Date: 30-3-2024

On Friday, March 29th, 2024, a backdoor was discovered in the xz utils package used by many Linux distributions, specifically in the liblzma library. Because of the way the backdoor was incorporated in the project, and the large user base of xz utils, we expect significant media attention within the tech and security communities. NCSC classifies this vulnerability as High/High [1]. With this message we want to help you make an informed decision about your risk.

Description

On Friday, news broke that a backdoor in the liblzma library was found. Liblzma is used for compression by many Linux utilities, and is part of the xz utils package. The backdoor consisted of a malicious addition to the install script that backdoored the sshd process, to bypass authentication, giving an attacker direct access to a shell [2]. The backdoor was added on February 23 by one of the two maintainers of the xz utils package, who had been active with the project for two years, and it is believed this was on purpose rather than through a compromised workstation. The backdoor made its way into the following upstream versions of xz utils:

  • 5.6.0
  • 5.6.1

However, these upstream versions had not yet been included into the production versions of any Linux distribution at the time of discovery, only in experimental and unstable release trains.

The presence of this backdoor calls into question all the previous additions by this developer, since they had enough access to the xz utils project to push commits on behalf of other developers as well. Their previous contributions are now being scrutinised, and this discovery may lead to more scrutiny in other projects as well. Nothing is known yet about the intentions or affiliations of the developer.

Impact

We estimate the impact of this backdoor as HIGH because it gives unfettered root access to an attacker with little to no complexity or limitations.

Risk

We estimate the risk level of this vulnerability as LOW since the affected versions of xz utils did not make their way into production versions of Linux distributions.

Mitigation

For systems running a backdoored version of xz utils, the current mitigation is to downgrade to an older version.

What should you do?

If you make use of Linux, check your xz utils version to see if it contains this backdoor. If you use Debian, Red Hat or openSUSE, you may be affected if you are on a testing/experimental/unstable release train; otherwise you should be fine [2] [3]. If you run an affected version, downgrade to an older version as soon as possible and perform forensic investigation on the affected system(s). Our CERT can assist you if desired. In the broader sense, it is wise to be prepared for supply chain risk issues like this one by having a central inventory of software used, so that you can quickly assess your exposure.
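As an added example (not Northwave tooling, and not part of the original advisory), the following POSIX shell script performs the version check described above: it parses the output of `xz --version` and flags the two upstream releases named in this advisory, 5.6.0 and 5.6.1. The `SAMPLE_OUTPUT` string is constructed to resemble `xz --version` output for illustration; the `--check` mode and the exit code 2 convention are assumptions chosen so the script can be dropped into an inventory job across many hosts.

```shell
#!/bin/sh
# Added example for the xz utils advisory: flag the backdoored upstream
# releases (5.6.0 and 5.6.1) by inspecting 'xz --version' output.
# Not Northwave's tooling; the sample output below is constructed.

# Return 0 (true) when the given version string is one of the two
# affected upstream releases listed in the advisory.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# 'xz --version' prints two lines, e.g. "xz (XZ Utils) 5.4.6" and
# "liblzma 5.4.6". Extract the version number from each line separately,
# since the backdoor lives in liblzma rather than the xz binary itself.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

liblzma_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample of what an affected host would print (illustration only).
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Inspect the running host. Prints one line per component and returns 2
# when any component is an affected version, so a fleet-wide inventory job
# can collect the results (the advisory recommends a central software inventory).
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    out=$(xz --version 2>/dev/null)
    rc=0
    for ver in "$(xz_version_from_output "$out")" "$(liblzma_version_from_output "$out")"; do
        [ -n "$ver" ] || continue
        if is_affected_version "$ver"; then
            echo "AFFECTED: version $ver found, downgrade and investigate"
            rc=2
        else
            echo "not affected: version $ver"
        fi
    done
    return $rc
}

# Assumed invocation convention: 'sh xz-check.sh --check' runs the host check.
if [ "${1:-}" = "--check" ]; then
    check_host
    exit $?
fi
```

A version match is only a first triage step: a host that reports a clean version but obtained xz from an unusual source (a vendored copy, a container base image, a locally built package) still needs to be accounted for in the inventory, and a host that matches should be treated as compromised and handed to forensic investigation as the advisory recommends rather than merely downgraded.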

What will Northwave do?

We monitor the developments around this story. Given the brazenness of the action and the attention it is getting in the open source community, knock-on effects are possible, such as other projects making similar discoveries or other contributions by the same person turning out to contain backdoors as well. If any developments occur that are significant to your risk, we will inform you through an update to this TR.

Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000

Disclaimer applies, see below.

Sources

[1]: https://advisories.ncsc.nl/advisory?id=NCSC-2024-0140

[2]: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

[3]: https://lists.debian.org/debian-security-announce/2024/msg00057.html

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.