“The sophisticated nature of this attack and the use of highly future-proof crypto algorithms (Ed448 vs the more standard Ed25519) led many to believe that the attack may be a nation-state level cyberattack,” researchers from security firm JFrog noted in an analysis.
Who is affected by the XZ Utils backdoor?
The backdoor was shipped in the release tarballs of xz-utils versions 5.6.0 and 5.6.1 (the malicious build script was never in the public git repository), and its build-time injection only triggers when liblzma is built for x86-64 Linux as part of a .deb or .rpm package. The distributions affected are therefore the ones that packaged those releases: Fedora 40 beta and Fedora Rawhide (the development branch that will become Fedora 41); Debian testing, unstable (sid) and experimental; Alpine Edge (active development); openSUSE Tumbleweed; and Kali Linux and Arch Linux, which follow a rolling release model in which non-security updates to applications and packages ship continuously as they become available rather than being bundled into planned major OS upgrades. Arch Linux packaged the backdoored tarball but its sshd is not linked against liblzma, so the SSH code path the backdoor targets is not present there; Arch nevertheless advised upgrading. Long-term stable releases such as Debian stable, Red Hat Enterprise Linux and Fedora 39 and earlier ship older xz versions and were not affected.
Users should refer to the guidance put out by their Linux distribution maintainers in their respective advisories. In some cases, it might be recommended to completely reinstall the operating system because it’s hard to know if the backdoor was actively exploited or whether malicious commands were executed on the system as a result and what those commands did.
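A quick triage for the two questions above (is the installed xz one of the backdoored releases, and does this host's sshd load liblzma at all), written here as an added example; it is not code from the original article or from the xz project. It assumes `xz --version` prints the version as the last field of each output line, that `ldd` is available, and that sshd is on PATH or at /usr/sbin/sshd. It does not look for the backdoor's bytes, so a result of "not 5.6.0/5.6.1" is a version check, not a clean bill of health for a host that may already have been reached.

```shell
#!/bin/sh
# Added triage script (not from the article or the xz project).
# Two checks: (1) is the installed xz/liblzma one of the backdoored
# releases 5.6.0 / 5.6.1; (2) does sshd resolve liblzma at load time,
# which is the path (sshd -> libsystemd -> liblzma) the backdoor relied on.

# Return 0 when any line of an `xz --version` output ends in 5.6.0 or 5.6.1.
# Both the "xz (XZ Utils) X.Y.Z" and the "liblzma X.Y.Z" lines are checked,
# because the binary and the library can come from different packages.
is_affected_version() {
    printf '%s\n' "$1" | grep -Eq ' 5\.6\.[01]$'
}

# Return 0 when an ldd listing mentions liblzma.  ldd prints transitively
# loaded libraries, which is why this works even though sshd itself only
# names libsystemd, not liblzma, among its NEEDED entries.
ldd_lists_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run ldd against the local sshd (assumed on PATH or in /usr/sbin).
# Returns 2 when the check cannot be made (no sshd or no ldd).
# Caveat: ldd may execute the loader of the binary it inspects, so only
# point it at a binary you already trust, such as the distribution's sshd.
sshd_links_liblzma() {
    bin=${1:-$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)}
    [ -x "$bin" ] || { echo "sshd not found at $bin" >&2; return 2; }
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available" >&2; return 2; }
    ldd_lists_liblzma "$(ldd "$bin" 2>/dev/null)"
}

# Run both checks against the local host and print a verdict per check.
triage() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null)
        first=$(printf '%s\n' "$ver" | head -n 1)
        if is_affected_version "$ver"; then
            echo "xz: AFFECTED release installed ($first)"
        else
            echo "xz: not 5.6.0/5.6.1 ($first)"
        fi
    else
        echo "xz: not installed"
    fi

    sshd_links_liblzma
    rc=$?
    case $rc in
        0) echo "sshd: loads liblzma (the targeted code path is present)" ;;
        2) echo "sshd: could not be checked on this host" ;;
        *) echo "sshd: does not load liblzma" ;;
    esac
}

triage
```

On a Debian or Fedora host where both checks come back positive, the distribution advisory, not this script, decides the next step; as the article notes, some vendors recommend a full reinstall because a successful use of the backdoor leaves no reliable local trace.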
How was the backdoor added?
XZ-Utils dates back to 2009 and was created by a developer named Lasse Collin who is known as Larhzu on GitHub. He also served as the sole maintainer of the project until around 2023 when another developer who identified as Jia Tan (JiaT75) received commit permissions and was added as a second maintainer. It is Jia Tan’s account that introduced the malicious code and signed the backdoored tarballs for versions 5.6.0 and 5.6.1.
While there’s a theoretical possibility that Jia Tan’s account was compromised, mounting evidence suggests that it’s more likely this is a fake identity and part of a well-planned and executed years-long software supply chain campaign.
The JiaT75 account was created on GitHub in 2021 and started making contributions to multiple projects; those submissions are now being scrutinized and, in retrospect, several look suspicious. For example, a patch he submitted to the libarchive repository in 2021 replaced a call to safe_fprintf() with plain fprintf() when printing a warning message. libarchive's safe_fprintf() escapes non-printable bytes so that a crafted filename cannot inject terminal control sequences into the program's output; the change removed that protection. The issue is currently being investigated.
In February 2022, JiaT75 submitted a patch to XZ-Utils which received comments from never-before-seen accounts complaining that XZ-Utils is not maintained well enough and could use more developers. These could have been sockpuppet accounts created for the purpose of legitimizing Jia’s contributions and pressuring Collin into giving him commit rights.
Groundwork for backdoor was laid in early 2023
Starting in January 2023, Jia Tan became more involved in the XZ-Utils project and over the course of the year made various contributions, some of which seem to have laid the groundwork for the backdoor and others of which appear aimed at building trust. Eventually, he received direct commit permissions and took over the management of parts of the project.
He also made a pull request to OSS-Fuzz, a Google-run service that continuously fuzz-tests XZ Utils and many other open-source projects, to disable fuzzing of xz's ifunc code. ifunc (GNU indirect functions) lets a library choose an implementation of a function, such as a CRC routine, at load time through a resolver that the dynamic linker calls; xz had gained ifunc support in 2023, and the backdoor later hijacked exactly that resolver to run while liblzma was being loaded. The stated reason for the change was incompatibility with the sanitizer builds used in fuzzing, but in hindsight it is widely read as a way to keep OSS-Fuzz from detecting malicious code that would later use ifunc.
The actual code that makes up this backdoor was added by Jia over the course of several days in February this year, culminating with the release of the backdoored version 5.6.0 on Feb 24th. Then he submitted the new version for inclusion in various Linux distributions.
In an update on his personal website following this incident, Collin wrote: “Only I have had access to the main tukaani.org website, git.tukaani.org repositories, and related files. Jia Tan only had access to things hosted on GitHub, including xz.tukaani.org subdomain (and only that subdomain).”
Based on the community’s findings so far, this appears to be a well-planned attack, possibly a campaign to target many open-source projects, that spanned multiple years and was patiently executed by a sophisticated threat actor.
Similar compromises could be lurking in other projects
The concern is that such compromises could easily happen again, or might have already happened in other projects and have yet to be discovered. Many open-source tools and libraries suffer from a shortage of volunteers and often have a single maintainer, which makes them more susceptible to trusting and accepting work from new people who show an interest in helping.
“Situations like this remind us all that we need to remain vigilant within the open source software ecosystem,” the Open Source Security Foundation (OpenSSF) said in a statement on its website.
“Open source is about well-intentioned humans donating their time and talents to help solve problems, and sadly this can be compromised. As we all learn more details about the anatomy of this attack and the upstream and downstream response, it will give us time to reflect upon how we all can do more to secure open-source software and help maintainers and consumers alike.”