News / Technologies, 04-01-2024 at 16:25

Backdoor found in xz Utils of Linux distributions. Urgent call to abandon Fedora


Igor Sheludchenko

News writer

A backdoor has been discovered in xz Utils, the popular package for lossless data compression and for working with the .xz format. A backdoor is a method of bypassing standard authentication procedures to gain unauthorized remote access to a computer.

On Friday, users were urged to immediately stop using Fedora 41 with xz Utils 5.6.0 and Fedora Rawhide with xz Utils 5.6.0 or 5.6.1.

There are suspicions about other distributions, but none has been confirmed at this time.
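The only concrete advice the article gives is to stop running the two affected releases, so the natural first check on any host is which xz Utils / liblzma version is installed. The script below is an added example, not part of the article or of the xz project; it assumes only POSIX sh plus the standard `xz --version` banner format, and it takes the affected version list (5.6.0 and 5.6.1) from the article.

```shell
#!/bin/sh
# Added example (not from the article): report whether an installed xz Utils /
# liblzma build is one of the two releases the article names as backdoored.
# Assumes POSIX sh and the usual "xz (XZ Utils) X.Y.Z" banner from `xz --version`.

# Returns 0 (true) if the given version string is 5.6.0 or 5.6.1, 1 otherwise.
# The list comes from the article; it is deliberately exact, not a range.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# liblzma's real file name carries its version (e.g. liblzma.so.5.6.1), so the
# shared object itself can be checked even where the xz binary is absent.
# Returns 0 if the file name ends in an affected version, 1 otherwise.
liblzma_filename_affected() {
    xz_version_affected "${1##*liblzma.so.}"
}

# Checks the locally installed xz, if any. Prints a verdict and returns
# 0 when the install is affected, 1 when it is not, 2 when xz is not present.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found on this system"
        return 2
    fi
    ver=$(xz_version_from_banner "$(xz --version 2>/dev/null | head -n 1)")
    if xz_version_affected "$ver"; then
        echo "xz $ver is a backdoored release (5.6.0/5.6.1): downgrade or update now"
        return 0
    fi
    echo "xz $ver is not 5.6.0 or 5.6.1"
    return 1
}

# Lists liblzma shared objects in common library directories and flags any
# whose file name carries an affected version. Returns 0 if one was found.
check_liblzma_files() {
    found=1
    for d in /lib /lib64 /usr/lib /usr/lib64 /usr/lib/x86_64-linux-gnu; do
        [ -d "$d" ] || continue
        for f in "$d"/liblzma.so.*; do
            [ -e "$f" ] || continue
            if liblzma_filename_affected "$f"; then
                echo "affected library: $f"
                found=0
            fi
        done
    done
    return $found
}

# Only run the live checks when executed directly as check_xz.sh, not when
# the functions are sourced from another script.
if [ "${0##*/}" = "check_xz.sh" ]; then
    check_local_xz
    check_liblzma_files
fi
```

Save it as `check_xz.sh` and run it with `sh check_xz.sh`; an exit status of 0 from `check_local_xz` means the host is on one of the two releases the article tells users to abandon. The file-name check exists because a distribution may ship liblzma without the `xz` command, and it is the library, not the command-line tool, that other processes load.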

Ars Technica reported the details of the incident.

xz Utils

XZ Utils is a set of free programs for data compression. It is available in every Linux distribution and in other Unix-like operating systems.

xz Utils provides critical functions for compressing and decompressing data during all kinds of operations.

What happened?

The first to notice the problem was developer Andres Freund, who works on Microsoft’s PostgreSQL offerings. He had recently been troubleshooting performance problems with SSH on a Debian system; SSH is the most common protocol for logging into devices remotely over the Internet.

Specifically, SSH logins were consuming an unusual amount of CPU time and generating errors in valgrind, a memory-debugging utility.

He eventually traced the problems to updates to xz Utils. He reported his findings to the Open Source Security mailing list, stating that the updates were the result of someone intentionally planting a backdoor in XZ Utils.

What does the backdoor do?

The malicious code added to xz Utils versions 5.6.0 and 5.6.1 changed the way the software behaved during its operations.

When those operations were part of an SSH session, the malicious code could run with root privileges. In effect, anyone holding a predefined encryption key could log in to the backdoored system via SSH.

Looking back, earlier changes in the libarchive project now look suspicious: they replaced the safe_fprintf function with a variant that has long been considered less secure. At the time, no one noticed.

The following year, JiaT75 submitted a fix to the xz Utils mailing list, and almost immediately a previously unseen contributor joined the discussion, complaining that xz Utils maintainer Lasse Collin had not updated the software in a long time.

This pressure led to JiaT75 being added to the project.

In January 2023 he took part in development for the first time, and over the following months he allegedly became more and more involved in the process.

  • JiaT75 replaced Collin’s contact information with his own in Microsoft’s oss-fuzz, a project that scans open source software for signs of malicious code.
  • He also made sure ifunc was disabled during testing, so that the security tooling would not flag the changes he had made.
  • In February 2024, JiaT75 issued the commits for xz Utils versions 5.6.0 and 5.6.1. Those updates implemented the backdoor.

In the weeks that followed, Tan and others called on Ubuntu, Red Hat and Debian developers to merge the updated versions into their distributions, and some of those updates were already due to ship soon.


The backdoor is implemented as a five-stage loader that uses a number of simple but clever techniques to hide itself. It also provides a way to deliver new payloads without requiring major changes to the code.
