From my SANS Security Digest that just arrived:
Malicious Code Found in xz utils
(March 29 & April 1, 2024)
Both Red Hat and the US Cybersecurity and Infrastructure Security Agency (CISA) have warned of embedded malicious code in xz utils data compression library versions 5.6.0 and 5.6.1. CISA recommends downgrading to an unaffected version of the library. Researcher Andres Freund reported the vulnerability to Openwall on Friday, March 29.
Editor's Note
[Ullrich]
Luckily, this can be classified as a win for the good guys. But the danger to the supply chain is real. Not only was the backdoor very unique and sophisticated, but it was supported by a long term social engineering campaign at least as complex as the backdoor itself. Take a minute this week, and send a thank you note to an open source project that made a difference for you this week.
[Honan]
This incident brings strong echoes of Ken Thompson's famous paper, “Reflections on Trusting Trust”. If you have not read it, I strongly recommend you do.
www.cs.cmu.edu: Reflections on Trusting Trust (PDF)
[Dukes]
This attack would have been highly effective if not for an engineer’s curious mind. Of note is the use of an advanced cryptographic scheme that ensures only they can use the bug for attack – a level of sophistication often found in nation-state backed operations. While the focus will be on the integrity of open-source software, it’s also a reminder for product vendors and the security controls they have in place for software configuration management.
[Murray]
APT class actors have discovered the potential efficiency of the supply chain. We must hold suppliers accountable for shipping malicious code. Open-Source is an easy target and a big risk. At a minimum, we should require open source contributors to sign their work and include an SBOM for any code that they reuse.
[Frost]
What makes this one different is the sophistication and the targeting. This hidden code only appeared on compilation through an M4 macro and within the test trees. This requires a high degree of understanding of how to manipulate compiled binaries in systems. It appears that this was targeting xz’s use in SSH on specific systems. This would be a very innocuous and hard-to-understand backdoor in one of the most critical and trusted secure protocols that we rely on.
Read more in:
- nvd.nist.gov: CVE-2024-3094 Detail
- www.openwall.com: backdoor in upstream xz/liblzma leading to ssh server compromise
- access.redhat.com: CVE-2024-3094
- www.redhat.com: Urgent security alert for Fedora Linux 40 and Fedora Rawhide users
- www.cisa.gov: Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094
- www.nextgov.com: CISA sounds alarm on deep-seated vulnerability in Linux tool
- arstechnica.com: What we know about the xz Utils backdoor that almost infected the world
- www.scmagazine.com: Backdoor in utility commonly used by Linux distros risks SSH compromise
- therecord.media: Malicious backdoor code embedded in popular Linux tool, CISA and Red Hat warn
- www.theregister.com: Malicious SSH backdoor sneaks into xz, Linux world's data compression library
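As an added example (my own, not from the SANS digest or any vendor), here is the host check I would run after reading the summary and Frost's note: it flags the two liblzma releases the digest names (5.6.0 and 5.6.1) and reports whether the local sshd links liblzma at all, since the ssh server is the path the digest says the backdoor targeted. It assumes the first line of `xz --version` has the form "xz (XZ Utils) 5.6.1" and that `ldd` is available.

```shell
#!/bin/sh
# Defender-side check for the xz/liblzma releases named in the digest.
# Assumption: `xz --version` prints "xz (XZ Utils) <version>" on its first line.

# Pull the version number out of `xz --version` output (first line only).
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if the version is one of the two backdoored releases.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Given `ldd` output for a binary, return 0 if liblzma is among its
# (direct or transitive) shared-library dependencies.
ldd_output_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live check of this host; returns 0 only if nothing was flagged.
check_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if xz_version_is_affected "$ver"; then
            echo "FLAG: xz $ver is a backdoored release (5.6.0/5.6.1); downgrade per CISA"
            rc=1
        else
            echo "ok: xz version ${ver:-unknown} is not 5.6.0 or 5.6.1"
        fi
    fi
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if ldd_output_links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
            echo "note: $sshd_bin links liblzma, so a backdoored xz would load into the ssh server"
        else
            echo "ok: $sshd_bin does not link liblzma"
        fi
    fi
    return $rc
}
```

Run `check_host` on a host to get the verdict; the helper functions can also be fed captured `xz --version` and `ldd` output from other machines.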