Xz Utils Supply-Chain Attack and What it Means for You

The following are notes for a lightning talk I gave at the New York Amateur Computer Club's monthly meeting on 11 April 2024.

The short URL for this page is https://go.glump.net/xz .


Xz Utils is a compression library and set of tools that ship with practically every Linux distribution. At the end of March 2024 a Microsoft engineer discovered that recent releases of Xz Utils had been compromised with a backdoor designed to let an attacker holding a particular secret key gain full access to any system where the code was installed.

This type of compromise is known as a "supply-chain attack". Rather than breaking into the target directly, the attacker plants malicious code somewhere the target trusts and fetches from (a package repository, a dependency, a build tool), and the target then installs the malicious code itself. The two most common forms of supply-chain attacks are:

The attack found in Xz Utils is more insidious: the attacker picked a component of Linux they thought they could influence, and spent years building up trust until they became an authorized maintainer of the project. They then hid obfuscated attack code inside Xz's test files, where binary test data looks perfectly normal; a modified build script extracts that code during the build and injects another layer of the attack into Xz's real source code in the software builder's workspace. That gets compiled and shipped as part of an operating system's software library. The attack code also depends on SSH and systemd, two other components that most Linux servers have installed, to achieve its goal: on the affected distributions the SSH server is linked against a systemd library, that library loads Xz's library, and that is how the backdoor got itself into the login process.

The goal was to get installed on as many Linux systems as possible, so that when the attacker knocks on the door of an infected system over SSH, the attacker is let in and given full access. The attack is set up so that no one else can take advantage of it: if you don't have the attacker's secret key, you can't use the backdoor.
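As an added practical check (not from the talk notes and not the Xz project's own scanner), here is a small POSIX shell script that looks for the two conditions described above that made a host exploitable: one of the backdoored upstream Xz releases installed (5.6.0 and 5.6.1 were the malicious releases), and an sshd binary that links liblzma through systemd. The version matching and the ldd parsing are factored into functions so they can be run against constructed input; the live check is best-effort and assumes the usual /usr/sbin/sshd location when sshd is not on PATH.

```shell
#!/bin/sh
# Added example for this page, not the Xz project's or the talk's own code.
# Two conditions made a host exploitable by the xz backdoor:
#   1. one of the backdoored upstream releases, 5.6.0 or 5.6.1, is installed
#   2. sshd (via libsystemd) links liblzma, so the hooked code runs inside
#      the SSH login process
# Distribution package versions carry suffixes ("5.6.1-1"), so only the
# upstream x.y.z prefix is compared.

# Return 0 (true) if an upstream version string is a known backdoored release.
xz_version_is_backdoored() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read "xz --version" output on stdin and print the upstream version, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if no such line is present.
parse_xz_version_output() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read ldd output on stdin; return 0 if the binary links liblzma.
ldd_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Best-effort live check of this host. Always returns 0 so the file can be
# sourced safely; read the messages, not the exit status.
scan_local_system() {
    if command -v xz >/dev/null 2>&1; then
        v=$(xz --version 2>/dev/null | parse_xz_version_output)
        if [ -z "$v" ]; then
            echo "xz: could not parse version output"
        elif xz_version_is_backdoored "$v"; then
            echo "WARNING: xz $v is a known backdoored release"
        else
            echo "xz $v is not one of the known backdoored releases"
        fi
    else
        echo "xz is not installed"
    fi

    # Assumption: /usr/sbin/sshd is where sshd lives when it is not on PATH.
    sshd_path=$(command -v sshd 2>/dev/null || true)
    if [ -z "$sshd_path" ] && [ -x /usr/sbin/sshd ]; then
        sshd_path=/usr/sbin/sshd
    fi
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_path" 2>/dev/null | ldd_links_liblzma; then
            echo "$sshd_path links liblzma: the backdoor's code path is reachable"
        else
            echo "$sshd_path does not link liblzma"
        fi
    else
        echo "sshd or ldd not found; skipping the linkage check"
    fi
    return 0
}

# Constructed sample inputs (not captured from a real host) showing what the
# parsers see; scan_local_system feeds them real command output instead.
demo_constructed_inputs() {
    printf 'xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n' | parse_xz_version_output
    printf '\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f00)\n' \
        | ldd_links_liblzma && echo "sample ldd output links liblzma"
}

demo_constructed_inputs
scan_local_system
```

A host where both conditions hold is not proven compromised by this check alone (the injected code only activated under specific build and runtime conditions), but it is exactly the population that needed to downgrade and rotate credentials; a host where sshd does not link liblzma at all was not reachable by this particular payload.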

How the Xz Compromise was Discovered

Andres Freund, a software engineer working for Microsoft, was testing software on the "latest" development version of a Linux OS. He noticed an unexpectedly high CPU load at the start of every SSH remote login session, eventually traced the problem to Xz, then looked at Xz's source code, and finally had to dig into the changes in Xz's test scripts and test files to find the malicious code that explained the performance problem.

He quickly published what he found, and the malicious versions of Xz (the 5.6.0 and 5.6.1 releases) were pulled from or reverted in the current builds of Linux operating systems.

The attack was discovered months before the malicious code would have propagated to the mainstream "long-term support" releases of popular Linux OSes. The damage averted is hard to quantify but plausibly runs to billions of dollars: the damage from the attack itself, plus the eventual scramble to fix it had it been found in the wild with a large fraction of the world's servers already compromised.

What Does this Mean for Me?

The Xz Utils supply-chain attack is a rare and extremely dangerous kind of attack: someone with a lot of resources and time spent years building up trust and got their attack payload installed through the proper channels in the proper way, acting as a real author and maintainer of the project they chose as the vector of the attack.

It was only pure luck that a researcher found the problem while testing something completely unrelated, and that this happened months before the code would have been included in major operating system releases that get installed and used for years on systems all over the world, behind the web services you depend on every day.

We can't stop this from happening again. In fact, similar attacks are probably going on right now, perpetrated by different people, using software packages other than Xz as attack vectors. They haven't been discovered yet and may never be discovered.

Nothing can be completely secured. The best we can do is have layers of security that make it harder for any one compromise to drastically affect our lives. Here are some general layers of security you can add to your life to help you get through incidents like this when they become a global disaster:

Andres Freund published his findings on 29 March 2024 in the OSS Security mailing list.

Bleeping Computer reported on the story, and then posted a follow-up about a scanner to help find infected systems.

Fireship did an excellent 4 minute technical summary video about what happened.

Low Level Learning reported on some follow-up analysis done by the community last week.
