Purpose
The recent backdoor discovered in xz is pretty interesting. I wanted to have this post here not to re-explain what is going on with the attack, but rather to catalog the history of how it was discovered and decomposed by sharing links to the folks who caught this. This is a testament to the OSS security community, but lots of luck was here that helped prevent this from becoming a horrible thing.
tl;dr
What happened was someone gained the trust of the developer for the xz compression utility for the last 3 years. Over that time, they made patches, both good and bad… including secretly adding a backdoor that impacted the OpenSSH daemon process, apparently thanks to systemd dependency list. They also included a function that used a known google bug to convince google to turn off their security tool on xz itself. The backdoor limited who could access it by using non-replayable cryptographic routines. Essentially, this was a long-con that got caught because of the performance impact it caused to ssh in the process.
Links
Discovery thread: This is the email that alerted everyone in the OSS world about the backdoor. Andres is a PostgreSQL developer who was debugging performance issues and did the initial analysis of the backdoor in xz.
Time line analysis:
- From Boehs.org, a history of the backdoor going back 3 years. (Some links below come from here)
- Russ Cox has a version too.
Backdoor Analysis: detailed low-level insight into the backdoor itself.
Bash script explained: A very good detailed analysis of the bash script itself.
libsystemd, xz and increasing vulnerabilities: A discussion on github about reducing the dependencies of systemd since it can become a mechanism used by threat actors on supply-chain attacks.
Social engineering a discussion on the social engineering side of this.
Google’s OSS Fuzzer: Mastodon discussion on how the threat actor introduce a know bug into xz that caused Google’s OSS fuzzer to fail, giving the threat actor cause to ask them to disable it for xz.
The landlock sabotage: “Landlock is an access-control system that enables any processes to securely restrict themselves and their future children.” This is the commit that sabotage landlock in xz even as it was attempting to add it.