XZ Backdoor: Everything You Need to Know


On Friday, a Microsoft developer shook the world when he revealed that a backdoor had been deliberately planted in XZ Utils, an open source tool that ships with almost all Linux systems and other Unix operating systems. The person or people behind the project must have spent many years on the work. They must have been very close to seeing the backdoored update included in Debian and Red Hat, the two major Linux distributions, when the eagle-eyed programmer noticed something.

“This may be the most sophisticated attack we’ve ever seen publicly, and it’s very complex: malicious, sophisticated, high-level validation in a widely used library,” said software and cryptography expert Filippo Valsorda of the effort, which was on the verge of succeeding.

Investigators spent the weekend gathering information. Here’s what we know so far.

What is XZ Utils?

XZ Utils is almost everywhere in Linux. It provides lossless data compression on almost all Unix operating systems, including Linux. XZ Utils provides essential compression and decompression functions for all kinds of operations. XZ Utils also supports the legacy .lzma format, which makes it even more widely used.

What happened?

Andres Freund, a developer and engineer who works on Microsoft’s PostgreSQL offering, was recently troubleshooting problems that Debian was experiencing with SSH, a protocol widely used for remote access to devices over the Internet. In particular, SSH logins were consuming too much CPU and were throwing errors in a memory-analysis tool.

Through luck and Freund’s careful eye, he eventually discovered that these problems were the result of changes made to XZ Utils. On Friday, Freund took to the Open Source Security list to reveal that the changes were the result of someone deliberately planting a backdoor in the compression utility.

What Does a Backdoor Do?

Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 changed the way the software worked when performing operations related to .lzma compression or decompression. When SSH made use of these functions, the malicious code was executed with root privileges. This code allowed someone holding a predetermined encryption key to log into the backdoored system via SSH. From then on, that person would have the same level of control as any legitimate administrator.

How Did This Back Door Come to Be?

It seems that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open source project. In hindsight, that change to the libarchive project is suspicious, because it replaced the safe_fprintf function with a variant that is recognized as less secure. No one noticed at the time.

A year later, JiaT75 submitted a patch to the XZ Utils mailing list, and, almost immediately, a previously unseen Jigar Kumar joined the discussion and complained that Lasse Collin, the long-time maintainer of XZ Utils, was not updating the software often or quickly enough. Kumar, with the help of Dennis Ens and several other people who had never been seen on the list before, convinced Collin to bring in another maintainer to keep the project going.

In January 2023, JiaT75 made their first commit to XZ Utils. In the following months, JiaT75, who used the alias Jia Tan, became heavily involved in XZ Utils activities. For example, Tan replaced Collin and his colleagues as the project’s contact at oss-fuzz, a project that scans open source software for exploitable vulnerabilities. Tan also requested that oss-fuzz disable ifunc (indirect function) support during testing, a change that prevented the detection of any malicious changes that Tan might soon make to XZ Utils.

In February this year, Tan released versions 5.6.0 and 5.6.1 of XZ Utils. Both releases contained the backdoor. In the following weeks, Tan or others asked the developers of Ubuntu, Red Hat, and Debian to incorporate the changes into their OSes. Eventually, one of the two releases made its way into several distributions, according to security company Tenable. There is more about Tan and the timeline here.

Can You Say More About What This Backdoor Does?

In short, it allows someone with the right private key to hijack sshd, the executable file that handles SSH connections, and from there issue malicious commands. The backdoor is implemented through a five-stage loader that uses simple but clever techniques to hide itself. It also provides a way to deliver new payloads without major changes being required.
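The two sections above name the concrete things a defender can check on a host: whether the installed xz is one of the two backdoored releases (5.6.0 or 5.6.1), and whether the local sshd binary loads liblzma, the shared library XZ Utils provides, which is the path by which the malicious code reached SSH. The following POSIX shell script is an added example written for this page, not code from the article or from the XZ Utils project. The version-detection and library-detection logic is kept in small functions that work on text, so it can be tested offline against the constructed sample `ldd` output embedded below; the live checks at the bottom only run when `xz`, `sshd` and `ldd` are actually present.

```shell
#!/bin/sh
# Added example (not from the article): audit a host for the XZ Utils releases
# named in the text and for an sshd that links liblzma.

# is_affected_version VERSION -> exit 0 if VERSION is 5.6.0 or 5.6.1, else 1
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# version_from_banner "xz (XZ Utils) 5.6.1" -> prints "5.6.1"
# Picks the first whitespace-separated token that looks like N.N.N.
version_from_banner() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
    }'
}

# sshd_links_liblzma LDD_OUTPUT -> exit 0 if liblzma appears in the ldd listing
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Constructed sample ldd output (not captured from a real machine): the first
# resembles a distribution sshd that pulls in libsystemd and, through it,
# liblzma; the second is an sshd without that dependency.
SAMPLE_LDD_LINKED='linux-vdso.so.1
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6'
SAMPLE_LDD_CLEAN='linux-vdso.so.1
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6'

# audit_host: run the live checks, skipping anything the host does not have.
audit_host() {
    if command -v xz >/dev/null 2>&1; then
        banner=$(xz --version 2>/dev/null | head -n 1)
        ver=$(version_from_banner "$banner")
        if is_affected_version "$ver"; then
            echo "WARNING: xz $ver is one of the backdoored releases (5.6.0/5.6.1)"
        else
            echo "xz version ${ver:-unknown}: not 5.6.0 or 5.6.1"
        fi
    else
        echo "xz not found on this host"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if sshd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "NOTE: $sshd_path links liblzma; a backdoored xz would be loaded into sshd"
        else
            echo "$sshd_path does not link liblzma"
        fi
    else
        echo "sshd or ldd not available; skipping library check"
    fi
}

audit_host
```

A version match alone means the host has the backdoored code on disk; the liblzma check tells you whether sshd would actually load it, which is the combination the article describes as the exposure. Either finding is a reason to roll xz back to a release outside 5.6.0/5.6.1 from the distribution and restart sshd.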

Researchers who have reverse-engineered the update have a lot to say about the backdoor. Developer Sam James has provided a summary here.
