Upstream xz/liblzma Backdoor Lets Attackers Compromise SSH Servers

A backdoor has been discovered in the xz compression utilities, specifically in their liblzma library. The malicious code was built to compromise SSH servers.

XZ Utils is a set of lossless data compression tools found on practically every Linux system.
</gml:gr_replace>
<gr_replace lines="7" cat="clarify" orig="It is necessary for">
It is used to compress data and restore it to its original form in a wide range of processes, and it also supports the older .lzma format, which makes it even more widely used.

It is necessary for reducing data or restoring it to its initial form during a variety of processes. Xz Utils is also compatible with the old.lzma format. This way, it makes it much more helpful.

The problem was noticed on Debian sid systems because of odd behavior: SSH logins were consuming noticeably more CPU time, and Valgrind was reporting memory errors in liblzma. The root cause was traced to a backdoor in the upstream xz releases.

Discovery Of The Backdoor

The investigation, led by Microsoft software engineer Andres Freund, found that "the backdoor was not only included in Debian's package but also in the upstream xz tarballs for versions 5.6.0 and 5.6.1."

The malicious code was cleverly buried in the distributed release tarballs only: it does not appear in the source code in the project's git repository, so anyone reviewing the repository would not have seen it. That mismatch is what makes the attack so nasty.

The backdoor injects an obfuscated script into the build process. That script alters the Makefile so that the build links in a payload concealed inside seemingly harmless test files.

Notably, the payload alters the behavior of the SSH server: it slows SSH logins measurably and is designed to give an attacker unauthorized access.

Scope And Impact

The backdoor specifically targets x86-64 Linux builds produced with GCC and the GNU linker. To avoid discovery, it activates only under specific conditions, namely when the build is detected as part of a Debian or RPM package build.

This focused approach shows a thorough understanding of Linux distribution build procedures, combined with a clear intent to attack these systems unnoticed.

The backdoor does not modify the OpenSSH package itself. Instead it exploits a dependency chain: several Linux distributions patch OpenSSH to support systemd notifications, which links sshd against libsystemd, and libsystemd in turn depends on the compromised liblzma.

This indirect attack vector shows how interdependent modern software ecosystems are, and how a single compromised component can have a far wider impact.

According to the Red Hat study, “this backdoor exists exclusively in the most recent branch of xz (versions 5.6 and 5.6.1). People using versions 5.4 and older should be alright.”

"Current investigation shows that the packages are only available in Fedora 40 and Fedora Rawhide within the Red Hat community ecosystem. No versions of Red Hat Enterprise Linux (RHEL) are affected."

Response And Mitigation

The revelation of this vulnerability spurred the security community to take swift action.

Red Hat has assigned the issue CVE-2024-3094. Work is underway to fix impacted systems and prevent future exploitation, and system administrators can use a detection script to identify possibly susceptible installations.
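The checks such a script performs follow from the dependency chain described above: is the installed xz one of the two backdoored releases, and does sshd actually load liblzma? The script below is an added example written for this article; it is not the detection script the page refers to, and the `xz --version` and `ldd` outputs it contains are constructed samples, not captures from a real host.

```sh
#!/bin/sh
# Added example for this article, not the detection script the page mentions.
# Two checks an administrator would run:
#   1. is the installed xz/liblzma one of the backdoored releases (5.6.0, 5.6.1)?
#   2. does sshd pull in liblzma (via the distribution's libsystemd patch)?
# The sample outputs below are constructed for offline testing.

# Return 0 when the version string is a known backdoored release.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version number from `xz --version` output
# (the first line looks like "xz (XZ Utils) 5.6.1").
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* //p'
}

# Return 0 when the given ldd output or /proc/<pid>/maps text shows liblzma
# being loaded; prints the matching line(s).
links_liblzma() {
    printf '%s\n' "$1" | grep 'liblzma\.so'
}

# Combined verdict: prints one line, returns 0 if the host looks exposed,
# 1 otherwise. $1 is `xz --version` output, $2 is ldd/maps output for sshd.
assess() {
    ver=$(parse_xz_version "$1")
    if [ -z "$ver" ]; then
        echo "xz not found"
        return 1
    fi
    if is_affected_xz_version "$ver"; then
        if links_liblzma "$2" >/dev/null; then
            echo "EXPOSED: xz $ver installed and sshd loads liblzma"
            return 0
        fi
        echo "AT RISK: xz $ver installed (sshd does not load liblzma)"
        return 0
    fi
    echo "OK: xz $ver is not a backdoored release"
    return 1
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_SSHD='        linux-vdso.so.1 (0x00007ffd9b3e0000)
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c2a000000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c29fc0000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)'

# Run against the samples, then against the live host if the tools exist.
assess "$SAMPLE_XZ_VERSION" "$SAMPLE_LDD_SSHD" || true
if command -v xz >/dev/null && command -v sshd >/dev/null; then
    # ldd invokes the dynamic loader on the target; use it only on binaries you trust.
    assess "$(xz --version 2>/dev/null)" "$(ldd "$(command -v sshd)" 2>/dev/null)" || true
fi
```

Two caveats apply on a real host. `ldd` only reports libraries named in the binary's dynamic section, so if libsystemd loads liblzma lazily with dlopen, the library will not show up; inspecting `/proc/<pid>/maps` of the running sshd (the same `links_liblzma` check works on that text) is more reliable. And a version check is only a first pass: a system that had 5.6.0 or 5.6.1 installed and exposed sshd should be treated as potentially compromised rather than simply downgraded.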

Given the severity of the vulnerability and the risk of unauthorized access to affected systems, users and administrators should downgrade or upgrade their installations as soon as feasible.

The discovery of a backdoor in a compression library as widely used as xz is a sharp reminder of the ongoing risks to the software supply chain, and of the importance of vigilance in monitoring and safeguarding vital infrastructure.

As attackers develop more sophisticated infiltration tactics, the security industry must stay diligent in finding and addressing vulnerabilities like this one.