
Linux massacre narrowly avoided

  • April 2, 2024


A vulnerability carefully built into the widely used xz Utils library was about to spread to popular Linux distributions. Thanks to a vigilant developer and a bit of luck, a bloodbath was avoided.

The open source world is shocked by a vulnerability that came to light last Friday. CVE-2024-3094 is a backdoor injected into xz Utils, a library ubiquitous in Unix-based operating systems. According to security analysts, this vulnerability could have potentially affected millions of Linux devices and was even larger than the infamous SolarWinds hack of 2020.

The vulnerability was discovered by Andres Freund, a developer on Microsoft's payroll. Freund came across it by chance: he was troubleshooting performance issues with the SSH protocol in Debian. He discovered that the problems were due to recent updates to xz Utils and subsequently alerted the open source community to an intentional backdoor in the library.

Barely

This news came just in time. CVE-2024-3094 had already found its way into a handful of Linux distributions, including Fedora, Kali, openSUSE, and test builds of Debian. The attackers’ ultimate goal was to spread the vulnerability across popular Linux distributions from Red Hat, Debian and Ubuntu.

The backdoor itself is technically complex, so the attackers knew exactly what they were doing. It uses an unknown feature in xz that is only enabled when the library is loaded on an affected distribution. The SSH verification code is modified to allow attackers to obtain the keys for the device on which the library is loaded.

Against the current

It is not known who was behind the attack, but one of the key figures is a developer who operated under the pseudonym Jia Tan. In any case, the perpetrator or perpetrators were patient: Jia Tan made his voice heard for the first time in 2021. As of 2023, Tan had xz Utils in his sights. Together with accomplice accounts, he personally targeted the library's maintainer and accused him of releasing too few updates for xz Utils.

Tan then began making contributions himself and became increasingly involved in the management of xz Utils. In February, he finally planted the malicious seed in the library and asked developers of Red Hat, Debian, Ubuntu and other distributions to deploy this update to their operating systems.

So the plan was to first work their way up and take control of xz Utils, then push the backdoor down to users of popular Linux distributions. Had this plan succeeded, the consequences would have been catastrophic.

Source: IT Daily
