3 min read

SSH backdoor via liblzma / xz

A fascinating sequence of events around an SSH backdoor that had been slipped into XZ utils by someone who had been contributing to the project for 2 years, gaining trust. It was discovered by Andres Freund after he noticed an extra 500ms of latency on his SSH connections and he did some digging. Incredible detective work here.

Click the image for the link to the post.

More details here.

The impact of this could have been massive, and the interesting part is how the change made it into the library and was in the process of being included in many major Linux distributions.

Click the image for the link to the post.

A pull request that was part of the attempt to hide the backdoor:

xz: Disable ifunc to fix Issue 60259. by JiaT75 · Pull Request #10667 · google/oss-fuzz
Indirect function support was added to xz on machines that support it for function dispatching. ifunc is not compatible with -fsanitize=address, so this should be disabled for fuzzing builds.

The author of the backdoor has been now subsequently investigated by many across the internet and have found a lot of interesting information about their patterns of work.

Below is a good summary of the timeline of events.

Everything I know about the XZ backdoor
Please note: This is being updated in real time. The intent is to make sense of lots of simultaneous discoveries

There's strong speculation that this was a state actor, and had this supply chain attack been successfully pulled off, the impact could have been pretty significant.

A twist on an XKCD classic

Another important point made by Rob Mensching:

The original maintainer burns out, and only the attacker offers to help (so the attacker inherits the trust of the project built by the maintainer).
A Microcosm of the interactions in Open Source projects
Originally a thread on Twitter about the xz/liblzma vulnerability, when I finished typing it, I realized I had a real world slice of Open Source interaction that deserved more attention.
Backdoor found in widely used Linux utility breaks encrypted SSH connections
Malicious code planted in xz Utils has been circulating for more than a month.

Overall, we seem to have got pretty lucky here - though there's some concern over a possible compromise of libarchive too due to the author of this backdoor having contributed code there.

Hopefully it serves as a sufficient wake-up call for the OSS community to improve processes to fend off these attacks, and ideally, the trillion dollar corporations that benefit from much of this free and open source software could contribute back more to help much more than they currently do.