The Supply Chain RCE That Was Exposed

Important Information


  • The xz-utils package in versions 5.6.0 and 5.6.1 contains a malicious backdoor that, on certain Linux systems under specific circumstances and configurations, could give an attacker remote access through SSH and remote code execution (RCE).
  • All Linux users should verify that their installed xz-utils version is earlier than 5.6.0 and downgrade if necessary, especially on hosts running an Internet-facing sshd. The directly vulnerable population is currently small, but that assessment may change with further analysis.
  • Evidence suggests a sophisticated, long-term supply chain compromise operation by an advanced threat actor who may have compromised other open-source packages as well.

On March 29, 2024, software engineer Andres Freund reported discovering a backdoor in the liblzma library, part of the xz-utils package. What began as an investigation into degraded OpenSSH performance on a pre-release Debian Linux system has escalated into a global security incident that is still evolving. Fortunately, the backdoor was identified before the tainted library version became widespread, which limited the immediate impact. The larger concern is how the backdoor was created, concealed, and distributed, and what it would have meant for the security of countless systems had it gone undetected.

How the xz-utils Backdoor Emerged

Open-source software is typically distributed as compressed archives known as tarballs, produced with compression tools such as Gzip (giving .tar.gz files) or XZ (giving .tar.xz files). Some programs depend on XZ compression directly, which is why the xz-utils package and its liblzma library are present on most Linux systems.

The xz-utils project was maintained by Lasse Collin until Jia Tan, a persistent contributor, assumed control of the project on GitHub. Jia's recent commits, purportedly improving compression performance in the liblzma library, were incorporated into versions 5.6.0 and 5.6.1 of xz-utils, the releases that carry the backdoor. The compression utility itself, however, was never the real target; it was a means to a more significant end.

One application that ends up depending on liblzma is OpenSSH, specifically in distributions that patch sshd to report its status to systemd (common in Debian Linux); the systemd library that sshd links for this purpose itself depends on liblzma. In such configurations the SSH server loads liblzma at startup, offering a pathway to compromising remote shell sessions.
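As an added example (not code from the original article), this POSIX shell script turns the advice in the summary above into a check: it classifies the installed xz version against the two backdoored releases and inspects whether the local sshd binary loads liblzma, the dependency path this paragraph describes. The `xz --version` output format, the `/usr/sbin/sshd` fallback path and the sample inputs are assumptions.

```shell
# Offline-testable helpers for assessing exposure to the xz-utils backdoor
# (CVE-2024-3094). Added example; not code from the original article.

# True (exit 0) when VERSION is one of the backdoored releases, else 1.
xz_version_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version out of `xz --version` text such as "xz (XZ Utils) 5.6.1".
# Takes the text as $1 so it can be checked against constructed input.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True when ldd-style output in $1 lists liblzma. On Debian-style builds sshd
# links libsystemd, which pulls in liblzma: the load path the backdoor needs.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Verdict from both signals: 0 = exposed, 1 = not exposed by this check.
exposure_verdict() {
    xz_version_backdoored "$1" && links_liblzma "$2"
}

# Live check of the running host. Failures of xz/ldd are tolerated so the
# script also works where they are absent; /usr/sbin/sshd is an assumed path.
check_system() {
    xz_out=$(xz --version 2>/dev/null) || xz_out=""
    ver=$(parse_xz_version "$xz_out")
    sshd_bin=$(command -v sshd 2>/dev/null) || sshd_bin=/usr/sbin/sshd
    deps=$(ldd "$sshd_bin" 2>/dev/null) || deps=""
    printf 'xz version: %s\n' "${ver:-unknown}"
    if links_liblzma "$deps"; then
        printf 'sshd (%s) loads liblzma\n' "$sshd_bin"
    else
        printf 'sshd (%s) does not load liblzma\n' "$sshd_bin"
    fi
    if exposure_verdict "$ver" "$deps"; then
        echo 'VERDICT: exposed - downgrade xz-utils below 5.6.0 and restart sshd'
    else
        echo 'VERDICT: not exposed by this check'
    fi
}

check_system
```

A "not exposed" verdict only rules out the sshd path the article describes; a backdoored liblzma should still be downgraded wherever it is installed.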

The Payload: Malicious Code? Concealed Malicious Code?

Red Hat tracks the backdoor as CVE-2024-3094 and describes it as "malicious code" within the package. What sets this vulnerability apart is that the C source code in the repository is clean. Instead, the backdoor is hidden in separate binary "test" files and spliced into the library during compilation, using layered obfuscation built from ordinary, benign text-processing tools.

Before C or C++ source code can be executed, it must be compiled into a binary. To make this easier, open-source projects ship build scripts (configure scripts and makefiles) alongside the source code. Jia Tan placed the malicious build logic in the downloadable release tarball rather than in the source repository, so that scanners reviewing the repository would not see it. When the package is compiled on a system meeting specific criteria, the build scripts assemble the backdoor into the liblzma library, where it hooks a particular function that is invoked while handling a remote secure shell session.

If the conditions align, a malicious actor can trigger the backdoor by connecting to a compromised system over SSH and presenting their encrypted access key. On successful activation, this grants remote access without passing through the normal authentication process.

Consider the ramifications had this backdoor not been uncovered and the tainted versions moved from unstable to stable releases, eventually reaching major Linux distributions worldwide over the coming years. It is easy to see why this CVE received the maximum severity score of 10.

The Enigmatic Contributor Turned Vanisher

The notion of a project maintainer introducing a backdoor into a widely used open-source project seems inconceivable. Yet the mysterious Jia Tan, aka JiaT75, carried out this intrusion shortly after assuming project control. In the aftermath, the community pieced together Jia's online activity, which revealed a sudden first appearance in October 2021.

JiaT75 began contributing to various open-source projects around this time, likely aiming to establish credibility before executing malicious intents. Through involvement in xz-utils, Jia gradually amassed authority, persuading the founder to cede control to foster innovation alongside other eager contributors. Jia then introduced the backdoored elements, orchestrating what Michał Zalewski characterizes as a daring cybersecurity exploit.

While the Jia Tan persona seemingly assumes a Chinese identity, discrepancies emerge, with activity timestamps aligning closely with Central European business hours. Speculations suggest JiaT75 may not be an individual but an advanced threat actor group, possibly linked to APT29 (Cozy Bear). This group’s operational similarities to the SolarWinds Orion hack hint at sophisticated, stealthy tactics. Jia vanished upon the backdoor’s exposure and remains elusive.

Exploiting the Open-Source Reliance

Contrasted with catastrophic breaches, like the MOVEit Transfer incidents, this episode may appear less severe: no known breaches, losses, or extensive impacts. The exploit targeted a niche subset of systems under specific conditions. Nevertheless, the incident underscores grave supply chain security concerns akin to the SolarWinds Orion event.

The attack's innovation lies in concealing malicious code within auxiliary files packaged with the source, not within the source itself. Jia Tan's intricate strategy, stealth, and multi-year patience point to a formidable threat actor willing to make a complex, long-term gamble for extensive RCE reach. As Andres Freund himself noted, the backdoor was found by luck rather than by design, which highlights how exposed we remain to similar attempts in the future.

This incident underscores the need for robust supply chain security measures at a time when trust in, and support for, fundamental software components is dwindling. As maintainers face mounting pressure alone, actors like Jia Tan exploit weaknesses in the very framework of the digital age. The xz-utils breach is a stark reminder that supply chain attacks rank among the most serious global software security threats. Because the proliferation of third-party dependencies keeps raising that risk, automation becomes a crucial line of defense.

Rest assured, we remain vigilant and will update on this unfolding narrative as new developments transpire.