The ‘xz’ Back Door
Dan Goodin, writing for Ars Technica:
The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions — specifically, in Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn’t used in production systems. […]

Several people, including two Ars readers, reported that the multiple apps included in the Homebrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. Homebrew has now rolled back the utility to version 5.4.6. Maintainers have more details available here.
There are several notable things about this hack. One is that it was years in the making — “Jia Tan”, the developer who added the back door, had been contributing legit patches to the xz project for years. Another is that it was very subtle: the ultimate goal was a back door in OpenSSH but the attacker(s) put their code in a compression library that was sometimes a dependency for another library that was itself only sometimes a dependency of OpenSSH. Yet another is that it seems nearly miraculous that it was discovered — Andres Freund, the Microsoft engineer who uncovered it, only became suspicious when he noticed that his SSH connections initiated from the command line went from taking about 0.2 seconds to 0.7 seconds. It pays to be picky sometimes!
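The two things a defender can actually check on a host follow directly from the paragraph above: whether the installed xz Utils is one of the two releases named as backdoored (5.6.0 and 5.6.1), and whether the sshd binary reaches the xz library at all, since the whole point of the attack was that sshd only sometimes did. The script below is an added example, not code from this post, from Ars Technica, or from the xz or OpenSSH projects. It assumes the usual first line of `xz --version` output ("xz (XZ Utils) 5.6.1"), that liblzma is the shared library xz Utils ships (which it is), and a default sshd path of /usr/sbin/sshd when sshd is not on PATH; the detection logic sits in small functions so it can be exercised against constructed command output.

```shell
#!/bin/sh
# Added example (not from the article): a defender's host check for the two
# xz Utils releases the article names as back-doored, 5.6.0 and 5.6.1.
# Set XZ_AUDIT=1 to run the checks against this host; otherwise only the
# functions are defined.

# Return 0 (true) when the version string is one of the two known-bad releases.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line is
# assumed to look like "xz (XZ Utils) 5.6.1"; prints nothing if not found.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when `ldd` output for an executable lists liblzma (the shared
# library shipped by xz Utils). The article's point is that sshd reached
# liblzma only indirectly, so this is the question to ask of the sshd
# binary rather than of the xz command itself.
ldd_output_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Classify `xz --version` output: prints BACKDOORED, CLEAN, or UNKNOWN.
classify_xz_output() {
    v=$(xz_version_from_output "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif is_backdoored_xz_version "$v"; then
        echo BACKDOORED
    else
        echo CLEAN
    fi
}

# Run both checks against the local host and print one line per finding.
audit_host() {
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null)
        echo "xz: $(classify_xz_output "$out") ($(xz_version_from_output "$out"))"
    else
        echo "xz: not installed"
    fi
    # Assumed default location when sshd is not on PATH.
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd_output_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "sshd: links liblzma (review the xz version above)"
        else
            echo "sshd: does not link liblzma"
        fi
    else
        echo "sshd: not found or ldd unavailable"
    fi
}

if [ "${XZ_AUDIT:-0}" = 1 ]; then
    audit_host
fi
```

Run it with `XZ_AUDIT=1 sh xz_check.sh` on a Linux host. A CLEAN version with sshd not linking liblzma is the expected result on a patched system; a host where sshd does link liblzma is worth the extra look regardless of version, because that linkage is exactly the path the back door relied on.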
More from Goodin here, including a good overview diagram.
Question 1: How do we keep this from happening again?
Question 2: How do we know similar back doors haven’t been successfully put in place already?
Evan Boehs: “Everything I Know About the XZ Backdoor”.