XZ Utils backdoor
On 29 March 2024, a malicious backdoor was discovered in the compression software XZ Utils. The backdoor gives an attacker who possesses a specific Ed448 private key the ability to remotely execute code on an affected system through OpenSSH, a set of networking utilities. The backdoor was discovered by software developer Andres Freund.

It was later established that the backdoor had been deliberately inserted into the software in February 2024 by a user going by the name "Jia Tan", and that it affected both version 5.6.0 and version 5.6.1. The issue was assigned the identifier CVE-2024-3094 and a CVSS score of 10.0, the highest possible score, indicating maximum severity.

Although XZ Utils is present in most Linux distributions, at the time of discovery the affected versions had not yet been widely deployed to production systems; they were present in development versions of major distributions, so distribution maintainers rebuilt their packages to remove the backdoor. A release without the backdoor, version 5.6.2, was published on 29 May 2024. The backdoor was noted for its high level of obfuscation and for being the result of a campaign lasting years.

Andres Freund, a software developer employed by Microsoft, reported the backdoor after investigating a performance regression in a development version of Debian, a Linux distribution. Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage and were causing errors in Valgrind, a memory debugging tool. He reported his findings to the Openwall Project's open source security mailing list, which brought them to the attention of various software vendors. Once the compromised version is incorporated into the operating system, it alters the behavior of OpenSSH's SSH server daemon by abusing systemd, allowing an attacker who holds a specific Ed448 private key to gain administrator access. According to an analysis by Red Hat, the backdoor can allow a malicious actor to gain full access to a system remotely.

The attacker made efforts to obfuscate the code: the delivery mechanism consists of multiple stages that act together. A subsequent investigation found that the campaign to insert the backdoor into the XZ Utils project was the culmination of over two years of effort, starting in 2021, by a user going by the name "Jia Tan". They used sock puppetry in a pressure campaign against the original maintainer of XZ Utils and were eventually given maintainer permissions on the project. This allowed them to introduce the backdoor into version 5.6.0; because it went undetected at the time, it was also carried into version 5.6.1. Some of the suspected sock puppets include accounts with usernames such as "Jigar Kumar", "krygorin4545", and "misoeater91". The names are suspected to be pseudonyms chosen by the participants in the campaign. None of them has any visible public presence in software development beyond the years of the campaign.

The backdoor was notable for its level of sophistication and the perpetrator's high level of operational security for a long period of time while working to attain a position of trust. American security researcher Dave Aitel has suggested that it fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian Foreign Intelligence Service (SVR). Journalist Thomas Claburn suggested that it could be any state actor or a non-state actor with considerable resources.

The malicious code is known to be in versions 5.6.0 and 5.6.1 of the XZ Utils software package. The malicious mechanism consists of two compressed files that contain the malicious binary code. These files are present in the Git repository but remain dormant unless extracted and injected into the program. Once injected, the code replaces an existing function in OpenSSH with a malicious version. Under normal conditions, OpenSSH does not load code related to XZ Utils, as the two programs are unrelated. However, a patch used by several Linux distributions causes OpenSSH to interface with XZ Utils via systemd. A modified version of build-to-host.m4, a script used in the program's build process, was included in the release uploaded to GitHub. The modified script extracts a further stage, which results in the code being injected into the program. This modified file was not present in the Git repository; it was only available from the tar files released by "Jia Tan" separately from Git. The script appears to perform the injection only when the software is being built on an x86-64 Linux system that uses glibc and GCC and is being built via dpkg or rpm.

The US federal Cybersecurity and Infrastructure Security Agency issued a security advisory recommending that affected devices should roll back to a previous uncompromised version. Linux software vendors, including Red Hat, SUSE, and Debian, reverted the affected packages to older versions. GitHub temporarily disabled the mirrors for the project's repository.
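An added defender-side triage check, not part of the original article, that applies two facts stated above: only releases 5.6.0 and 5.6.1 carry the backdoor, and sshd is only exposed when it links liblzma (via the distribution systemd patch), which is why the remediation is to roll back the package. The function names, the verdict strings and the sample `ldd` line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: a triage check for
# CVE-2024-3094 that works on text captured from a host.
#   * xz_version_affected: is the `xz --version` banner 5.6.0 or 5.6.1?
#   * sshd_links_liblzma: does `ldd` output for sshd list liblzma at all?
#     (without that link the backdoored library is never loaded by sshd)
#   * triage: combine both into a verdict a responder can act on.

# Extract the version token from a banner such as "xz (XZ Utils) 5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 when the banner names a backdoored release (5.6.0 or 5.6.1).
xz_version_affected() {
    case "$(xz_version_from_banner "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Exit 0 when ldd output (passed as a string) references liblzma.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# triage BANNER LDD_OUTPUT -> prints one of three verdicts.
triage() {
    if xz_version_affected "$1"; then
        if sshd_links_liblzma "$2"; then
            echo "critical: backdoored liblzma and sshd links it; roll back xz and restart sshd"
        else
            echo "rollback: backdoored liblzma installed but sshd does not link it"
        fi
    else
        echo "unaffected: xz $(xz_version_from_banner "$1") is not a backdoored release"
    fi
}

# With --live, inspect the current host; otherwise run on a constructed sample.
if [ "${1:-}" = "--live" ] && command -v xz >/dev/null 2>&1; then
    banner=$(xz --version 2>/dev/null | head -n 1)
    ldd_out=$(ldd "$(command -v sshd || echo /usr/sbin/sshd)" 2>/dev/null || true)
    triage "$banner" "$ldd_out"
else
    # Constructed ldd line, not captured from a real system.
    sample_ldd="	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000)"
    triage "xz (XZ Utils) 5.6.1" "$sample_ldd"
fi
```

Run with `--live` to check the current host; the version banner alone is not sufficient, since a host with a backdoored package whose sshd never links liblzma still needs the rollback but is not remotely exposed through this path.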
