How one volunteer stopped a backdoor from exposing Linux systems around the world

Linux, the world’s most widely used open source operating system, narrowly escaped a massive cyberattack over the Easter weekend, all thanks to a volunteer.

The backdoor had been inserted into recent releases of a Linux compression utility called XZ Utils, a tool little known outside the Linux world but used in almost every Linux distribution to compress large files, making them easier to transfer. Had it spread more widely, countless systems could have been compromised for years.

And as detailed technical analyses of the attack have noted, the culprits had been working on the project in public.

The backdoor hooked into Linux remote logins, responding only to a single key and therefore hiding from scans of publicly reachable computers. As Ben Thompson writes in Stratechery: “Most of the computers in the world are vulnerable, but no one would know it.”

The story of the discovery of the XZ backdoor began in the early morning of March 29, when Andres Freund, a Microsoft developer in San Francisco, posted on Mastodon and sent an email to Openwall’s security mailing list with the title: “backdoor in upstream xz/liblzma leading to ssh server compromise.”

Freund, who volunteers as a “maintainer” for the Linux-based database PostgreSQL, had noticed something strange while running tests over the preceding few weeks: encrypted logins involving liblzma (part of the XZ compression library) were using a lot of CPU. Freund wrote on Mastodon that none of the performance tools he used revealed anything. This immediately made him suspicious, and he remembered that a few weeks earlier a Postgres user had made “weird complaints” about Valgrind, the Linux program that checks for memory errors.

After some sleuthing, Freund finally discovered the problem. “The upstream xz repository and xz tarball have been backdoored,” Freund noted in the email. The malicious code resides in versions 5.6.0 and 5.6.1 of the xz tool and library.
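The two release numbers named above are the one concrete indicator the article gives, and the remediation the distributions chose was a downgrade to 5.4.x. The following POSIX shell script is an added example, not code from the article or from the XZ Utils project: it parses `xz --version` output for an affected release and checks whether the local `sshd` binary links liblzma, the library the backdoor lived in. The sample `xz --version` and `ldd` outputs embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or the XZ Utils project): flag the two
# xz/liblzma releases the article names as backdoored and report whether the
# local sshd links liblzma.

# Constructed sample outputs, used when running the checks offline.
SAMPLE_XZ_VERSION="xz (XZ Utils) 5.6.1
liblzma 5.6.1"
SAMPLE_LDD="	linux-vdso.so.1 (0x00007ffd1c3f2000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2a4c1d0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a4bf00000)"

# Return 0 (true) when the version string is one of the affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the release number from the first line of "xz --version" output.
# Prints nothing when the text does not look like xz's version banner.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the given ldd output lists liblzma.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Run both checks against the local machine, if the tools are present.
check_local_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "xz $ver: affected release; distributions reverted to xz-5.4.x"
        else
            echo "xz ${ver:-unknown}: not one of the two affected releases"
        fi
    else
        echo "xz not found on this host"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if sshd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "$sshd_path links liblzma (the library the backdoor hid in)"
        else
            echo "$sshd_path does not link liblzma"
        fi
    fi
}

check_local_host
```

A distribution may ship a patched package that still reports a 5.6.x version string, and a host that never links liblzma into sshd was not exposed through this path; treat the version match as a prompt to consult your distribution's advisory, not as a verdict on its own.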

Shortly after, enterprise open source software company Red Hat issued an emergency security alert to Fedora Rawhide and Fedora Linux 40 users. Ultimately, the company concluded that the Fedora Linux 40 beta contained two affected versions of the xz library. Fedora Rawhide releases may also have received version 5.6.0 or 5.6.1.

Please immediately stop using any Fedora RAWHIDE instance for work or personal activities. Fedora Rawhide will be reverted to xz-5.4.x soon, and once completed, Fedora Rawhide instances can be safely redeployed.

Although a beta version of free Linux distribution Debian contained compromised packages, its security team moved quickly to restore them. “No stable releases of Debian are currently known to be affected,” Debian’s Salvatore Bonaccorso wrote in a security alert to users on Friday evening.

Freund later identified the person who submitted the malicious code as one of the two main developers of XZ Utils, namely JiaT75 or Jia Tan. “Given the weeks of activity, the committer was either directly involved or suffered some pretty serious compromise of their systems. Unfortunately, the latter explanation seems unlikely, considering they communicated on various lists regarding the aforementioned ‘fixes’,” Freund wrote in his analysis, linking to several fixes proposed by JiaT75.

JiaT75 is a familiar name: they’ve worked side by side for some time with Lasse Collin, the original developer of the .xz file format. As programmer Russ Cox noted in his timeline, JiaT75 first sent an apparently legitimate patch to the XZ mailing list in October 2021.

A few months later, as other parts of the scheme unfolded, two other identities, Jigar Kumar and Dennis Ens, began emailing Collin to complain about bugs and the slow development of the project. However, as Evan Boehs and others have pointed out, “Kumar” and “Ens” have never appeared outside of the XZ community, leading investigators to believe both are fakes that existed solely to help Jia Tan step up and deliver the backdoor code.

An email from “Jigar Kumar” pressured the developer of XZ Utils to relinquish control of the project.
Image: screenshot of mail archive

“I’m sorry for your mental health issues, but it’s important to know your limits. I know this is a hobby project for all contributors, but the community wants more,” Ens wrote in one message thread, while Kumar said in a separate message that “no progress will be made unless there are new maintainers.”

During this back-and-forth, Collin wrote, “I have not lost interest, but my ability to care for this has been quite limited, primarily due to long-term mental health issues, but also due to a number of other reasons,” and suggested that Jia Tan take a bigger role. “It’s best to remember this is a pro bono hobby project,” he concluded. Emails from “Kumar” and “Ens” continued until later that year, when Tan was added as a maintainer, gaining the permissions to make changes and attempt to get backdoored packages into Linux distributions.

The xz backdoor incident and its aftermath are an example of the beauty of open source and the staggering vulnerabilities in the Internet’s infrastructure.

Developers behind the popular open source media package FFmpeg highlighted this issue in a tweet, saying: “The xz fiasco shows how reliance on unpaid volunteers can lead to serious problems. Trillion-dollar companies expect free and urgent support from volunteers.” They also brought receipts, noting how they had dealt with a “high priority” bug affecting Microsoft Teams.

Despite Microsoft’s dependence on its software, the developers wrote that “after politely requesting a long-term maintenance support contract from Microsoft, they offered a one-time payment of several thousand dollars… for maintenance and sustainability. The investment is unglamorous and may not lead to a promotion for the middle manager, but will pay off a thousandfold over the years.”

A group of developers and cybersecurity professionals are taking to social media and online forums to uncover details about who is behind “JiaT75”, how they carried out their plan, and the extent of the damage. But this is happening without direct financial support from the many companies and organizations that benefit from using secure software.
