The XZ Utils backdoor has shaken up the engineering and cybersecurity industry, both because of the sophistication and stealthiness of the (potential) attack and because it broke the unspoken standards of trust in the OSS community. In this blog post, we analyze the technical details of the vulnerability, explain who is behind it, and, most importantly, tell you whether you are protected and how to ensure you are not affected by similar attacks.

Findings 

Last weekend, a Microsoft software engineer named Andres Freund investigated slow SSH logins on a Linux box running Debian Sid. To his surprise, he found a backdoor in XZ Utils, a popular data compression tool used across many Linux distributions. Red Hat, followed by CISA, immediately issued a warning urging users to halt the use of Fedora 41 and Fedora Rawhide instances due to the backdoor found in the latest versions (5.6.0 and 5.6.1) of XZ Utils. The issue was assigned CVE-2024-3094, with the highest possible CVSS score of 10/10.

The backdoor mechanism involved two compressed test files containing malicious binary code, which was injected into the program under specific conditions. The exploit targeted the liblzma code, compromising SSH server security and potentially allowing unauthorized system access.

The issue originated from malicious modifications made to the release tar files of XZ Utils published on GitHub by a contributor known as "JiaT75". These modifications were deliberately omitted from the GitHub repository, a tactic likely aimed at evading detection. Instead, the backdoor's components were integrated only into the source code distributions shipped as tarball releases. In that way, the backdoor remained hidden from anyone reviewing the repository, but was still compiled into the builds of downstream dependencies.
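
One defender-side check that follows directly from the tarball-versus-repository trick is to compare what a release tarball contains with what the git tree contains at the matching tag, and review anything that exists only in the tarball. The script below is an added example, not code from the original post or from the XZ Utils project; it assumes `tar`, `sort`, `comm` and `mktemp` are available, that the second argument is a file holding the output of `git ls-files` at the release tag, and the sample package it builds is constructed purely for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or the XZ Utils project: list the
# files that exist in a release tarball but not in the git tree at the matching
# tag, so tarball-only additions get reviewed before the package is built.
# Assumptions: `tar`, `sort`, `comm` and `mktemp` are available; the second
# argument is a file holding the output of `git ls-files` at the release tag.
# The sample package below is constructed for demonstration only.

# Print the regular files in a tarball, with the top-level directory stripped.
tarball_file_list() {
    tar -tf "$1" | grep -v '/$' | sed 's#^[^/]*/##' | sort -u
}

# Print entries present in the tarball but absent from the git file list.
tarball_only_files() {
    tarlist=$(mktemp)
    tarball_file_list "$1" > "$tarlist"
    sort -u "$2" | comm -23 "$tarlist" -
    rm -f "$tarlist"
}

# Build a constructed sample: two tracked files plus one macro file that is
# only shipped in the tarball. Prints the working directory it created.
make_sample() {
    work=$(mktemp -d)
    mkdir -p "$work/src/pkg-1.0/m4"
    printf 'int main(void) { return 0; }\n' > "$work/src/pkg-1.0/main.c"
    printf '# tracked in git\n' > "$work/src/pkg-1.0/m4/tracked.m4"
    printf '# shipped only in the tarball\n' > "$work/src/pkg-1.0/m4/generated-helper.m4"
    printf 'main.c\nm4/tracked.m4\n' > "$work/git-ls-files.txt"
    (cd "$work/src" && tar -cf "$work/pkg-1.0.tar" pkg-1.0)
    echo "$work"
}

# Usage: sh tarball_check.sh release.tar git-ls-files.txt
# With no arguments, run against the constructed sample package.
if [ $# -eq 2 ]; then
    tarball_only_files "$1" "$2"
else
    sample=$(make_sample)
    echo "tarball-only files in the sample package:"
    tarball_only_files "$sample/pkg-1.0.tar" "$sample/git-ls-files.txt"
    rm -rf "$sample"
fi
```

Generated files such as `configure` legitimately appear only in tarballs, so the output is a review list rather than a verdict; the point is that every tarball-only file gets a human look, which is exactly the step that was missing here.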

Among the affected systems and distributions are Debian, Fedora Rawhide, Kali Linux, openSUSE Tumbleweed, and others. However, most stable release distributions were not affected, as they did not ship the compromised XZ Utils versions.

To date, there is no evidence of in-the-wild exploitation of the vulnerability.


Who is Jia Tan?

Jia Tan (using the GitHub nickname JiaT75) was a relatively recent addition to the XZ Utils project, starting contributions around two to two and a half years prior to the discovery of the backdoor. He gained commit access and was later promoted to release manager rights approximately one and a half years ago. His account was removed a few days ago, shortly after the backdoor discovery.

Investigations into Jia Tan's background have led to speculation about his origins, possibly linking him to Singapore, Hong Kong, or mainland China (this was inferred from a Singaporean VPN IP he used and from surnames like "Cheong" and "Jia"). In any case, and despite the ambiguity still surrounding his true identity, both the sophistication and the resources behind the effort strongly suggest the involvement of a state actor. An actual person named Jia Tan may well be nonexistent, as the name might be a cover for a wide-scale operation backed by a state actor.


What can we do?

To protect yourself against similar threats, follow these steps:

  1. Make sure you can detect new vulnerabilities based on dynamic SBOM analysis, as you may want to locate them before CVE IDs are assigned.
  2. Evaluate OSS libraries with SCA tools to ensure you are not committing compromised or vulnerable code into your source code.   
  3. Determine the exploitability of your systems by understanding which processes are used at runtime and can be compromised, and which assets are internet-exposed, so you can prioritize patching and asset management.
  4. Check whether your security controls are configured in a way that protects you against the vulnerability and make sure you are implementing the relevant security measures to mitigate the risk posed by the backdoor.
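
Steps 3 and 4 above come down to two concrete questions for this particular backdoor on any given host: is one of the affected XZ Utils releases (5.6.0 or 5.6.1) installed, and does the SSH server process actually load liblzma (the condition under which the backdoor reaches sshd)? The script below is an added example, not code from the original post or the Zafran platform; it assumes `xz`, `ldd` and `sshd` are on the PATH, and its parsing functions take command output as arguments so they can be exercised on constructed text without a live system.

```shell
#!/bin/sh
# Added example (not from the original post or the Zafran platform): host-level
# checks for the CVE-2024-3094 xz backdoor. Assumptions: `xz`, `ldd` and `sshd`
# are on PATH; the affected releases are 5.6.0 and 5.6.1 as stated in the post.

# Return 0 if the given xz version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1". Takes the output text as an argument so
# it can be tested offline on constructed text.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if an `ldd` listing shows liblzma being loaded into the binary.
# On distributions whose OpenSSH links libsystemd, sshd pulls in liblzma
# transitively, which is what gives the backdoor its foothold in the SSH server.
ldd_output_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Run both checks against the local host and report.
check_host() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$ver"; then
        echo "xz $ver is a backdoored release: replace it and rebuild anything linked against it"
    else
        echo "xz ${ver:-unknown} is not one of the flagged releases"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || true)
    if [ -n "$sshd_path" ] && ldd_output_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "sshd at $sshd_path loads liblzma: treat this host as exposed until xz is confirmed clean"
    elif [ -n "$sshd_path" ]; then
        echo "sshd at $sshd_path does not load liblzma"
    fi
}

# Usage: sh xz_check.sh
check_host
```

Pair the version check with your package inventory rather than relying on `xz --version` alone: a statically vendored liblzma inside another package will not show up in the binary's version string, which is where the SBOM and SCA steps above earn their keep.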


This layered approach, at the core of the Zafran platform, ensures that both proactive and reactive defenses are optimized to confront sophisticated cyber threats effectively.

Learn more about how Zafran can help. Click here for a demo.