A vulnerability carefully crafted into the widely used xz Ultils library was about to roll out to popular Linux distributions. Thanks to a vigilant developer and a bit of luck, a bloodbath was avoided.
The open source world has been shocked by a vulnerability that came to light last Friday. CVE-2024-3094 is a backdoor injected into xz Utils, a library ubiquitous in Unix-based operating systems. According to security analysts, this vulnerability could have potentially affected millions of Linux devices and could have been even larger than the infamous SolarWinds hack from 2020.
The vulnerability was spotted by Andres Freund, a developer on Microsoft’s payroll. Freund stumbled upon it by chance: he was troubleshooting performance issues with the SSH protocol in Debian. He discovered that the problems were due to recent updates to xz Utils and subsequently alerted the open source community of an intentional backdoor into the library.
Barely
That message came just in time. CVE-2024-3094 had already made its way to a handful of Linux distributions, including Fedora, Kali, openSUSE, and test builds of Debian. The attackers’ ultimate goal was to spread the vulnerability through popular Linux distributions from Red Hat, Debian, and Ubuntu.
The backdoor itself is technically complex, so the attackers knew very well what they were doing. It uses an unknown feature in xz that is only activated when the library is loaded on an affected distribution. The SSH verification code is changed so that attackers can obtain the keys to the device on which the library is loaded.
Against the flow
It is unknown who was behind the attack, but one of the key figures is a developer who operated under the alias Jia Tan. In any case, the perpetrator(s) had patience: Jia Tan first made himself heard in 2021. From 2023 onwards, Tan got xz Utils in his sights. Together with accomplice accounts, he personally targeted the library administrator and accused him of rolling out too few updates for xz Utils.
Tan then started making contributions himself and becoming increasingly involved in the management of xz Utils. In February, he finally planted the malicious seed in the library and urged developers from Red Hat, Debian, Ubuntu, and other distributions to roll out that update to their operating systems.
So the plan was to work upwards first and take control of xz Utils and then hit users of popular Linux distributions downwards. If that plan had succeeded, the consequences would have been catastrophic.
