xz attack: backdoor unraveled, more details on affected distros

After the discovery of a backdoor in the xz tools, which are included in many open source platforms, further details became known today, Holy Saturday. The backdoor, which its authors had hidden very cleverly, allows the attackers to execute their own code on the target systems. Writing a network scanner to detect the backdoor does not seem possible at the moment.


In a discussion thread on the social media platform Bluesky, security expert and cryptographer Filippo Valsorda analyzes the backdoor. It is remarkably inventive in its design and uses an RSA key as the transport medium for the malicious code. When a new SSH connection is established to a server with Trojanized xz libraries, the payload is transferred during the key exchange, checked for plausibility, and finally decrypted and executed.

This means that although the attackers can execute code without any credentials, security experts probably cannot write a network scanner as they would for other security holes: they simply lack the backdoor authors' key material. As soon as the backdoor detects an invalid signature, it stops and falls back to executing the normal OpenSSH code. Checking for the backdoor can therefore only be done locally. A YARA rule with a signature for the backdoor is now also available.

The attack was apparently planned well in advance. The attacker “Jia Tan” created his GitHub account in 2021 and began focusing on the xz project in 2022. With the help of several accomplices or fake accounts that put psychological pressure on the main developer, he not only gained control over the project but also pressured Linux distributions to adopt the package versions he had prepared as quickly as possible. He also approached a Fedora maintainer and tried to convince them to include xz 5.6.x in the rpm-based distribution because of its “great new features”.

Meanwhile, an accomplice using the pseudonym “Hans Jansen” approached the Debian project and asked for the package to be updated. His pretext: the new version fixes a problem with the Valgrind programming toolkit – a problem that only arose once the backdoor was installed. In comments, pseudonyms such as “krygorin4545” and “misoeater91” praised the alleged bug fix, presumably fake accounts meant to create a favorable mood. The Debian project decided to include the backdoored xz version in its unstable “Sid” branch.

Updated packages for openSUSE “Tumbleweed” have been available since Thursday evening – this rolling-release version of openSUSE, which has no fixed releases, also contained a compromised xz package. The backdoor did not make it into stable Debian or Ubuntu releases, but it did make it into Debian “testing” and “unstable”. We had already mentioned other affected Linux variants in our first report.

The macOS package manager Homebrew, on the other hand, is not directly affected. While Homebrew ships a backdoored version of liblzma, the backdoor is only enabled on deb- and rpm-based distributions as part of the package build process, one of the developers writes on GitHub.

In addition, liblzma must be loaded by OpenSSH, even though this software does not actually use the library. However, the backdoor can still end up in OpenSSH via indirect dependencies: many distributions patch OpenSSH to support systemd-notify, and the systemd library libsystemd in turn uses liblzma, so the malicious code is loaded through this indirection.

In order for the backdoor to be executed, other prerequisites must be met in addition to the valid signature:

  1. the environment variable TERM – usually an identifier for an interactive terminal session – must not be set,
  2. the target process must be named /usr/sbin/sshd,
  3. neither the environment variable LD_DEBUG nor LD_PROFILE may be set,
  4. a language must be specified via the LANG environment variable, and
  5. no debugging session using rr or gdb may be taking place.

If any one of these prerequisites is not met, the backdoor refuses to work.
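Because, as described above, the backdoor can only be checked for locally and reaches sshd through the libsystemd → liblzma indirection, a local check boils down to two questions: which liblzma release is installed, and does the sshd binary link liblzma at all. The following POSIX shell script is an added example, not code from this article or from the xz, OpenSSH or any distribution project. It assumes that the backdoored upstream releases are xz 5.6.0 and 5.6.1 (the 5.6.x versions referred to above), that `xz --version` prints a line of the form `liblzma <version>`, and that `ldd` on the sshd binary lists transitive libraries. The sample `xz --version` and `ldd` outputs embedded in the script are constructed so that the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example: local check for the two preconditions described in the
# article. Not part of the article or of any project it mentions.

# Known backdoored upstream releases (assumption: 5.6.0 and 5.6.1).
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Reads `xz --version` output on stdin and prints the liblzma version.
# Returns 1 if no "liblzma <version>" line is present.
liblzma_version_from_output() {
    while read -r first second rest; do
        if [ "$first" = "liblzma" ] && [ -n "$second" ]; then
            printf '%s\n' "$second"
            return 0
        fi
    done
    return 1
}

# Reads ldd output on stdin and prints the resolved liblzma path, if any.
# ldd lists transitive dependencies, so liblzma shows up even when it is
# only pulled in via libsystemd. Returns 1 if liblzma is not linked.
liblzma_from_ldd() {
    while read -r name arrow path rest; do
        case "$name" in
            liblzma.so*)
                if [ -n "$path" ]; then
                    printf '%s\n' "$path"
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Runs the check against the live system. Argument: sshd path (default as
# in the article's precondition list).
check_host() {
    sshd_path=${1:-/usr/sbin/sshd}
    ver=$(xz --version 2>/dev/null | liblzma_version_from_output) || ver=unknown
    if is_affected_version "$ver"; then
        echo "liblzma $ver: release known to carry the backdoor upstream"
    else
        echo "liblzma $ver: not a known backdoored release"
    fi
    if lib=$(ldd "$sshd_path" 2>/dev/null | liblzma_from_ldd); then
        echo "$sshd_path links $lib (indirect load path into sshd is present)"
    else
        echo "$sshd_path does not link liblzma"
    fi
}

# Constructed sample outputs for offline testing (not captured from a real host).
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

SAMPLE_LDD_CLEAN='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Set XZ_CHECK_LIVE=1 to run against the local host instead of the samples.
if [ "${XZ_CHECK_LIVE:-0}" = "1" ]; then
    check_host "${SSHD_PATH:-/usr/sbin/sshd}"
fi
```

A version match only says that the installed release is one that shipped the backdoor upstream; distributions may have rebuilt or reverted a 5.6.x package, so treat the output as a prompt for the package's changelog and the YARA rule mentioned above rather than as a verdict. Conversely, an sshd that does not link liblzma is outside the load path this backdoor needs, regardless of the version.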

Meanwhile, on the oss-security mailing list (where the backdoor was disclosed by its discoverer), high-profile security experts held a lively discussion about the pros and cons of embargoes on security vulnerabilities. While Marc Deslauriers from Canonical defended the usual embargoes on 0-days, Tavis Ormandy from Google spoke out in favor of radical openness. Asked somewhat provocatively by Deslauriers whether he supported the immediate publication of Chrome security holes, Ormandy wrote: “Yes! If someone has knowledge about any software with backdoors or [..] has an active zero-day exploit, I advise you to – please – publish this knowledge.”

The discoverer, Andres Freund, stated that he only found the backdoor thanks to “a series of coincidences”: he noticed some SSH processes with surprisingly high resource consumption, remembered the alleged Valgrind bug, and put two and two together.

The maintainer of the xz project, Lasse Collin, has now also spoken up after a self-imposed break from the internet. The developer has reverted some of the changes Jia Tan made to the project infrastructure and clarified that only he has access to the project data under the domain “tukaani.org”. Tan had seized greater control of the project by moving the Git repositories to GitHub. The project's GitHub account and the accounts of the developers Tan and Collin are currently suspended.

Calls for more support for open source projects are now growing louder. The developer of the Python networking library Twisted wrote on Mastodon that he very much hopes the common practice of having one's “entire goddamn product rest on the shoulders of an overworked person who is slowly having a nervous breakdown without supporting them in any way financially or structurally” will now be put to the test across the entire industry.

Who Hans Jansen, Jia Tan, and their accomplices are remains uncertain. According to some experts, the complexity and sophistication of the attack suggest that it was state-directed. However, details are still unclear – the hunt for the perpetrators has begun.


(cku)
