Catch Of The Week: Backdoor Nearly Hits Linux

By REBECCA RUTHERFORD
Los Alamos

For the Los Alamos Daily Post

What is “open source software”? Basically it is software with a source code anyone can inspect, modify and enhance. Open source is a great way to make your code available to everyone, and a good way to enhance and improve the services it provides. 

Linux is one of the most well-known kinds of open source software, used by about 42% of the world. There are many distributions, or “distros,” of Linux, such as Red Hat, Debian, Kali, and many more.

In addition to the source code for the actual Linux OS, the source code for many utilities used by Linux is also open source. Last week a lone Microsoft developer shocked the world when he revealed that a back door had been placed into xz Utils. xz Utils is a very common tool present in Linux. According to an article by Ars Technica, it provides “lossless data compression on virtually all Unix-like operating systems, including Linux. xz Utils provides critical functions for compressing and decompressing data during all kinds of operations. xz Utils also supports the legacy .lzma format, making this component even more crucial.”

The discovery happened largely by accident, by Microsoft developer Andres Freund. Freund was troubleshooting SSH errors on a Debian system; SSH logins were taking too many CPU cycles and causing errors. Through luck and attentiveness, he realized the errors stemmed from an update to xz Utils. On Friday he took his findings to the Open Source Security List: the updates were the result of someone intentionally planting a backdoor in the utility. This was caught before the updated xz Utils reached most production versions of Linux. Had it remained unknown and been distributed, the results could have been catastrophic.

What would the backdoor do? It is complicated, but basically it would have modified the way the code functioned, granting the attacker the ability to do anything, including stealing encryption keys and installing malware. 

How did this happen? A developer with the username JiaT75 was playing the long game: they started making small commits (changes) to the xz Utils code back in 2021. There seems to have been some amount of social engineering going on as well, with JiaT75, now going by the name Jia Tan, joining a mailing list for the utility and submitting a patch. After the submission a previously unheard-of member known as Jigar Kumar joined the discussion. Both argued that the xz Utils creator was too slow with maintenance and put pressure on Lasse Collin, the maintainer of xz Utils, to bring on another developer for the project. Tan took on an increasing amount of responsibility for the project, adding more and more commits. In February of this year, commits containing the backdoor code were added.

The code did make it into some distros of Linux: 

DISTRIBUTION | ADVISORY | NOTES
Fedora Rawhide | https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users | Fedora Rawhide is the development distribution of Fedora Linux
Fedora 41 | https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users |
Debian testing, unstable and experimental distributions | https://lists.debian.org/debian-security-announce/2024/msg00057.html | Affected package versions 5.5.1alpha-0.1 to 5.6.1-1
openSUSE Tumbleweed and openSUSE MicroOS | https://news.opensuse.org/2024/03/29/xz-backdoor/ | Backdoored version of xz was included in Tumbleweed and MicroOS between March 7 and March 28
Kali Linux | https://www.kali.org/blog/about-the-xz-backdoor/ | Backdoored version of xz was included in Kali Linux (xz-utils 5.6.0-0.2) between March 26 and March 28

Chart from Ars Technica article

The CVE tracking designation is CVE-2024-3094. If you are concerned you may have been affected by this, you can use this website from the security firm Binarly to check.
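For readers who would rather check from the command line, the script below is an added example written for this column; it is not from the article, Binarly, or the xz project. It reads the version reported by the local xz binary and flags the two upstream releases that carried the CVE-2024-3094 backdoor, 5.6.0 and 5.6.1 (the distro package versions quoted in the chart above, such as Kali's 5.6.0-0.2 and Debian's 5.6.1-1, are those releases with a packaging suffix, which the script strips). The function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): flag the xz Utils releases that
# shipped the CVE-2024-3094 backdoor. Upstream releases 5.6.0 and 5.6.1 are
# the affected ones; distro suffixes such as "-0.2" or "-1" are ignored.

# Return 0 (true) when the given version string is a backdoored release.
is_affected_xz_version() {
    ver="$1"
    # Keep only the upstream part: "5.6.0-0.2" -> "5.6.0", "5.6.1-1" -> "5.6.1".
    base=${ver%%-*}
    case "$base" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1". Reads stdin so it can be tested offline.
parse_xz_version() {
    sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Inspect the host's xz binary, if any. Exit status: 0 clean or not installed,
# 1 affected release found, 2 version could not be determined.
check_host_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    v=$(xz --version 2>/dev/null | parse_xz_version)
    if [ -z "$v" ]; then
        echo "could not parse xz version"
        return 2
    fi
    if is_affected_xz_version "$v"; then
        echo "xz $v: AFFECTED (CVE-2024-3094), follow your distribution's advisory"
        return 1
    fi
    echo "xz $v: not one of the backdoored releases"
    return 0
}

# Usage: save as xz-check.sh, then `. ./xz-check.sh && check_host_xz`.
```

Note that this only tells you whether the installed xz binary is one of the two backdoored releases; the distribution advisories linked in the chart remain the authoritative source for which package builds were affected and how to roll back.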

If it had succeeded, this would have been one of the worst supply chain attacks seen yet. What is a supply chain attack? From Wikipedia:

“A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware.”

One recent, well known supply chain attack was SolarWinds; SolarWinds is an information technology monitoring software for networks and infrastructure. Attackers were able to insert malicious code into Orion, the monitoring component of SolarWinds, which was then delivered to SolarWinds customers via a software update. The attack is nicely explained in this article.

As you can imagine, this was very bad. Had the xz Utils backdoor succeeded, it would have been even worse. Thankfully it was caught so early that any damage should be seriously minimized.

So pour out a can of Jolt to eagle-eyed devs everywhere, helping to keep your software safe, and probably not getting a lot of sleep. Without them the world would be a much darker place.

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
