XZ Backdoor, widespread Linux utility found compromised

A backdoor was discovered hidden in a common Linux utility, and it could have infected millions of devices. So let’s talk about the backdoor found in the XZ compression utility. Here’s what we know about the XZ Utils backdoor that almost infected the world. That might seem like an exaggeration but by the time we’re done talking about this, you’ll see why that’s an accurate way to put it. This backdoor could have provided attackers with a powerful foothold on millions of devices.

XZ Utils is practically ubiquitous in Linux and it provides lossless data compression. XZ Utils provides critical functions for compressing and decompressing data during all sorts of operations. XZ also supports the legacy .lzma format, making this component even more crucial.

Andres Freund (on-drace froind), who is a developer and engineer working at Microsoft was troubleshooting some performance problems his Debian system was experiencing with SSH during some PostgreSQL testing. He noticed that SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.

Unlike the Sudo vulnerability that was found, this backdoor was created on purpose by a bad actor. The backdoor used a sophisticated system of hiding the backdoor within a proverbial Russian doll of scripts and binaries. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Essentially it made it possible for anyone in possession of a predetermined encryption key to put any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. While no one has actually seen anything uploaded, in theory, the code could allow for just about anything.

The attack appears to be the result of a meticulously planned social engineering campaign. The attacker, using the alias JiaT75 started this process in 2022 by posing as a concerned user and leveraging the support of other seemingly new participants who were even using bullying the dev by claiming they weren’t doing a good job and even should be ashamed, the attacker was able to eventually become a maintainer.

With this access, JiaT75 (now using the name Jia Tan) introduced the backdoor in xz Utils versions 5.6.0 and 5.6.1. The backdoor almost reached major Linux distributions like Debian and Red Hat while it did reach some rolling release distros like Kali Linux and even Arch Linux though Arch implements systemd differently so users would likely not be affected but still of course they should update.

  • Andres was not looking for security issues, he just accidentally stumbled upon this during his testing for PostgreSQL.
  • bullying a developer who was close to burnout
  • one person who was maintaining a critical project used by basically everyone

Researchers are still piecing together the details of this attempted attack and we will provide links to details for how it works if you are interested to learn about that.

Share this post