What's up with the backdoor in XZ - an extremely simple explanation (video, 5m)
In recent days, the open source world has been in a state of panic. An attack targeting the XZ compression tool was so sophisticated and well-planned that it compromised several Linux distributions, including Debian, Kali, and openSUSE. Luckily, TempleOS remained unaffected. This was quite possibly one of the most well-executed supply chain attacks in history: through a secret backdoor, it gave malicious actors unfettered access to execute code on victims' machines, making the situation exceedingly serious. This isn't an ordinary vulnerability; it's a threat level midnight 10.0 critical issue on the CVE Richter scale, even higher than notorious bugs like Heartbleed and Log4Shell. In today's video, viewers learn exactly how the XZ backdoor operates and the incredible story behind its accidental discovery.
Timeline summary
- Introduction to the panic in the open source community due to a sophisticated attack.
- Details on the attack affecting the XZ compression tool and various Linux distros.
- Praise for TempleOS being unaffected and the severity of the supply chain attack.
- Comparison of the threat level to other well-known vulnerabilities.
- Teaser to learn about the XZ backdoor and its accidental discovery.
- Advice to upgrade if using affected Linux distros, highlighting narrow impact.
- Deep dive into the XZ Utils tool and its role in compression for Linux.
- Explanation of how the backdoor operates within the libLZMA library.
- Discovery of malicious code hidden in the tarballs of the library.
- Insights into the obfuscation techniques used by the attacker.
- Andres Freund's crucial role in discovering the anomaly.
- Speculation about the identity of the attacker, linking it to contributors.
- Analogy comparing the situation to a landlord and a tenant with unauthorized surveillance.
- Final thoughts on the potential intelligence behind the attack.
- Conclusion and thanks for watching, with a humorous recommendation.
Transcription
Over the last few days, the open source world has been in panic mode. A highly sophisticated and carefully planned attack, affecting the XZ compression tool, was shipped to production and has compromised Linux distros like Debian, Kali, openSUSE, and others. Thank God, TempleOS is unaffected though, and it's quite possibly one of the most well-executed supply chain attacks of all time, and gives some random dude unfettered access to execute code on your machine via a secret backdoor. This is not your everyday security vulnerability. It's a threat level midnight 10.0 critical issue on the CVE Richter scale, even higher than famous bugs like Heartbleed, Log4Shell, and Shellshock. In today's video, you'll learn exactly how the XZ backdoor works, and the incredible story of how it was discovered by accident. It is April 1st, 2024, and you're watching The Code Report. Unfortunately, this is not an April Fool's video. If you happen to be using one of the Linux distros listed here, you'll want to upgrade immediately. Luckily, it only affects a very narrow set of distros, most of which are unstable builds, but that's only because this backdoor was discovered by pure luck early on. More on that in just a second.

Let's first take a deep dive into this backdoor. XZ Utils is a tool for compressing and decompressing streams based on the Lempel-Ziv-Markov chain algorithm, or LZMA. It contains a command line tool that's installed on most Linux distros by default, which you can use right now with the xz command, but also contains an API library called libLZMA, and many other pieces of software depend on this library to implement compression, one of which is SSHD, or Secure Shell Daemon, a tool that listens to SSH connections, like when you connect your local machine to the terminal on a cloud server. Now here's where the backdoor comes in, but keep in mind, researchers are still figuring out exactly how this thing works.
Malicious code was discovered in the tarballs of libLZMA, which is the thing that most people actually install. That malicious code is not present in the source code, though. It uses a series of obfuscations to hide the malicious code, then at build time, it injects a pre-built object disguised as a test file that lives in the source code. It modifies specific parts of the LZMA code, which ultimately allows the attacker to intercept and modify data that interacts with this library. Researchers have also discovered that any payload sent to the backdoor must be signed by the attacker's private key. In other words, the attacker is the only one who can send a payload to the backdoor, making it more difficult to test and monitor. And the attacker went to great lengths to obfuscate the code: for example, it contains no ASCII characters, and instead has a built-in state machine to recognize important strings. Now, because the vast majority of servers that power the internet are Linux-based, this backdoor could have been a major disaster. Luckily though, a hero software engineer named Andres Freund was using the unstable branch of Debian to benchmark Postgres. He noticed something weird that most people would overlook: SSH logins were using up more CPU resources than normal. Initially he thought it was an issue in Debian directly, but after some investigation, discovered it was actually upstream in XZ Utils. And that's really bad because so many things depend on this tool. In German, his last name translates to Freund, which is fitting because he single-handedly helped the world avoid a multi-billion dollar disaster. But whodunit, who's the bad guy here? At this point it's unclear. The libLZMA project is maintained by Lasse Collin. However, the malicious tarballs are signed by Jia Tan, a contributor to the project. This individual has been a trusted contributor for the last few years, but clearly they've been playing the long game.
They spent years building up trust before trying the backdoor, and nobody even noticed when they made their move. I say they because we don't know if this is an individual or a penetration attempt from a rogue state like Russia, North Korea, or the United States. Here's a non-technical analogy. Imagine there's a landlord, we'll call him Lasse Collin, who manages a popular apartment building. It's a lot of work, but this young enthusiastic guy has been super helpful over the last couple of years, adding all sorts of upgrades and renovations. Let's call him Jia Tan. He does great work, but he's also been secretly installing cameras in the bathrooms, which only he can access from the internet with his password. Now he would have gotten away with it too if it weren't for a pesky tenant named Andres, who happened to notice that his electricity bill was just a little bit higher than usual. He started looking behind the walls and found some unexpected wires that led right to the unauthorized cameras. At this point we don't know the true identity of the hacker, but whoever did this was looking to cast a very wide net, and because it's protected by a secret key, it can only be exploited by one party. XZ was a sitting duck because it's extremely popular, while also being very boring with a single maintainer. Whoever's behind this is either an extremely intelligent psychopath, or more likely a group of state-sponsored dimension-hopping lizard people hellbent on world domination, and that's why the only distro you should use is TempleOS. This has been The Code Report. Thanks for watching, and I will see you in the next one.
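The transcript's key technical point is that the malicious code lived in the release tarballs but not in the version-controlled source. The following is an added example (not code from the video or from the XZ project) of the defender-side check that point suggests: it lists every file in a release tarball and compares it against the files tracked in the source tree, reporting files that exist only in the tarball and files whose content differs. All file names and contents are constructed for the demo; `expected_generated` is an assumed allow-list for files legitimately produced at release time.

```python
import hashlib
import io
import tarfile

# Constructed stand-in for the version-controlled source tree (path -> bytes).
REPO_FILES = {
    "src/liblzma/lzma.c": b"int lzma_code(void) { return 0; }\n",
    "configure.ac": b"AC_INIT([demo], [0.1])\n",
    "tests/files/sample.bin": b"\xfd7zXZ\x00good",
}

# Constructed release tarball contents: one legitimately generated file,
# one file that exists only in the tarball, and one test file that was altered.
TARBALL_FILES = dict(REPO_FILES)
TARBALL_FILES["configure"] = b"#!/bin/sh\n# generated at release time\n"
TARBALL_FILES["m4/release-only.m4"] = b"dnl constructed: only present in the tarball\n"
TARBALL_FILES["tests/files/sample.bin"] = b"\xfd7zXZ\x00altered"


def build_tarball(files, top_dir="demo-0.1"):
    """Build an in-memory .tar.gz with the usual top-level release directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=f"{top_dir}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def audit_tarball(tarball_bytes, repo_files, expected_generated=()):
    """Return tarball-only files and files whose bytes differ from the repo copy."""
    extra, modified = [], []
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1]  # strip the top-level directory
            data = tar.extractfile(member).read()
            if rel not in repo_files:
                if rel not in expected_generated:
                    extra.append(rel)  # shipped but never committed: inspect it
            elif sha256(data) != sha256(repo_files[rel]):
                modified.append(rel)  # committed, but the release copy differs
    return {"extra": sorted(extra), "modified": sorted(modified)}


if __name__ == "__main__":
    print(audit_tarball(build_tarball(TARBALL_FILES), REPO_FILES, {"configure"}))
```

On a real project the tarball would come from the release download and `repo_files` from a checkout of the tagged commit; anything reported under `extra` or `modified` is what a reviewer should read before trusting the build.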