Backdoor discovered in popular Linux compression utility breaks encrypted SSH connections

2024-03-30 21:33:00

Researchers have discovered a malicious backdoor in a compression tool that infiltrated widely used Linux distributions, including those from Red Hat and Debian. The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it.

There are no known reports of these versions being included in production releases of major Linux distributions, but Red Hat and Debian have reported that recently released beta versions use at least one of the backdoored versions, specifically Fedora Rawhide and Debian's testing, unstable and experimental distributions. A stable version of Arch Linux is also affected. However, this distribution is not used in production systems.

Because the backdoor was discovered before malicious versions of xz Utils were added to production versions of Linux, “it doesn’t affect anyone in the real world,” said Will Dormann, principal vulnerability analyst at the security firm Analygence. “But that’s only because it was discovered quickly due to the negligence of a bad actor. If it had not been discovered, it would have been catastrophic for the whole world.”

Introduction of the backdoor

On February 23, an update added obfuscated code, and the following day, a malicious installation script injected itself into the functions used by sshd, the binary that makes SSH work. The malicious code is only present in the archived versions (known as tarballs) that are released upstream. The Git code available in the repositories is not affected, although it contains second-stage artifacts that allow the injection during the build. If the obfuscated code introduced on February 23 is present, the artifacts in the Git release allow the backdoor to work.

The malicious edits were submitted by JiaT75, one of the two main developers of xz Utils with years of contributions to the project. Andres Freund, the developer who discovered the backdoor, noted that given the activity over several weeks, the contributor is either directly involved or their system has been compromised quite severely. “Unfortunately, the latter explanation seems the least likely, given that he has been posting on various lists about ‘fixes’ provided in recent updates,” he continued.

On Thursday, someone using the developer’s name took to a developer site for Ubuntu to request that the backdoored version 5.6.1 be incorporated into production builds because it fixed bugs that caused a tool known as Valgrind to malfunction.

“This could disrupt build scripts and testing pipelines that expect specific results from Valgrind to succeed,” the person warned, from an account created the same day.

One of Fedora’s maintainers said Friday that the same developer had approached him in recent weeks to request that Fedora 40, a beta version, incorporate one of the backdoored releases of the utility.

“We even worked with him to fix the valgrind issue (which turned out to be caused by the backdoor he added),” the maintainer said. “He’s been part of the xz project for two years, adding all kinds of binary test files, and with this level of sophistication we would be wary of older versions of xz until proven otherwise.”

According to the researchers, the malicious versions intentionally interfere with authentication performed by SSH, a protocol commonly used to remotely log into systems. SSH provides strong encryption to ensure that only authorized parties connect to a remote system. The backdoor is designed to allow a malicious actor to break authentication and, from there, gain unauthorized access to the entire system. The backdoor works by injecting code during a key phase of the login process.

“I have not yet analyzed precisely what is checked in the injected code to allow unauthorized access,” Freund wrote. “Given that this code is executed in a preauthentication context, it seems likely that it enables some form of access or other form of remote code execution.”

In some cases, the backdoor failed to work as expected. The Fedora 40 build environment, for example, contains incompatibilities that prevent injection from occurring correctly. Fedora 40 has now reverted to xz Utils versions 5.4.x.

xz Utils is available for most Linux distributions, but not all include it by default. Anyone using Linux should immediately check with their distribution’s maintainers to see if their system is affected. Freund provided a script to detect whether an SSH system is vulnerable.

Several people reported that applications included in the Homebrew package manager for macOS were using xz Utils version 5.6.1 with the backdoor. Homebrew has since downgraded the utility to version 5.4.6.

Affected distributions

Red Hat warned Friday that a malicious backdoor discovered in the widely used xz data compression software library may be present in instances of Fedora Linux 40 and the Fedora Rawhide developer distribution. Red Hat said the malicious code, which appears to provide remote access via OpenSSH and systemd at least, is present in xz 5.6.0 and 5.6.1. The vulnerability has been assigned CVE-2024-3094 and carries a CVSS severity score of 10 out of 10.

Fedora Linux 40 users may have received version 5.6.0, depending on when their system was updated, according to Red Hat. Users of Fedora Rawhide, the current development version of what will become Fedora Linux 41, may have received version 5.6.1. Fedora versions 40 and 41 have not yet been officially released; version 40 should be released next month.

Users of other Linux distributions and operating systems should check which version of the xz suite they have installed. The infected versions, 5.6.0 and 5.6.1, were released on February 24 and March 9, respectively, and may not have made it into many people’s deployments.
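The two checks the article recommends, a look at the installed xz version and a look at whether the local sshd can reach liblzma, can be scripted. The following is an added example written for this page; it is not Freund's detection script and not code from the xz project. Only the affected version numbers (5.6.0, 5.6.1) and the fact that the library reaches sshd through systemd come from the article; the function names, the parsing of `xz --version` output and the use of `ldd` (which lists transitive dependencies, so liblzma appears even though sshd does not link it directly) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article, the xz project or Freund's script):
# a defender-side check for the two indicators the article gives.
#   1. Is the installed xz one of the backdoored releases, 5.6.0 or 5.6.1?
#   2. Does the local sshd end up loading liblzma? The article explains the
#      library reaches sshd via systemd; ldd lists transitive dependencies,
#      so liblzma shows up there even though sshd does not link it directly.

# Return 0 when $1 is one of the two affected release versions.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line is
# "xz (XZ Utils) <version>". Prints the version, or nothing if unparseable.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when the given ldd output lists liblzma among the loaded libraries.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run both checks against the local machine and print findings. Always returns
# 0 so that sourcing this file never aborts a caller; read the output instead.
check_system() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if is_affected_xz_version "$ver"; then
            echo "WARNING: xz $ver installed; this release is backdoored, downgrade to 5.4.x"
        else
            echo "xz version ${ver:-unknown}: not one of the affected releases"
        fi
    else
        echo "xz not installed"
    fi

    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if ldd_links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
            echo "NOTE: $sshd_bin loads liblzma (typically via libsystemd); a backdoored liblzma could reach it"
        else
            echo "$sshd_bin does not load liblzma"
        fi
    else
        echo "sshd or ldd not found; skipping link check"
    fi
    return 0
}

check_system
```

A version match is the decisive signal; the liblzma link check only tells you whether the sshd build on this host is one the backdoor could have reached, which is why a distribution's own advisory remains the authority on whether a given package build is affected.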

This supply chain compromise may have been detected early enough to prevent widespread exploitation, and it may only be affecting cutting-edge distros that immediately picked up the latest versions of xz.

Debian Unstable and Kali Linux indicated that they, like Fedora, were affected; all users should take steps to identify and remove any backdoored versions of xz.

“Please immediately stop using any instance of Fedora Rawhide for your work or personal activities,” the IBM subsidiary said. “Fedora Rawhide will be downgraded to version xz-5.4.x soon. Once this is done, Fedora Rawhide instances can be safely redeployed.”

Red Hat Enterprise Linux (RHEL) is not affected.

SUSE has released a hotfix for openSUSE users.

The malicious code in xz versions 5.6.0 and 5.6.1 has been obfuscated, according to Red Hat, and is only present in the source code archive. Second-stage artifacts in the Git repo are transformed into malicious code through the M4 macro in the repo during the build process. The resulting poisoned xz library is unknowingly used by software, such as systemd, after the library has been distributed and installed. The malware appears to have been designed to alter the operation of OpenSSH server daemons that use the library via systemd.

“The resulting malicious version interferes with authentication in sshd via systemd,” explains Red Hat. “SSH is a commonly used protocol for connecting to systems remotely, and sshd is the service that allows access.”
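Because the malicious build script shipped only in the release tarball while the Git tree stayed clean, a simple defensive habit is to compare an unpacked release archive against a `git archive` export of the matching tag and review what the tarball adds or changes. The script below is an added example written for this page, not code from the xz project or any of the cited advisories. The comparison logic is generic; the directory layout and file names it builds for the demonstration (`m4/constructed-extra.m4` and friends) are constructed, and no real xz release is read.

```shell
#!/bin/sh
# Added example (not from the article or the xz project): compare an unpacked
# release tarball with a `git archive` export of the matching tag and report
# (a) files only the tarball has and (b) files whose contents differ.
# Autotools releases legitimately add generated files (configure, Makefile.in,
# some m4/ macros), so the output is a review list, not a verdict; the xz
# case shows why tarball-only m4 entries are the ones to read first.
# Directory layout and sample file names below are constructed for the demo.

# Print "only-in-tarball <path>" for files under $1 missing from $2, and
# "differs <path>" for files present in both with different contents.
# Paths are relative; output is sorted in C order so it is reproducible.
compare_release_to_git() {
    tarball_dir=$1
    git_dir=$2
    ( cd "$tarball_dir" && find . -type f ) | sed 's|^\./||' | LC_ALL=C sort |
    while IFS= read -r path; do
        if [ ! -e "$git_dir/$path" ]; then
            printf 'only-in-tarball %s\n' "$path"
        elif ! cmp -s "$tarball_dir/$path" "$git_dir/$path"; then
            printf 'differs %s\n' "$path"
        fi
    done
}

# Return 0 when the comparison flags at least one tarball-only .m4 file, the
# category the article's description of the build-time injection points at.
has_tarball_only_m4() {
    compare_release_to_git "$1" "$2" | grep -q '^only-in-tarball .*\.m4$'
}

# Build two constructed trees: a "release" with one extra macro file and one
# modified Makefile.am, and the "git" tree they should be compared against.
# Prints the temporary working directory.
demo_dirs() {
    work=$(mktemp -d)
    mkdir -p "$work/tarball/m4" "$work/git/m4"
    echo 'AC_INIT([demo], [1.0])' > "$work/tarball/configure.ac"
    cp "$work/tarball/configure.ac" "$work/git/configure.ac"
    echo 'dnl shared macro' > "$work/tarball/m4/common.m4"
    cp "$work/tarball/m4/common.m4" "$work/git/m4/common.m4"
    echo 'dnl present only in the release archive' > "$work/tarball/m4/constructed-extra.m4"
    echo 'EXTRA_DIST = m4' > "$work/tarball/Makefile.am"
    echo 'EXTRA_DIST =' > "$work/git/Makefile.am"
    echo "$work"
}

work=$(demo_dirs)
compare_release_to_git "$work/tarball" "$work/git"
rm -rf "$work"
```

For a real release you would unpack the tarball into one directory, run `git archive <tag> | tar -x -C <other directory>` for the second, and then read every flagged `.m4` and build-script file rather than assuming generated files are harmless.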

Conclusion

This authentication interference can allow an attacker to break sshd authentication and remotely gain unauthorized access to an affected system. In summary, the backdoor appears to work as follows: Linux machines install the xz library – more precisely, liblzma – and this dependency is ultimately used in some way by the computer’s OpenSSH daemon. At this point, the poisoned xz library is able to interfere with the daemon and allow an unauthorized attacker to connect remotely.

This finding underscores the importance of security in the software supply chain and the potential risks to SSH systems. It is essential to closely monitor updates and verify the integrity of tools and libraries used in Linux distributions and other operating systems.

Sources: Andres Freund, Homebrew, Ubuntu, Red Hat CVE-2024-3094, Red Hat security advisory, SUSE, Debian

What about you?

What is your opinion on security in the software supply chain? Do you think software developers and maintainers should be more careful when integrating third-party updates or libraries?
How might this affect user trust in Linux distributions and open source tools? Could the discovery of this backdoor lead to increased distrust of open source software? How can open source projects build user trust?
What additional security measures should be put in place to detect and prevent such threats? How can we improve early detection of backdoors and vulnerabilities in widely used software?
What role do businesses and organizations play in verifying the security of the software they use? Should they invest more in independent security audits to ensure the tools they use are free of backdoors?
How can we make users and developers more aware of the importance of software security? What educational or awareness initiatives could help prevent such situations in the future?
