Linux, the world’s most widely used open source operating system, narrowly escaped a major cyberattack over the Easter weekend, and it is all thanks to one volunteer.
The backdoor was inserted into a recent release of a Linux compression tool called XZ Utils. The tool is little known outside of the Linux world, but nearly all Linux distributions use it to compress large files and make them easier to transfer. Had the backdoored releases spread further, countless systems could have remained compromised for years.
As Ars Technica points out in its thorough summary, the perpetrator did this work in public.
The vulnerability, built into Linux’s remote login, was exposed to only a single key and could hide from scans of public computers, as Ben Thompson writes in Stratechery. “The vast majority of the world’s computers will be vulnerable and no one will notice.”
The story of the discovery of the XZ backdoor begins in the early morning hours of March 29, when San Francisco-based Microsoft developer Andres Freund, as he later posted on Mastodon, sent an email to the Openwall security mailing list with the heading “Upstream xz/liblzma backdoor leads to ssh server compromise.”
Freund, who volunteers as a “maintainer” for PostgreSQL, a Linux-based database, had noticed some strange things while running tests over the previous few weeks. His encrypted remote logins were consuming a large amount of CPU inside liblzma, which is part of the XZ compression library. None of the performance tools he used revealed anything, Freund wrote on Mastodon. That immediately made him suspicious, and he remembered a “weird complaint” he had received from a Postgres user a few weeks earlier about Valgrind, a Linux program for checking memory errors.
After some investigation, Freund finally discovered what was wrong. “Upstream, the xz repository and xz tarball are backdoored,” Freund pointed out in an email. The malicious code was included in versions 5.6.0 and 5.6.1 of the xz tools and libraries.
Shortly afterwards, enterprise open source software company Red Hat issued an emergency security alert, concluding that the beta version of Fedora Linux 40 contained the two affected versions of the xz library. Fedora Rawhide may also have received version 5.6.0 or 5.6.1.
Immediately stop using your FEDORA RAWHIDE instance for work or personal activities. Fedora Rawhide will be reverted to xz-5.4.x soon, and once that is complete, you will be able to safely redeploy your Fedora Rawhide instances.
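A quick host check for the two releases named above, as an added example (not code from the article, from Red Hat or from the xz project); it assumes a POSIX shell with `xz`, `ldd` and `sshd` reachable on the PATH, and that the “ssh server compromise” in Freund’s subject line means sshd loads liblzma through dynamic linking:

```shell
# Added example, not part of the article or of the xz project: report
# whether the xz on this host is one of the two releases the article
# names as backdoored (5.6.0 and 5.6.1), and whether sshd is dynamically
# linked against liblzma (assumes ldd is available on the host).

# Return 0 (true) when the version string is a known backdoored release.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when the given executable is dynamically linked to liblzma.
links_liblzma() {
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Check the installed xz and sshd; exit status 1 means action is needed.
check_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_banner "$(xz --version 2>/dev/null | head -n 1)")
        if xz_version_is_backdoored "$ver"; then
            echo "WARNING: xz $ver is a backdoored release; revert to 5.4.x"
            rc=1
        else
            echo "xz $ver is not one of the known backdoored releases"
        fi
    else
        echo "xz is not installed"
    fi
    sshd_path=$(command -v sshd 2>/dev/null)
    if [ -n "$sshd_path" ] && links_liblzma "$sshd_path"; then
        echo "note: $sshd_path is linked against liblzma and loads the installed xz library"
    fi
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh check_xz.sh --check`; the version functions are kept separate so they can be reused against output collected from other hosts.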
A beta version of Debian, a free Linux distribution, contained a compromised package, but its security team acted quickly and reverted it. “No stable versions of Debian are known to be affected at this time,” Debian chief Salvatore Bonaccorso said in a security alert to users on Friday night.
Freund later identified the person who submitted the malicious code as one of the two main xz Utils developers, known as JiaT75 or Jia Tan. “Given the weeks of activity, either the committers were directly involved, or there was a pretty serious breach of the system. It’s unfortunate that they’re going back and forth about the above ‘fixes’ on various lists. The latter explanation seems unlikely,” Freund wrote in his analysis, after linking to several of the “fixes” created by JiaT75.
JiaT75 is a well-known name, having worked for some time in collaboration with Lasse Collin, the original developer of the .xz file format. As programmer Russ Cox shows in his timeline, JiaT75 started by sending an apparently legitimate patch to the XZ mailing list in October 2021.
A few months later, two other people, Jigar Kumar and Dennis Ens, revealed other parts of the plan by sending complaint emails to Collin about bugs and the slow pace of the project’s development. However, as Evan Boehs noted in his report, “Kumar” and “Ens” have never been seen outside of the XZ community, and both are now believed to be fakes that existed solely to help Jia Tan get into position to deliver the backdoor code.
“I’m sorry to hear about your mental health issues, but it’s important to be aware of your own limitations. We understand that this is a hobby project for all contributors, but the community has much more to offer. We want a new maintainer,” Ens wrote in one message, and Kumar said in another that “progress will not happen until we have a new maintainer.”
Amid these exchanges, Collin wrote: “I have not lost interest, but my ability to care is severely limited, primarily due to long-term mental health issues, but also other issues,” and suggested that Jia Tan might take on a bigger role. “It’s also good to keep in mind that this is a free hobby project,” he concluded. The emails from “Kumar” and “Ens” continued until later that year, when Tan was added as a maintainer, with more privileges to make changes and, eventually, to push backdoored packages into Linux distributions.
The xz backdoor incident and its aftermath are examples of both the beauty of open source and the glaring vulnerabilities in the Internet’s infrastructure.
The developers of FFmpeg, a popular open source media package, highlighted this issue in a tweet: “The XZ debacle showed that relying on unpaid volunteers can cause big problems. Multi-trillion dollar companies count on free and emergency help from volunteers.” And they came with receipts, pointing out how they had addressed a “high priority” bug affecting Microsoft Teams.
Even though Microsoft relies on their software, the developers wrote: “After politely requesting a support contract from Microsoft for long-term maintenance, they instead offered a one-time payment of a few thousand dollars… The investment in maintenance and sustainability is unattractive, and perhaps it won’t get middle management promoted, but it will pay off thousands of times over the years.”
Details of who is behind JiaT75, how the plan was carried out, and the scope of the damage are being pieced together by an army of developers and cybersecurity experts on both social media and online forums. But they are doing so without direct financial support from the many companies and organizations that benefit from having secure software available.