The xz project, whose compression tool and liblzma library are used by most Linux distributions, was compromised by a malicious actor who gradually took over the project and inserted a backdoor.
The attack was discovered by chance on March 29, 2024, by developer Andres Freund during performance testing. It had been prepared over several years by the GitHub account Jia Tan (JiaT75), who gained the trust of the long-time maintainer of the xz project and eventually replaced them as the main point of contact.
The backdoor was added in versions 5.6.0 and 5.6.1 of xz Utils, the software package that contains the xz tool and the liblzma library. On an affected system the backdoored liblzma is loaded into the OpenSSH server process and gives an attacker who holds the matching private key unauthorized remote access.
The impact of this backdoor is significant because of xz's use in systems around the world, including the development branches of popular Linux distributions such as Fedora (Red Hat) and Debian, which shipped the affected versions before the backdoor was found.
In this blog post, we will provide a timeline of the events, look at the key people involved, and discuss what this incident means for the open-source community and the importance of maintaining the security and integrity of widely-used software libraries.
Key Findings
Gaining Reputation Over Time
The xz compression library, a widely used tool found across Linux distributions, community projects, and commercial products, was compromised by a malicious actor using the name Jia Tan (JiaT75). The actor gradually and patiently gained maintainer status in order to pull off the attack, ultimately introducing the backdoor tracked as CVE-2024-3094.
The attack began in 2021, when Jia Tan created their GitHub account and started contributing to open-source projects to build a track record.
In April 2022, Jia Tan submitted a patch to the xz project via its mailing list. Soon after, previously unknown accounts, including ones named Jigar Kumar and Dennis Ens, began pressuring the long-time maintainer of xz, Lasse Collin, to merge the patch and to add a new maintainer to the project. Lasse Collin, who had limited time to care for the project, eventually agreed to add Jia Tan as a maintainer. That decision is not unusual in the open-source community, where maintainers often hand projects off to others for a variety of reasons.
Over the next two years, Jia Tan became a regular contributor to the xz project, gaining trust within the community.
By March 2023, Jia Tan had become the primary contact for xz in Google's OSS-Fuzz, a platform for finding vulnerabilities in open-source software through continuous fuzzing.
Most Sophisticated Supply Chain Attack We Know
The backdoor itself was introduced in versions 5.6.0 and 5.6.1 of xz Utils, the software package that contains the liblzma library. The malicious code is injected into liblzma during the build of the release tarballs, not visible in the source repository itself, and it activates when the library is loaded into the OpenSSH server process (sshd), which on several distributions links liblzma indirectly through libsystemd. Once active, it hooks sshd's RSA key handling so that an attacker holding the right private key can gain unauthorized access, making it a significant threat to users of the library.
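As an added example, not code from the original post or from the xz project, here is the host check a practitioner would have run after the disclosure. It turns the two facts above (the affected releases are 5.6.0 and 5.6.1, and sshd is exposed only when it actually loads liblzma) into small shell functions that take the `xz --version` banner and the `ldd sshd` listing as text, so the logic can be exercised offline on constructed samples before running it live. The binary path, the banner format and the sample `ldd` output are assumptions for the example.

```shell
#!/bin/sh
# Added example: classify a host by its xz version and by whether sshd loads liblzma.
# Assumes the affected releases are exactly 5.6.0 and 5.6.1 and that the banner
# has the form "xz (XZ Utils) X.Y.Z" (first line of "xz --version").

# Extract the version number from an "xz --version" banner line.
#   parse_xz_version "xz (XZ Utils) 5.6.1"  -> prints "5.6.1"
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) if the version is one of the two backdoored releases.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# True (exit 0) if an "ldd" listing shows liblzma among the loaded libraries.
# The argument is the full text of the ldd output.
ldd_loads_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both signals into a one-word verdict:
#   vulnerable  backdoored liblzma installed AND sshd loads it
#   suspect     backdoored liblzma installed but sshd does not load it
#   clean       installed xz is not one of the affected releases
classify_host() {
    ver=$(parse_xz_version "$1")
    if ! is_backdoored_version "$ver"; then
        echo clean
    elif ldd_loads_liblzma "$2"; then
        echo vulnerable
    else
        echo suspect
    fi
}

# Constructed sample of what "ldd /usr/sbin/sshd" looks like on a distribution
# whose sshd pulls in libsystemd and therefore liblzma (not captured from a real host).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffc0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f200000)'

if [ "${1:-}" = "--live" ]; then
    # Live mode: read the real banner and the real sshd dependency list.
    banner=$(xz --version 2>/dev/null | head -n 1)
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    deps=$(ldd "$sshd_bin" 2>/dev/null)
    echo "xz banner: $banner"
    echo "verdict:   $(classify_host "$banner" "$deps")"
else
    # Offline demonstration on the constructed sample.
    echo "sample verdict (5.6.1 + liblzma in sshd): $(classify_host 'xz (XZ Utils) 5.6.1' "$SAMPLE_LDD")"
    echo "sample verdict (5.4.6):                   $(classify_host 'xz (XZ Utils) 5.4.6' "$SAMPLE_LDD")"
fi
```

Run it with `--live` on a Linux host to get a verdict for that machine; without arguments it only exercises the constructed sample. Note that "clean" here means only that the packaged release is not 5.6.0 or 5.6.1; it says nothing about a liblzma that was rebuilt from a tampered tarball under a different version string, so package-level verification (checksums, vendor advisories) is still required.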
A Discovery
The backdoor was discovered by chance on March 29, 2024, by Andres Freund during routine performance testing. Freund noticed that the sshd process was consuming far more CPU than expected during logins, which led him to investigate further and uncover the malicious code. Without this accidental discovery, the backdoor could have gone unnoticed for much longer and reached a large part of the open-source ecosystem.
Impact
The impact of the backdoor could have been particularly severe because xz is used to compress critical software components and is shipped by popular Linux distributions, including the development branches of Fedora (Red Hat) and Debian. Many systems worldwide rely on xz for compressing and decompressing files, so the potential reach of the backdoor was extensive.
Advanced Persistent Threat
Several features of this campaign point to a well-resourced adversary: the use of multiple coordinated identities, the complexity of the payload, the high level of technical expertise required, and the patience and persistence shown in gradually gaining trust within the xz community over several years before introducing the backdoor. All of these are consistent with the capabilities of nation-state actors and are hallmarks of advanced persistent threats (APTs).
This incident is part of a growing and alarming trend of advanced persistent threats (APTs) targeting critical open-source projects.
Conclusion
The xz compromise highlights the urgent need for the open-source community to improve its security practices and tools to prevent similar attacks in the future. Collaboration, transparency, and shared responsibility are essential to detecting and mitigating advanced persistent threats (APTs) targeting critical open-source projects.
We, the community, must develop more effective strategies to strengthen the security of open-source software. By learning from this incident and taking proactive measures, the open-source community can build a more resilient and trustworthy ecosystem, ensuring the long-term success and integrity of open-source projects in the face of ever-evolving cybersecurity threats.
Let us work together to keep the open-source ecosystem safe.
The Checkmarx Security Research Team continuously investigates potentially vulnerable websites, applications, APIs, devices, open source packages, and other software-driven technologies. The team is dedicated to examining, discovering, replicating, classifying, and responsibly disclosing vulnerabilities in software as part of their ongoing efforts to drive the necessary changes in the software security practices among organizations worldwide. The team often provides examples of what common pitfalls to look out for, how to lessen common coding errors, and what to avoid when developing software. Their highly respected research, secure coding guides, blogs, and reports are largely noted as some of the best in the industry.