distributions, both Red Hat and Debian disclosed that recent beta releases, such as Fedora Rawhide and the Debian testing, unstable, and experimental distributions, included at least one of the compromised versions. A stable release of Arch Linux is also affected, although that distribution is not employed in production environments.

Will Dormann, a senior vulnerability analyst at security firm Analygence, emphasized in an online interview that since the backdoor was identified before the malicious versions of xz Utils were integrated into production versions of Linux, it has not impacted real-world users. However, Dormann warned that this fortunate discovery was due to the sloppy actions of bad actors. Had the backdoor remained undetected, the consequences could have been catastrophic globally.

Multiple individuals have reported that various applications bundled with the Homebrew package manager for macOS depend on the backdoored 5.6.1 version of xz Utils. Homebrew has reverted the utility to version 5.4.6. Further details are provided by the maintainers here.

Targeting SSHD

The initial indications of the backdoor emerged in a February 23 update, according to Red Hat officials in an email. An update the following day included a malicious installation script that inserted itself into functions used by SSHD, the essential binary that makes SSH function. The malicious code is present only in the archived releases, known as tarballs, that are published upstream. The Git code available in repositories remains unaffected, although it contains second-stage artifacts that enable the injection at build time. If the obfuscated code from February 23 is present, the artifacts in the Git version allow the backdoor to operate.

The malicious changes were submitted by JiaT75, who is one of the two principal developers of xz Utils and has made significant contributions to the project over the years.

“Considering the activity spanning several weeks, the committer appears to be either directly involved or their system has been severely compromised,” Freund expressed. “Unfortunately, the latter scenario seems less probable, given their engagement in discussions across various lists regarding the recent ‘fixes’ provided.” Links to these updates and fixes are available here, here, here, and here.

Last Thursday, an individual using the developer’s name posted on a developer site for Ubuntu, advocating for the integration of the compromised version 5.6.1 into production releases. The reasoning behind this request was that it addressed bugs causing malfunctions in Valgrind, a well-known tool.

Writing from an account created on the same day, the individual cautioned, “This could disrupt build scripts and test pipelines reliant on specific output from Valgrind for successful completion.”

On Friday, one of the Fedora maintainers mentioned that the same developer had approached them in recent weeks, urging the incorporation of one of the compromised utility versions into Fedora 40, a beta release. 

The Ubuntu maintainer disclosed, “We collaborated with him to resolve the Valgrind issue (without knowing at the time that it was caused by the backdoor he had introduced). He has been actively involved in the xz project for two years, contributing various binary test files, and given this level of sophistication, we maintain suspicion even towards older versions of xz until their integrity is validated.”

Maintainers of xz Utils did not promptly reply to emails requesting clarification.

Researchers noted that the malicious versions intentionally interfere with the authentication performed by SSH, a commonly used protocol for connecting remotely to systems. SSH employs robust encryption to ensure that only authorized individuals access remote systems. The backdoor is designed to enable unauthorized access to the entire system by circumventing these authentication mechanisms, and it operates by injecting code at a critical stage of the login process.

“I haven’t conducted a detailed analysis of the specific criteria checked by the injected code to enable unauthorized access,” Freund remarked. “Considering it operates in a pre-authentication context, it’s probable that it facilitates some form of access or remote code execution.”

Researchers who dedicated the weekend to reverse engineering the updates have since determined that the backdoor injects malicious code during SSH operations rather than bypassing authentication.

In certain instances, the backdoor has failed to operate as intended. For instance, the build environment on Fedora 40 presents incompatibilities that prevent the injection from working correctly. As a result, Fedora 40 has reverted to the 5.4.x versions of xz Utils.

xz Utils is available on most, if not all, Linux distributions, although it may not be pre-installed on every one of them. Linux users are advised to promptly consult their distributor to determine whether their system is affected. Freund has supplied a script for detecting whether an SSH installation is vulnerable.
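A defender-side check in the spirit of that advice, added here as an example; it is not Freund's script or anything from the xz project. It assumes a Linux host with POSIX sh, `xz` and `ldd`, and only reads the system: it flags the two affected releases named above and reports whether the local sshd is linked against liblzma, the library through which the backdoor reaches the SSH daemon.

```shell
#!/bin/sh
# Added example (not Freund's script): read-only check for xz Utils
# 5.6.0/5.6.1 and for an sshd that is dynamically linked against liblzma.
# Assumes a Linux host with POSIX sh, xz and ldd available.

# Return 0 when a version banner (the text printed by `xz --version`) names
# a backdoored release, 1 otherwise. Every line is reduced to its first
# x.y.z number, so both the "xz" and the "liblzma" line are checked.
xz_version_is_backdoored() {
    printf '%s\n' "$1" \
      | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
      | grep -qx -e '5\.6\.0' -e '5\.6\.1'
}

# Return 0 when the sshd binary ($1, else the one on PATH, else
# /usr/sbin/sshd) links liblzma, 1 when it does not (a static or non-ELF
# binary also lands here), and 2 when no sshd or ldd can be found.
sshd_links_liblzma() {
    if [ -n "$1" ]; then
        sshd_bin=$1
    else
        sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    fi
    [ -x "$sshd_bin" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$sshd_bin" 2>/dev/null | grep -q 'liblzma'
}

# Print a short report; return 1 when a backdoored release is installed.
xz_backdoor_report() {
    status=0
    if xz_version_is_backdoored "$(xz --version 2>/dev/null)"; then
        echo "WARNING: installed xz/liblzma is 5.6.0 or 5.6.1; downgrade to 5.4.x"
        status=1
    else
        echo "ok: xz is not 5.6.0/5.6.1 (or xz is not installed)"
    fi
    rc=0
    sshd_links_liblzma || rc=$?
    case $rc in
        0) [ "$status" -eq 1 ] && echo "WARNING: sshd is linked against that liblzma" \
                                || echo "note: sshd links liblzma; exposure depends on its version" ;;
        1) echo "ok: sshd is not linked against liblzma" ;;
        *) echo "skip: sshd or ldd not found on this host" ;;
    esac
    return $status
}

xz_backdoor_report
```

Run the file directly on each host; a nonzero exit status means the installed xz/liblzma is one of the two releases this article names.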
