xz utils backdoor history
What does the backdoor do?
Malicious code added to xz Utils versions 5.6.0 and 5.6.1 changed the behavior of the software. The backdoor handles sshd, an executable file used to establish remote SSH connections. Anyone with a given encryption key can hide any code they choose in the SSH login certificate, download it, and run it on the backdoor device. No one has seen the downloaded code, so it is not known what code the attacker intended to execute. In theory, the code could allow almost anything, including stealing encryption keys or installing malware.
Wait, how can a compression tool handle a security aid like SSH?
Any library can break internal functions. of any executable to which it is linked. Often, the developer of the executable creates a link to the library that is necessary for it to function properly. The most popular sshd implementation, OpenSSH, does not link the liblzma library, but Debian and many other Linux distributions add a patch to link sshd with systemd, which loads various services during system startup. The system in turn links to liblzma and that allows xz Utils to manage sshd.
How did this backdoor happen?
It seems this backdoor has been around for years. In 2021, someone with the username JiaT75 made his first known commitment to an open source project. In retrospect, the change in the library project is suspect because it replaced the safe_fprint function with a version that has long been recognized as less secure. No one noticed at the time.
The following year, JiaT75 posted the patch to the xz Utils mailing list, and almost immediately, an unprecedented contributor, Jigar Kumar, joined the discussion, claiming that xz’s long-time maintainer, Lasse Collin Utils, had not updated the software frequently or fairly quickly. Kumar, with the support of Dennis Ens and several others on the list, pressured Collin to bring in a new developer to maintain the project.
In January 2023, JiaT75 made his first commitment to xz Utils. In the following months, JiaT75, who went by the name Jia Tan, became increasingly involved in xz Utils affairs. For example, Tan replaced Collins’ contact information with his own oss-fuzz project, which looks for vulnerabilities in open source software. Tan also requested that oss-fuzz disable ifunc during testing. The change prevented the detection of malicious changes that Tan will soon make to xz Utils.
In February of this year, Tan released security patches for versions 5.6.0 and 5.6.1 / xz Utils. Updates implemented a backdoor. Over the next few weeks, Tan or others contacted Ubuntu, Red Hat, and Debian developers to integrate the updates into their operating systems. Finally, according to security firm Tenable, one of the two updates went to the following releases:.
- Fedora Rawhide: Urgent Security Alert - Fedora 41 and Rawhide Users
- Fedora 41: Urgent Security Alert - Fedora 41 and Rawhide Users
- Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.: Debian Security Announce
- openSUSE Tumbleweed and openSUSE MicroOS: XZ Backdoor (Backdoored version of xz was included in Tumbleweed and MicroOS between March 7 and March 28)
- Kali Linux: About the XZ Backdoor (Backdoored version of xz was included in Kali Linux (xz-utils 5.6.0-0.2) between March 26 and March 28)
How this backdoor works?
In short, it allows someone with the right private key to hijack sshd, the executable responsible for establishing SSH connections, and execute malicious commands from there. The backdoor is done with a five-stage loader that uses several simple but clever tricks to hide itself. It also provides a means to deliver new payloads without major modifications.
What else do we know about Jia Tan?
Very little at this point, especially for those entrusted with monitoring software as ubiquitous and sensitive as xz Utils. This developer personality has touched dozens of other open source programs in recent years. It is currently unknown if there was ever a real person behind this username or if Jia Tan is a completely fictitious person.