XZ Utils backdoor

From Wikipedia, the free encyclopedia
Malicious software backdoor on Linux

(Infobox image caption: previous XZ logo contributed by Jia Tan)
CVE identifier: CVE-2024-3094
Date discovered: at or before 27 March 2024 (2024-03-27)[1][2]
Date of public disclosure: 29 March 2024 (2024-03-29)
Date patched: 29 March 2024 (2024-03-29)[a][3]
Discoverer: Andres Freund
Affected software: xz / liblzma library
Website: tukaani.org/xz-backdoor/

In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name "Jia Tan".[b][4] The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution through OpenSSH on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score.[5]

While xz is commonly present in most Linux distributions, at the time of discovery the backdoored version had not yet been widely deployed to production systems, but was present in development versions of major distributions.[6] The backdoor was discovered by the software developer Andres Freund, who announced his findings on 29 March 2024.[7]

Background

Microsoft employee and PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid.[8] Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage as well as causing errors in Valgrind,[9] a memory debugging tool.[10] Freund reported his finding to the Openwall Project's open source security mailing list,[9] which brought it to the attention of various software vendors.[10] The attacker made efforts to obfuscate the code,[11] as the backdoor consists of multiple stages that act together.[12]

Once the compromised version is incorporated into the operating system, it alters the behavior of OpenSSH's SSH server daemon by abusing the systemd library, allowing the attacker to gain administrator access.[12][10] According to the analysis by Red Hat, the backdoor can "enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".[13]

A subsequent investigation found that the campaign to insert the backdoor into the XZ Utils project was the culmination of approximately three years of effort, between November 2021 and February 2024,[14] by a user going by the name Jia Tan and the nickname JiaT75 to gain access to a position of trust within the project. After a period of pressure on the founder and head maintainer to hand over control of the project via apparent sock puppetry, Jia Tan gained the position of co-maintainer of XZ Utils and was able to sign off on version 5.6.0, which introduced the backdoor, and version 5.6.1, which patched some anomalous behavior that could have been apparent during software testing of the operating system.[10]

Some of the suspected sock puppetry pseudonyms include accounts with usernames like Jigar Kumar, krygorin4545, and misoeater91. It is suspected that the name Jia Tan, as well as the supposed code author Hans Jansen (for versions 5.6.0 and 5.6.1), are pseudonyms chosen by the participants of the campaign. Neither has any visible public presence in software development beyond the few years of the campaign.[15][16][17]

The backdoor was notable for its level of sophistication and for the fact that the perpetrator practiced a high level of operational security for a long period of time while working to attain a position of trust. American security researcher Dave Aitel has suggested that it fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian Foreign Intelligence Service (SVR).[14] Journalist Thomas Claburn suggested that it could be any state actor or a non-state actor with considerable resources.[18]

Mechanism

The malicious code is known to be in the 5.6.0 and 5.6.1 releases of the XZ Utils software package. The exploit remains dormant unless a specific third-party patch of the SSH server is used. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.[13] The malicious mechanism consists of two compressed test files that contain the malicious binary code. These files are available in the git repository, but remain dormant unless extracted and injected into the program.[4] The code uses the glibc IFUNC mechanism to replace an existing function in OpenSSH called RSA_public_decrypt with a malicious version. OpenSSH normally does not load liblzma, but a common third-party patch used by several Linux distributions causes it to load libsystemd, which in turn loads lzma.[4]

A modified version of build-to-host.m4 was included in the release tar file uploaded on GitHub, which extracts a script that performs the actual injection into liblzma. This modified m4 file was not present in the git repository; it was only available from tar files released by the maintainer separate from git.[4] The script appears to perform the injection only when the system is being built on an x86-64 Linux system that uses glibc and GCC and is being built via dpkg or rpm.[4]
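A defender-side check that follows from the two conditions described above (a backdoored xz release, and an sshd that reaches liblzma through libsystemd), added here as an example and not taken from the article or the XZ project. It assumes `xz` and `ldd` are on PATH for the live check and otherwise runs against a constructed ldd sample.

```shell
#!/bin/sh
# Added example (not from the article): defender-side check for CVE-2024-3094.
#   1. Is the installed xz/liblzma one of the backdoored releases (5.6.0, 5.6.1)?
#   2. Does sshd actually link liblzma (via the libsystemd patch), i.e. is the
#      hooked RSA_public_decrypt reachable from the SSH daemon at all?

# Return 0 when the given xz/liblzma version string is a backdoored release.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when the given ldd output lists liblzma in sshd's link map.
# ldd output is passed as text so captured output can be checked offline.
ldd_loads_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Classify a host from its xz version and the ldd output for sshd.
# Prints VULNERABLE, BACKDOORED_LIB_NOT_REACHABLE or CLEAN.
assess_host() {
    ver="$1"; ldd_out="$2"
    if is_backdoored_version "$ver"; then
        if ldd_loads_liblzma "$ldd_out"; then
            echo VULNERABLE                     # roll back xz and restart sshd
        else
            echo BACKDOORED_LIB_NOT_REACHABLE   # still roll back; sshd is not the only consumer
        fi
    else
        echo CLEAN
    fi
}

# Live check on the current host; only meaningful on Linux with sshd installed.
live_check() {
    ver=$(xz --version 2>/dev/null | awk 'NR == 1 { print $NF }')
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    ldd_out=$(ldd "$sshd_path" 2>/dev/null || true)
    assess_host "${ver:-unknown}" "$ldd_out"
}

# Constructed sample ldd output, resembling a distro whose sshd pulls in
# libsystemd and therefore liblzma (paths and addresses are illustrative).
SAMPLE_LDD='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

live_check
```

A CLEAN verdict only says the host is not on 5.6.0 or 5.6.1; it does not prove a built binary was never produced from a tampered tarball elsewhere.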

Response

Remediation

The US federal Cybersecurity and Infrastructure Security Agency issued a security advisory recommending that affected devices be rolled back to a previous uncompromised version.[19] Linux software vendors, including Red Hat, SUSE, and Debian, reverted the affected packages to older versions.[13][20][21] GitHub disabled the mirrors for the xz repository before subsequently restoring them.[22]

Canonical postponed the beta release of Ubuntu 24.04 LTS and its flavours by a week and opted for a complete binary rebuild of all the distribution's packages.[23] Although the stable version of Ubuntu was not affected, upstream versions were. This precautionary measure was taken because Canonical could not guarantee by the original release deadline that the discovered backdoor did not affect additional packages during compilation.[24]

In August 2025, Binarly researchers found several Debian Docker images on Docker Hub that still contained the XZ Utils backdoor.[25][26][27] The Debian development team declined to remove the affected images, stating that they were development builds that should not be used on real systems in place of newer, clean container versions.[26][25]

Broader response

Following the incident, the Open Source Security Foundation (OpenSSF) and OpenJS Foundation issued a joint warning that the XZ Utils backdoor "may not be an isolated incident", reporting that similar social engineering attempts had targeted JavaScript projects hosted by OpenJS.[28] The foundations warned maintainers to watch for "friendly yet aggressive and persistent pursuit" by unknown community members seeking maintainer status.[29]

Computer scientist Alex Stamos opined that "this could have been the most widespread and effective backdoor ever planted in any software product", noting that had the backdoor remained undetected, it would have "given its creators a master key to any of the hundreds of millions of computers around the world that run SSH".[30] In addition, the incident also started a discussion regarding the viability of having critical pieces of cyberinfrastructure depend on unpaid volunteers.[31]

Notes

  a. The vulnerability was effectively patched within hours of disclosure by reverting to a previous version known to be safe.
  b. Whether Jia Tan is a group of people, a real name of a single person or a pseudonym of a single person is not known publicly.

References

  1. Freire, Rodrigo (30 April 2024). "Understanding Red Hat's response to the XZ security incident". redhat.com. Retrieved 14 August 2025.
  2. "Oxide and Friends 4/8/2024 -- Discovering the XZ Backdoor with Andres Freund" (video). youtube.com. Oxide Computer Company. 14 August 2025.
  3. Collin, Lasse. "Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094)". GitHub. Retrieved 19 June 2024.
  4. James, Sam. "xz-utils backdoor situation (CVE-2024-3094)". GitHub. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
  5. Gatlan, Sergiu. "Red Hat warns of backdoor in XZ tools used by most Linux distros". BleepingComputer. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  6. "CVE-2024-3094". National Vulnerability Database. NIST. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
  7. Corbet, Jonathan. "A backdoor in xz". LWN. Archived from the original on 1 April 2024. Retrieved 2 April 2024.
  8. Zorz, Zeljka (29 March 2024). "Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)". Help Net Security. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  9. Freund, Andres (29 March 2024). "oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise". www.openwall.com. Archived from the original on 1 April 2024. Retrieved 14 August 2025.
  10. Goodin, Dan (1 April 2024). "What we know about the xz Utils backdoor that almost infected the world". Ars Technica. Archived from the original on 1 April 2024. Retrieved 1 April 2024.
  11. O'Donnell-Welch, Lindsey (29 March 2024). "Red Hat, CISA Warn of XZ Utils Backdoor". Decipher. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  12. Claburn, Thomas (29 March 2024). "Malicious backdoor spotted in Linux compression library xz". The Register. Archived from the original on 1 April 2024. Retrieved 14 August 2025.
  13. "Urgent security alert for Fedora 41 and Fedora Rawhide users". Red Hat. 29 March 2024. Archived from the original on 29 March 2024. Retrieved 14 August 2025.
  14. Greenberg, Andy (3 April 2024). "The Mystery of 'Jia Tan,' the XZ Backdoor Mastermind". Wired. Archived from the original on 3 April 2024. Retrieved 3 April 2024.
  15. Tumbleson, Connor (31 March 2024). "Watching xz unfold from afar". connortumbleson.com. Archived from the original on 6 April 2024. Retrieved 14 August 2025.
  16. "Timeline summary of the backdoor attack on XZ Utils". gigazine.net. 3 April 2024. Archived from the original on 10 April 2024. Retrieved 14 August 2025.
  17. Cox, Russ (1 April 2024). "Timeline of the xz open source attack". research.swtch.com. Retrieved 14 August 2025.
  18. Claburn, Thomas. "Malicious xz backdoor reveals fragility of open source". The Register. Archived from the original on 8 April 2024. Retrieved 8 April 2024.
  19. "Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094". CISA. 29 March 2024. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  20. Meissner, Marcus (27 December 2024). "SUSE addresses supply chain attack against xz compression library". SUSE Communities. SUSE. Archived from the original on 29 March 2024. Retrieved 14 August 2025.
  21. Salvatore, Bonaccorso (29 March 2024). "[SECURITY] [DSA 5649-1] xz-utils security update". debian-security-announce (Mailing list). Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  22. Choudhary, Shrishti (30 March 2024). "Important information regarding xz-utils (CVE-2024-3094)". about.gitlab.com. Archived from the original on 1 April 2024. Retrieved 14 August 2025.
  23. "Noble Numbat Beta delayed (xz/liblzma security update)". Ubuntu Community Hub. 3 April 2024. Archived from the original on 10 April 2024. Retrieved 10 April 2024.
  24. Sneddon, Joey (3 April 2024). "Ubuntu 24.04 Beta Delayed Due to Security Issue". OMG! Ubuntu. Archived from the original on 8 April 2024. Retrieved 10 April 2024.
  25. Rudra, Sourav (14 August 2025). "Security Researchers Find XZ Utils Backdoored Debian Images on Docker Hub". news.itsfoss.com. Retrieved 14 August 2025.
  26. Haruyama, Takahiro (6 August 2025). "Docker Hub Debian image contains CVE-2024-3094 backdoor". github.com. Retrieved 14 August 2025.
  27. "Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images". binarly.io. 12 August 2025. Retrieved 14 August 2025.
  28. Arasaratnam, Omkhar; Bender Ginn, Robin (15 April 2024). "Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects". OpenSSF. Retrieved 1 January 2026.
  29. Kovacs, Eduard (15 April 2024). "Researchers stop 'credible takeover attempt' similar to XZ Utils backdoor incident". The Record. Retrieved 1 January 2026.
  30. Roose, Kevin (3 April 2024). "Did One Guy Just Stop a Huge Cyberattack?". The New York Times. Archived from the original on 4 April 2024. Retrieved 4 April 2024.
  31. Khalid, Amrita (2 April 2024). "How one volunteer stopped a backdoor from exposing Linux systems worldwide". The Verge. Archived from the original on 4 April 2024. Retrieved 4 April 2024.

Retrieved from "https://en.wikipedia.org/w/index.php?title=XZ_Utils_backdoor&oldid=1334681698"