XZ-Backdoor: An Agent Thriller
10.04.2024
Falk Krämer
Falk Krämer
First things first, our products are not affected*
What Happened?
In SSH, one of the most important administration tools, a backdoor almost found its way into almost all major Linux distributions[1].
The Plot
Since 2009, Jesse Collin has been the only developer and maintainer running an open source project for a library that compresses data. He is overwhelmed and mentally distressed. In 2021, a developer under the name Jia Tan offers him support. He gains his trust and is able to take more and more control over the project. He exploits this to install a backdoor, which then finds its way into the release version in January 2024. The backdoor is “only” accessible if the compression library is linked to an SSH server.
Subsequently, various people exerted subtle pressure on the distributions to include the new version after all. This did happen, but until the backdoor was discovered, the compromised version was only included in the pre-release versions. Greater damage was thus avoided.
Scene change: Andres Freund, a PostgreSQL developer with German roots, conducts performance tests in his spare time. He did a “micro-benchmarking”, as he said, to reduce the “noise”. He noticed that between two versions of SSH, the system load during a login increased slightly and the process took around 500 ms longer than before. He meticulously investigated the matter further and came across further suspicions. He went public with his findings and shared his knowledge with security experts.
The pieces of the puzzle were quickly put together. It turned out that a rather perfidious backdoor had been installed. It was not introduced in the library code, but in the testing routines. These receive little attention and are not normally compiled for a release package. In this case, however, Jia Tan had ensured that the compromised code was also included in the finished packages.
*Why we are not affected:
- We compile everything ourselves. The testing code cannot sneak into our system due to the way we work.
- The affected version of Debian is still unstable/testing. We follow Debian stable or oldstable.
- systemd is necessary to exploit the backdoor, which we do not use.
References:
[1]: “Everything I Know About the XZ Backdoor”: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
[2]: Kevin Beaumont, a well-respected security researcher, assesses the situation: https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd