(Urgent!) Potential Backdoor in a Compression Package used in Linux Distributions [CVE-2024-3094]

Dear Listeners,

A critical security vulnerability [*CVE-2024-3094*] has been discovered in
XZ Utils versions *XZ 5.6.0* (released Feb. 24) and *XZ 5.6.1* (released
March 9). This backdoor could potentially allow a malicious actor to
compromise sshd authentication, granting unauthorised access to the entire
system remotely. Andres Freund, a security researcher working as a
PostgreSQL developer at Microsoft, discovered the vulnerability and reported
it to Openwall on March 29, 2024.

XZ Utils is a FOSS software suite that provides tools for data
compression and decompression. It is commonly used due to its high
compression ratio and efficiency. It also contains the liblzma library,
which developers can integrate into their applications. XZ Utils is widely
used in FOSS, especially in many Linux distributions; hence the
vulnerability threatens the entire Linux ecosystem. As a result, Red Hat,
Inc. has assigned it a *CVSS score of 10*, the highest possible score for any
vulnerability. Specifically, the backdoor:

– Can allow an attacker to access the system from anywhere.
– Doesn’t require any privileges to exploit.
– Works silently without requiring user interaction.
– Can allow the attacker to change objects outside the affected
component.
– Can affect the confidentiality, integrity, and availability of the
entire system.

The open-source community and government agencies are monitoring the issue
and will provide advice as investigations continue. So far it has been
confirmed that the testing, unstable, and experimental distros *Fedora 41,
Fedora Rawhide, and Debian* contain the vulnerable XZ versions. It was also
included in the *Tumbleweed and MicroOS distros of openSUSE*. Users of these
Linux systems are advised to check the version of XZ Utils installed and
immediately update their systems using the advisory provided by their
distribution’s website.
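As an added example (not part of the original message), the check below flags a host whose installed XZ Utils or liblzma is one of the two releases named above. It assumes the version lines printed by `xz --version` have the form "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1"; the sample output in the block is constructed.

```shell
#!/bin/sh
# Added example: detect the backdoored XZ Utils releases (5.6.0, 5.6.1) on a host.
# Assumption: `xz --version` prints "xz (XZ Utils) X.Y.Z" then "liblzma X.Y.Z".

# Return 0 (true) when the version string is one of the affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the xz and liblzma version numbers (one per line) from `xz --version`
# output passed as an argument, so the parser can be tested on sample text.
xz_versions_from_output() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' \
        -e 's/^liblzma \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if any version found in the output is affected. liblzma is checked
# separately because the backdoor lives in the library, not only the xz binary.
xz_output_affected() {
    for v in $(xz_versions_from_output "$1"); do
        if xz_version_affected "$v"; then return 0; fi
    done
    return 1
}

# Run the check against the real binary on this host (exit code 2 = affected).
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"; return 0
    fi
    out=$(xz --version 2>/dev/null)
    if xz_output_affected "$out"; then
        echo "AFFECTED (CVE-2024-3094): $(xz_versions_from_output "$out" | tr '\n' ' ')"
        echo "Update XZ Utils via your distribution's advisory."
        return 2
    fi
    echo "OK: $(xz_versions_from_output "$out" | tr '\n' ' ')not an affected release"
    return 0
}

# Constructed sample output, as `xz --version` on an affected host would print it.
SAMPLE_AFFECTED="xz (XZ Utils) 5.6.1
liblzma 5.6.1"

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it with `sh check-xz.sh --check`; a non-zero exit of 2 means an affected release was found.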

Several artifacts of a stable release of *Arch Linux* (NOT used in
production systems) are also affected. These mirrors have been removed and
users are advised to update to the latest version. In addition, a technical
steering committee member for Homebrew confirmed that they downgraded from
the untrustworthy XZ 5.6.x versions. *Homebrew* is an open-source package
manager that *installs UNIX tools for macOS systems*. Further information
about *CVE-2024-3094* can be found on the following websites:

1. National Institute of Standards and Technology’s National
Vulnerability Database <nvd.nist.gov/vuln/detail/CVE-2024-3094>
2. The US Cybersecurity and Infrastructure Security Agency
<www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094>
3. Red Hat
<www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users>
4. Kali Linux <www.kali.org/blog/about-the-xz-backdoor/>
5. Openwall <www.openwall.com/lists/oss-security/2024/03/29/4>
6. Arch Linux
<archlinux.org/news/the-xz-package-has-been-backdoored/>
7. OpenSUSE <news.opensuse.org/2024/03/29/xz-backdoor/>
8. Tenable gives a summary of the affected systems
<www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils#:~:text=Bo%20Anderson%2C%20a%20member%20of,downgrades%20%E2%80%9Cas%20a%20precaution.%E2%80%9D>

*On a more interesting note*, I did some digging and here is what I have so
far: Andres <mastodon.social/@AndresFreundTec> is one of the
leading contributors to the Postgres community. He was testing a Debian
unstable release for possible portability problems with Postgres when he
noticed a series of coincidences including a 500ms latency on many failed
sshd processes using wrong usernames. He then discovered the liblzma
package was the one draining the CPU. He also recalled seeing an odd
complaint a few weeks before in automated testing of Postgres using a Linux
tool called Valgrind. Upon further investigation, Andres realised that the
XZ repository and the XZ tarballs had been backdoored.

What is concerning is that the compromise was not injected into released
Debian packages but was introduced by a community maintainer of the XZ
package through the source code uploaded to the GitHub repository. The
GitHub commits were performed over several weeks by the account ‘Jia Tan
<github.com/JiaT75>’, whose owner remains unknown. The account was
created in 2021 and made its first commit to the XZ repository on
2022/02/06. They made changes to XZ between 2022 and 2024, and the most
recent commit was on 2024/03/09.

Taken alone, these commits may not look suspicious; however, Jia Tan’s changes
are what caused the Valgrind errors in configurations that didn’t meet the
updated code’s expectations. Several conversations emerged in different
open-source communities about what could be causing the Valgrind errors and
possible solutions. The persona Jia Tan participated in these conversations
and claimed that the errors were due to versions of XZ earlier than 5.6.x.
They then contacted Fedora to push for an update of XZ to the 5.6.x versions
in stable distributions of Linux and continued to push for this update in
other open-source communities. There are also messages from other anonymous
accounts pushing for the original XZ maintainer to add a new maintainer
right after Jia Tan started helping with the project.

This high-interest vulnerability will spark conversations about the
integrity of Free and Open Source Software, especially for critical
libraries like XZ. I am keen to follow the discussion and will compile a
timeline of the attack to update interested listeners.

Regards,

Jacinta Wothaya