Linux, the widely used open-source operating system, narrowly escaped a high risk cyber attack over the weekend, thanks to one volunteer. The attack targeted a recent release of XZ Utils, a tool used in nearly every Linux distribution to compress large files, making them easier to transfer. It’s important to mention that XZ utils is not within distribution of common Linux but in Debian, Fedora, Ubuntu and more – to see the full list of vulnerable operation system, see the table at the end.
Discovering of Linux Backdoor
Andres Freund, a Microsoft developer and PostgreSQL maintainer, discovered the backdoor in the XZ compression library. He noticed SSHD process, running at the background of his linux os operation, while doing his micro benchmarking at that time. He noticed a process that were using up a 1GB of CPU, leading to his suspicion of a backdoor malicious script running in the background, The script attempted to insert binaries files into the “tests” folder while running the configuration process of the utility XZ, however the backdoor script is a small script which allow potential attacker to use the backdoor and insert whatever malicouse script they want at later stage. That backdoor was injected into a 3rd party library that XZ util relay on called “liblzma”. After some investigation, it was found as a malicious code in versions 5.6.0 and 5.6.1 of the xz tools and libraries.
The backdoor was cleverly hidden, exposing itself only to a single key, making it difficult to detect in public scans. If it had spread more widely, countless systems could have been compromised for years. Red Hat and Debian acted swiftly to revert compromised packages, ensuring minimal impact.
The attacker, known as JiaT75, had been working on the project openly. They started by sending legitimate patches in October 2021 but later resorted to using fake identities to gain access to the project’s core.
This incident underscores the importance of cybersecurity in open-source projects. It also highlights the need for greater support for volunteers who play a crucial role in maintaining the security and integrity of software that millions rely on.
Linux Vulnerability Backdoor Technicality
When the library is loaded to the memory, as part of initialization process of “sshd” which responsible for remote acess to linux systems (some of you engineers or cyber security probably have used ssh to access a remote cloud server/machine/ec2), The malicious code replaced 2 functions called crc64_resolve() and crc32_resolve() that use the functionality of “IFUNC” inside “glibc” which inherently allow software engineer (in other normal use cases) to change existing functions behaviour which in most cases is acceptable but in this case was used to insert a backdoor script. In the above functions the malicious code perform few checks like compiler of GCC is running and the architecture of x86_64 is present and only afterwards the code replacing “RSA_public_decrypt” with a malicious code. To that the attacker adds a process with encrypted msg that allow only the attacker to by pass security encryption safety checks and allow only the attacker to remotely add any malicious code they want.
Linux Vulnerability to Backdoor
XZ utils is not used with linux basic distribution, however most linux distribution do use XZ utils and may be vulnerable to that backdoor recently discovered.
| Distribution | Description |
|---|---|
| Ubuntu | Popular desktop and server Linux distribution |
| Fedora | Community-driven Linux distribution sponsored by Red Hat |
| Debian | Stable and versatile Linux distribution |
| Arch Linux | Lightweight and flexible Linux distribution |
| CentOS | Free and open-source Linux distribution derived from RHEL |
| openSUSE | User-friendly Linux distribution |
| Slackware | Oldest surviving Linux distribution |
| Gentoo | Highly customizable and performance-optimized distribution |
Who Behind Linux 2024 backdoor
During 2021 a new member that support open source projects join the community of XZ utility and essentially over time added new code to the project, The main volunteer of XZ utility Larhzu provided over time more access and more trust to Jin Tan and with the prussure of other members of the open source community Larhzu allow Jin Tan to release patches to XZ utility which after 2 years of work provided himself with a full scale work of creating backdoor to linux os systems. This full scale work aspart of a very distance and long and far from the source or the end user vulnerability is described as a “Supply Chain Attacks“, which means that a single weak links within a long security chain will break and cause problems. Due to the heavy work of the backdoor vulnerability linux systems like “valgrind” that track memory usage crush and stop to work, which forced Jia Tan to write more code to prevent crushes of such systems.
Such efforts which goes over years of works and backbone support could be operated by individuals but also by companies, states and government employees working in cyber attack teams. Protection from those future attacks can be achive with soc2 compliance, ISO standards, controls, regulations, hiring the relevant roles etc. as much as we all enjoy open source projects with and without our knowledge it’s important to remember that we need to support those volunteers and individuals who provide their time for open source projects, knowledge about security, information about code, patches and more for better safe and secure internat.
I am a software engineer with 20 years of experience of writing code, Software languages, Large scale web application, security and data protection of online digital assets in various software systems and services. I’ve decided to write and share my interests in cyber security online and information security to help and improve white hat security, safety and privacy of our online digital assets, As companies, as individuals or experts providing services. In here you’ll be able to read freely about cyber security threats, detections, common problems, services, news and everything related to information security and cyber security – enjoy and feel free to contact me via the contact page for any question.