XZ Utils: Beware of Open-Source Supply Chain Attacks

April 4, 2024
1 min read




Article Summary

TLDR:

The XZ Utils open-source software supply chain attack was discovered by a Microsoft engineer, who thwarted a sophisticated backdoor in the XZ Utils library. The operation, under way since at least 2021, targeted popular Linux distributions but was caught in time. It relied on social engineering to get a malicious actor onboarded as a co-maintainer of XZ Utils, who then introduced a critical backdoor with remote code execution capabilities. The backdoor lived in liblzma, a library that OpenSSH's sshd loads on several Linux distributions; because the tampered releases had not yet reached most stable distributions, it was caught before it was widely deployed.

Years in the making, an open-source software supply chain attack was recently thwarted by an engineer who discovered it by chance. An open-source maintainer was socially engineered into onboarding a malicious actor as co-maintainer of XZ Utils, a widely used Linux compression library, which was then compromised with a backdoor. The attack, possibly planned and under execution since at least 2021 and aimed at several Linux distributions, could have proven catastrophic had it not been discovered in time. Late last month, a Microsoft engineer who contributes to the PostgreSQL relational database caught what has been described as one of "the best executed supply chain attack we've seen described in the open."

The attack was carried out by Jia Tan, who had become a maintainer of XZ Utils and quietly committed the backdoor's binary payload disguised as binary test input files; the build process of the tampered releases extracted that payload and linked it into liblzma. The backdoor, tracked as CVE-2024-3094, lets an attacker who holds a specific private key execute commands through sshd on an affected host without authenticating. It was nearly undetectable and could have had a massive impact on Linux systems had it not been caught in time. That the discovery was a stroke of luck highlights the need for more rigorous security testing and vigilance in the open-source community.
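The host triage a practitioner wants at this point, added here as an example (not code from the article, from the XZ project, or from the researcher who found the backdoor): it classifies an XZ Utils version string against the two backdoored releases, 5.6.0 and 5.6.1 (the versions named in the CVE-2024-3094 record, not in the article above), and reports whether the host's sshd is dynamically linked against liblzma, since that linkage is what exposes sshd. The function names, the verdict strings and the sample ldd output are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or the XZ project): host triage for
# the XZ Utils backdoor, CVE-2024-3094. Helper names are this example's own.

# Return 0 when the version string names one of the backdoored releases.
# 5.6.0 and 5.6.1 are the affected versions listed in the CVE record.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1". Takes the text as an argument so it can
# be exercised on captured output without running xz.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*[Uu]tils) *\([0-9][0-9.]*\).*/\1/p'
}

# Print the filesystem paths of any liblzma entries in ldd-style output
# (one shared object per line, "name => /path (address)"). Returns 1 when
# no liblzma line is present. The ldd text is passed in for the same reason.
liblzma_paths_from_ldd() {
    printf '%s\n' "$1" | awk '
        /liblzma/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of ldd output (not captured from a real host), used to
# exercise the parser offline.
SAMPLE_LDD='linux-vdso.so.1 (0x00007ffd)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b)'

# Live check: does the sshd binary on this host load liblzma? The backdoor
# only reaches sshd through that linkage. Prints the library path(s);
# returns 1 if not linked or if sshd/ldd are unavailable.
sshd_links_liblzma() {
    sshd_bin="${1:-$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)}"
    [ -x "$sshd_bin" ] || return 1
    command -v ldd >/dev/null 2>&1 || return 1
    liblzma_paths_from_ldd "$(ldd "$sshd_bin" 2>/dev/null || true)"
}

# Combine both signals into one verdict string:
#   affected-and-exposed : backdoored version AND sshd loads liblzma
#   affected             : backdoored version, sshd not linked (still upgrade)
#   clean                : not one of the backdoored versions
xz_triage() {
    ver="$1"; linked="$2"   # linked is "yes" or "no"
    if xz_version_affected "$ver"; then
        if [ "$linked" = "yes" ]; then echo affected-and-exposed; else echo affected; fi
    else
        echo clean
    fi
}

# Run the live checks; every step degrades to an empty value rather than
# aborting so the script also runs on hosts without xz or sshd.
report_host() {
    ver="$(parse_xz_version "$(xz --version 2>/dev/null || true)")"
    if sshd_links_liblzma >/dev/null; then linked=yes; else linked=no; fi
    echo "xz version: ${ver:-unknown}; sshd links liblzma: $linked; verdict: $(xz_triage "${ver:-0}" "$linked")"
}

echo "sample ldd parse: $(liblzma_paths_from_ldd "$SAMPLE_LDD")"
report_host
```

An "affected" verdict still calls for an upgrade: the tampered liblzma is present even if sshd does not load it, and a later package change could add the linkage. An "affected-and-exposed" host should be treated as potentially compromised rather than merely patched.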

