Recently, a backdoor (CVE-2024-3094) was uncovered in the build system of the widely used xz-utils ‘liblzma’ data compression library; it shipped in the upstream release tarballs of xz-utils 5.6.0 and 5.6.1. The backdoor is aimed at the OpenSSH server, but because it works by hooking functions in ‘OpenSSL’ from inside a process that has loaded ‘liblzma’ through ‘libsystemd’, it can in principle affect any network-reachable application that links ‘libsystemd’ and uses ‘OpenSSL’. At the time of writing, the complete extent and consequences of the backdoor remain unclear pending a thorough analysis of the injected malicious binary code.

Tectia SSH Client/Server by SSH Communications Security is not affected by the XZ/liblzma backdoor

At SSH Communications Security, we want to clarify that our remote server and application access product, Tectia SSH Client/Server, is not affected by the liblzma backdoor. As cybersecurity specialists, we prioritize risk mitigation and have deliberately minimized our reliance on external libraries; Tectia does not link ‘liblzma’ or ‘libsystemd’. The few validated dependencies we do use are shipped as part of our own installation package rather than taken from the host system.


How does the backdoor work?

The XZ/liblzma backdoor remains dormant until activated, operating as follows:

‘libsystemd’, the client library that Linux server applications use to talk to the ‘systemd’ service manager (for example to report readiness via sd_notify), itself links against ‘liblzma’. Many Linux server daemons are built against ‘libsystemd’ so that ‘systemd’ can monitor and manage their execution; on several distributions the OpenSSH server is patched in exactly this way, which gives sshd an indirect dependency on the compromised ‘liblzma’.

The backdoored ‘liblzma’ contained an initialization routine (an ‘ifunc’ resolver, which the dynamic loader runs when the library is mapped into a process) that checks whether the host process is the SSH server and, if so, patches the backdoor into that server in memory during startup, before any connection is accepted.

The malicious code was hidden in two binary files shipped as test data within the ‘liblzma’ source tree, and was extracted and linked into the library by alterations to the ‘autoconf’ build scripts (an m4 macro present only in the release tarballs, not in the project’s git repository). Those modified tarballs were picked up by the build processes of several Linux distributions’ development and testing branches.
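The dependency chain above gives a practitioner two concrete questions to ask of a host: is the installed xz one of the two backdoored releases, and does the OpenSSH server binary load ‘liblzma’ at all, directly or transitively through ‘libsystemd’? The following triage script is an added example, not code from the original article or from SSH Communications Security. It assumes a POSIX shell with `xz`, `ldd`, `sed` and `grep` on the PATH, and an sshd binary at /usr/sbin/sshd unless another path is passed as the first argument.

```shell
#!/bin/sh
# Added triage script (not from the original article or from SSH Communications
# Security). Two checks: is the installed xz one of the backdoored upstream
# releases, and does the OpenSSH server binary load liblzma at all (directly
# or transitively through libsystemd)? Assumptions: POSIX sh with `xz`, `ldd`,
# `sed` and `grep`, and an sshd binary at /usr/sbin/sshd unless a path is
# passed as $1.

# True (exit 0) if the version string is one of the two releases that carried
# the backdoor, false (exit 1) otherwise.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Parse the version number out of `xz --version` text given on stdin,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Kept separate from running xz so
# the parsing can be exercised on canned input.
parse_xz_version() {
    head -n1 | sed -n 's/.* \([0-9][0-9.]*\).*/\1/p'
}

# Print the installed xz version, or return 1 if xz is not on the PATH.
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    xz --version 2>/dev/null | parse_xz_version
}

# True if `ldd` output given on stdin shows liblzma in the link map.
ldd_output_links_liblzma() {
    grep -q 'liblzma\.so'
}

# True if the sshd binary at $1 (default /usr/sbin/sshd) pulls liblzma into
# its address space; this is the "is sshd even exposed" check.
sshd_links_liblzma() {
    sshd_path="${1:-/usr/sbin/sshd}"
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | ldd_output_links_liblzma
}

# Summarise both checks. Prints one verdict per check and always returns 0,
# so larger scripts can call it and apply their own policy.
report() {
    if ver="$(installed_xz_version)" && [ -n "$ver" ]; then
        if is_backdoored_xz_version "$ver"; then
            echo "xz $ver: BACKDOORED release (CVE-2024-3094), replace immediately"
        else
            echo "xz $ver: not one of the backdoored releases"
        fi
    else
        echo "xz: not installed or version unreadable"
    fi

    if sshd_links_liblzma "$1"; then
        echo "sshd: loads liblzma (exposed if the library is backdoored)"
    else
        echo "sshd: does not load liblzma, or no sshd binary found"
    fi
    return 0
}

report "$@"
```

A version match alone is the decisive finding; the ldd check only tells you whether a backdoored library would have reached sshd on this particular build, which is why distributions that never linked sshd against ‘libsystemd’ were exposed less. Neither check replaces rolling the package back to a known-good build.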


How was the liblzma backdoor injected into the library?

It is a stark reality that CVE-2024-3094 is not an accidental bug in the open-source library XZ Utils: the malicious code was inserted deliberately by one of the project’s own maintainers.

The adversary began contributing to the XZ project nearly two years before the discovery. Gradually, they earned trust and credibility within the project and were granted expanded permissions on the repository. This progression led them to assume maintainer responsibilities and eventually to acquire release-manager privileges, which is what allowed the malicious m4 macro to be placed in the signed release tarballs without ever appearing in the git history.


How dangerous is the liblzma backdoor?

Ubuntu 24.04 LTS was just a month away from being released with this backdoor, and other distributions were in a similar situation. Perhaps the most apt description is this: had it gone undiscovered, Linux servers around the world would have been running a dormant threat waiting to be remotely activated by whoever held the backdoor’s private key. CVE-2024-3094 acts like a digital sleeper agent, awaiting a trigger to potentially unleash one of the most devastating cyberattacks ever seen.


How was the liblzma backdoor discovered?

Fortunately, this backdoor was detected early, before it reached the stable releases most of the Linux user community runs. Much of the credit belongs to Andres Freund from Microsoft, who noticed unusually slow SSH logins and high CPU usage in sshd while benchmarking PostgreSQL, diligently investigated the slowdown, and uncovered the liblzma backdoor.

Thank you, Andres, for your dedicated efforts! Your work deserves global acknowledgment for averting what could have been a worldwide disaster.


Open source is free but comes with a cost

Voluntarily maintained projects that become integral to larger ecosystems carry a particular risk. Users of open-source software (OSS) benefit from the original author’s work, often without offering adequate compensation or support in return. This imbalance places a significant support burden on maintainers and eventually wears them down.

Bad actors can then volunteer to assist such maintainers, possibly applying social pressure as a tactic. In return, they gain influence over the project, riding on the reputation of the original author and the established user base. In the case of XZ Utils, the consequences are evident in hindsight.


Source: https://www.ssh.com/blog/a-recap-of-the-openssh-and-xz-liblzma-incident


About DT Asia

DT Asia began in 2007 with a clear mission: to build the market entry for pioneering IT security solutions from the US, Europe and Israel.

Today, DT Asia is a regional, value-added distributor of cybersecurity solutions, providing cutting-edge technologies to key government organisations and top private sector clients, including global banks and Fortune 500 companies. We have offices and partners across the Asia Pacific region to better understand the markets and deliver localised solutions.