A recent analysis has shown that the malicious code embedded in the widely used open-source compression library XZ Utils (shipped by multiple Linux distributions) enables unauthenticated remote code execution. The backdoor is tracked as CVE-2024-3094.
CVE-2024-3094 Explained
This compromise, identified as CVE-2024-3094 with a CVSS score of 10.0, was brought to light by Microsoft engineer and PostgreSQL developer Andres Freund. While benchmarking a system, Freund noticed that sshd processes were consuming unusually high CPU time and that SSH logins had become slow, which led him to a backdoor in liblzma, the library shipped with the XZ Utils data compression package. The backdoor allows a remote attacker holding the right private key to bypass secure shell authentication and run commands with sshd's privileges, giving complete access to affected systems.
The malicious backdoor code was intentionally introduced by one of the project maintainers, Jia Tan (also known as Jia Cheong Tan or JiaT75), in a planned attack spanning several years. The GitHub account associated with this activity was created in 2021, but the identity of the actor(s) remains unknown. According to reports, the threat actor gained credibility within the XZ project over nearly two years before being granted maintainer responsibilities.
The attacker used sockpuppet accounts such as Jigar Kumar and Dennis Ens to submit feature requests and report issues, pressuring the original maintainer, Lasse Collin of the Tukaani Project, to add a new co-maintainer to the repository. Jia Tan introduced changes to XZ Utils throughout 2023, culminating in the release of version 5.6.0 in February 2024 (followed by 5.6.1 in March 2024), both of which carried a sophisticated backdoor.
Collin acknowledged the breach and confirmed that the compromised release tarballs were created and signed by Jia Tan, who had access to the now-disabled GitHub repository. This supply chain attack demonstrates considerable sophistication and multi-year planning, likely indicative of state-sponsored activity.
A deeper analysis of the backdoor revealed how the remote path works: the malicious liblzma hooks OpenSSH's RSA public-key verification (RSA_public_decrypt) when loaded into sshd. An attacker presents an SSH certificate whose embedded RSA public key carries an encrypted payload; the backdoor extracts it, checks a signature made with the attacker's own Ed448 key, and passes the contained command to system(). Because only the holder of that private key can produce a valid payload, the backdoor is usable by a specific attacker rather than by anyone who finds it. Two caveats matter for triage: sshd does not link liblzma directly, so the backdoor only reaches sshd on distributions that patch OpenSSH to link libsystemd (which in turn pulls in liblzma), and the build-time injection only activates on x86-64 glibc builds made from the release tarball, not from the git tree. Within those conditions, any machine with a vulnerable XZ Utils package and sshd exposed to the internet is at risk.
The accidental discovery of the backdoor by Freund highlights the severity of this supply chain attack, which could have led to a major security incident had the affected versions reached the stable releases of major Linux distributions rather than only rolling and testing branches. The incident underscores the importance of tools and processes that can identify tampering and hidden features in both open-source and commercial software; in this case, comparing the signed release tarball against the tagged source tree would have exposed the modified build-to-host.m4 that the backdoor's build-time injection relied on.
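As an added example (not part of the original article or the xz project), the following POSIX shell script performs the two host-level checks the public advisories recommended: is the installed liblzma one of the backdoored releases, and does sshd actually map liblzma, which is the only route by which the backdoor reaches the SSH daemon. The sample strings in the comments are constructed to match the real output formats of `xz --version` and `ldd`; the hostname, paths and the XZ_TRIAGE_RUN variable are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the article's or the xz project's code): triage a host
# that may carry the backdoored xz-utils (CVE-2024-3094).
# Check 1: is liblzma 5.6.0 or 5.6.1 installed?
# Check 2: does sshd map liblzma at all (on affected distributions it does so
#          indirectly through libsystemd)?

# Return 0 (true) when the version string is one of the two backdoored releases.
xz_version_vulnerable() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the library version from the full `xz --version` output, which has
# the form (constructed sample):
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The second line is the one that matters: sshd loads the library, not the CLI.
parse_liblzma_version() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when `ldd` output (constructed sample below) shows liblzma mapped:
#   liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f...)
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run both checks on the live host. Exits 1 when a backdoored liblzma is
# present. Note that `ldd` executes the dynamic loader against the binary;
# on a host you already believe is compromised, prefer static inspection.
triage_host() {
    lzma_ver=$(parse_liblzma_version "$(xz --version 2>/dev/null)")
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    ldd_out=$(ldd "$sshd_bin" 2>/dev/null || true)
    status=0

    if xz_version_vulnerable "$lzma_ver"; then
        echo "liblzma $lzma_ver is a backdoored release (CVE-2024-3094)"
        status=1
    else
        echo "liblzma ${lzma_ver:-unknown} is not 5.6.0 or 5.6.1"
    fi

    if sshd_links_liblzma "$ldd_out"; then
        echo "$sshd_bin maps liblzma (typically via libsystemd): sshd is an exposure path"
    else
        echo "$sshd_bin does not map liblzma: sshd is not an exposure path on this host"
    fi
    return $status
}

# Only touch the live system when explicitly asked (assumed variable name).
if [ "${XZ_TRIAGE_RUN:-0}" = 1 ]; then
    triage_host
fi
```

Run it with `XZ_TRIAGE_RUN=1 sh triage.sh`; a non-zero exit means the backdoored library is installed, and the second line tells you whether sshd on that host would actually load it.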