The recently discovered XZ backdoor

111 viewsOtherTechnology

Saw some twitter posts about it and seems like an interesting story, but all the discussion I’ve seen assumes some base technical understanding. I’m unfamiliar with Linux and even concepts like what a backdoor is I can at best guess a surface level meaning.

In: Technology

5 Answers

Anonymous 0 Comments

It allows the encryption keys used by ssh (software for controlling the system over a network) to be exposed to an attacker.

You normally enter your house from the front door right? Well you do that with a computer too. A backdoor is software that an attacker manages to install on someones system that allows them to access it without having permission.

Anonymous 0 Comments

There is a popular ziping library for Linux called XZ.

Someone (probably the maintainer) managed to embed a malware in the latest version of it that goes to SSH (Remote desktop for terminals) and disables certain security features letting someone who knows they have been disabled remote in to a server with an open SSH port.

Once in, they can do whatever they want

Anonymous 0 Comments

xz is a compression utility – similar in concept to making .zip files. Its main use is lossless compression for command line utilities, which is to say that it guarantees when it is uncompressed the result is a byte-for-byte clone of the original data. It’s used by a lot of important security software, and is included as a library for many other utilities. A library is just a term used for tools used by other tools.

On 2/23 a trusted developer on the project committed (added) some code that was obfuscated (not clear in what it does), and since that developer was trusted that code made its way into a release of xz that people could install. It’s unclear whether that person did it intentionally or had their system compromised or some other explanation, but it doesn’t look good.

The back door part comes into play with one of the main ways xz is used – SSH. SSH is an encrypted protocol between two machines where text commands can be exchanged, allowing a user to interact with a server. It’s a very common utility in the Linux world and the security of this communication is critical. The back door means that the connection is no longer private and could allow an attacker to insert their own text commands into the secure connection.

ELI5 version – you are having a private text exchange with a friend, but someone slipped in to the convo and is reading your texts, and even sending new ones to your friend telling them lies and to do things they shouldn’t – all as if it was coming directly from you.

People may have installed a compromised version during the month this was in the wild. However many of the safer versions of Linux (the kinds that run on servers) take 6+ months to include new updates like this, so it’s only people who are running the very latest of everything that would have been affected. That doesn’t mean someone who installed it was actually compromised- just that they were at risk during the time.

You can read more here: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

Anonymous 0 Comments

Just adding to what others here have answered: unless you use a bleeding edge or pre-release version of a Linux distribution (Gentoo, Fedora 41 come to mind) this backdoored version hasn’t landed on your computer yet.

Anonymous 0 Comments

There is a popular compression algorithm called XZ. And it seams that somebody were able to sneak malicious code into that project. Among other they hid their code as test data. This code does nothing unless it is running as part of SSH. SSH (Secure SHell) allows administrators to log into remote servers and is obviously a very well protected project which is how this backdoor was discovered. By default OpenSSH does not include XZ but a lot of Linux distributions like Debian and RedHat modifies OpenSSH to work better with SystemD, a service manager. And these modifications require XZ to be included which pulls the malicious code into the SSH server process. Once in the process it modifies the code that does authentication. It might therefore be able for this person who added this code to the XZ library to log into most Linux servers.

Fortunately this was discovered before the malicious code got deployed to any major production systems. It was very well hidden but a few mistake ended up getting discovered in the test version of Debian. This would be scheduled to be release some time in 2025. The backdoor was included in Fedora 41 which is a desktop variant of RedHat and therefore includes newer versions of packages. It might have affected the RedHat release which probably comes in 2025 as well. So there are very few Linux servers affected by this attack at all.