Everything I know about the XZ backdoor xz-utils backdoor situation

claude.icon A summary of the xz-utils backdoor incident is as follows:

  • On March 29, 2024, a backdoor was discovered in the widely used compression software xz-utils.
  • The backdoor is believed to have been planted by Jia Tan, the maintainer of xz-utils, who became involved in the development of xz-utils about two years earlier and gradually gained the project's trust.
  • The backdoor was very cleverly designed and was only triggered under certain conditions. The main targets were Linux systems using systemd and openssh.
  • Once the backdoor is triggered, it becomes possible to bypass ssh authentication and enter the system. No other effects are known at this time.
  • Jia Tan also exhibited suspicious behavior, including using another account to push strongly for a patch containing a backdoor to be merged.
  • The main maintainer, Lasse Collin, was on vacation and could not stop Jia Tan's activities. Some have pointed out that the harsh conditions open source developers work under lie behind the situation.
  • Jia Tan's GitHub account has been frozen and the backdoor removed, but other impacts are being investigated; numerous systems, including xz-utils, are being investigated and updated. As described above, this was an attack from within by a developer with whom a long-term relationship of trust had been established, and it is an incident that once again highlights the vulnerability of open source software.
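
Two checks a practitioner would want to run on a Linux host after reading the summary above, as an added example that is not from this page, the xz project, or any of the people quoted here. It assumes, since the page names neither, that the affected upstream releases are xz 5.6.0 and 5.6.1 as reported in the public advisories, and that the trigger path relied on sshd being dynamically linked against liblzma (on systemd-based distributions, via libsystemd). The version list, the helper names and the constructed sample output strings are the example's own.

```sh
#!/bin/sh
# Added example, not code from the page or from the xz project.
# Assumptions (labelled):
#   - affected upstream releases are xz 5.6.0 and 5.6.1 (public advisories;
#     the page itself names no versions);
#   - the trigger path depended on sshd being dynamically linked against
#     liblzma (via libsystemd on systemd distros), so that linkage is the
#     exposure indicator checked here. Linkage alone means "exposed if an
#     affected liblzma is installed", not "compromised".

AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"   # assumption, see above

# xz_version_affected "<output of xz --version>"
# Returns 0 when the reported release is in AFFECTED_XZ_VERSIONS, 1 otherwise.
xz_version_affected() {
    # First line of `xz --version` looks like:  xz (XZ Utils) 5.6.1
    ver=$(printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p')
    [ -n "$ver" ] || return 1
    for v in $AFFECTED_XZ_VERSIONS; do
        [ "$ver" = "$v" ] && return 0
    done
    return 1
}

# binary_links_liblzma "<output of ldd <binary>>"
# Returns 0 when liblzma appears among the resolved shared objects.
binary_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live check against the running host. Only meaningful where sshd exists.
# ldd is run on the system sshd, which is trusted here; never ldd an
# untrusted binary, since ldd may invoke the binary's loader.
check_host() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ ! -x "$sshd_path" ]; then
        echo "sshd not found at $sshd_path; nothing to check"
        return 2
    fi
    rc=0
    if xz_version_affected "$(xz --version 2>/dev/null)"; then
        echo "WARNING: installed xz reports an affected release; update it"
        rc=1
    else
        echo "xz release not in the affected list (or xz not installed)"
    fi
    if binary_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "NOTE: $sshd_path links liblzma (the path the backdoor relied on)"
    else
        echo "OK: $sshd_path does not link liblzma"
    fi
    return $rc
}

# Run the live check only when asked, e.g.:  RUN_LIVE_CHECK=1 sh xz_check.sh
if [ -n "${RUN_LIVE_CHECK:-}" ]; then
    check_host
    exit $?
fi
```

The exit status of check_host is what to script against: 1 means an affected release is installed, 2 means there was no sshd to inspect. The liblzma linkage line is informational, because on systemd-based distributions sshd links liblzma by design and that only matters when an affected liblzma is present.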
nishio.icon
  • A "Linux system using systemd and openssh" is very major infrastructure of the digital society, and a "backdoor" that makes it "hackable" is, in a non-engineer's analogy, like a master key that can open any door.
  • Fortunately, this time the tampering was discovered before it was widely deployed, but some are concerned that there may be tampering that has not yet been discovered because it was hidden successfully, based on the idea that "things that are easy to find are found first."
  • Others believe that the behavior of using compression software, which is seemingly unrelated to the system to be penetrated and unlikely to attract attention, as the foothold, and then exploiting the personal circumstances of the main maintainer to commit the act after long-term trust-building, suggests the existence of a sponsor such as a state or an antisocial organization rather than the spontaneous motivation of a single individual. There is no clear evidence to determine whether this is [[conspiracy theory]] or correct speculation.

dmikurube Amazing. Three years of building trust and planting backdoors. It's like a thousand years of work to trick the demon tribe, but there's actually an incentive to do this… [Everything I know about the XZ backdoor https://boehs.org/node/everything-i-know-about-the-xz-backdoor]
dmikurube The fact that the maintenance of these things rests on the shoulders of individuals, and the fact that detecting them was almost entirely the work of individual craftsmanship… What can I say?
dmikurube But given that there was one of these, I guess I should assume there are others. Ugh.
dmikurube In the open source culture, there are many people who say "I'm waiting for your contribution", but when I see examples like this, it's difficult. As a maintainer, I can't accept it so lightly.
dmikurube (I am quite bitter about people who complain like that. Even if I am not the maintainer.)
dmikurube In fact, with Embulk, if you can sneak in a little work, you can probably divert data from one company to another. I'm watching it carefully. Many plug-ins are out of our jurisdiction, though.
dmikurube I try not to carelessly use third-party actions like GitHub Actions. It's a good target for doing something. And typically, Gradle plugins…
dmikurube "In April 2022, Jia Tan submits a patch via a mailing list. The patch is irrelevant, but the events that follow are. A new persona - Jigar Kumar enters, and begins pressuring for this patch to be merged." Wow. I guess those who pressure people to "merge this" should be judged the same way.
dmikurube "Soon after, Jigar Kumar begins pressuring Lasse Collin to add another maintainer to XZ. In the fallout, we learn a little bit about mental health in open source." Hmmm…

izutorishima Wow, they spent 3 years contributing to xz-utils to win their trust and then put a backdoor in… too egregious! … I can only say it was a coincidence that it was found, and if it had made its way into Ubuntu or the like, I'd be scared to log in without a password to any public server that exposes sshd.

piro_or The colors.js debacle was about the developers themselves messing things up, not necessarily because it was open source, as with WinGroove in the [WinGroove incident], but this is a story that only open source can tell: a developer gains trust through contributions, even obtains commit privileges, and then becomes an attacker.
piro_or In the WinGroove case, could it now be the subject of an investigation for unauthorized electromagnetic recording?

nishio Given the law that "a fraud that is found is a fraud that is poorly covered up", a remote login backdoor was found in xz and dealt with while it still could be. I'm glad that was possible. … but it's more likely that a similar backdoor has been planted in something that isn't known and is spreading.

Cryolite [image]

Cybercrime


This page is auto-translated from /nishio/xz-utilsバックドア事件 using DeepL. If you see something interesting but the auto-translated English is not good enough to understand it, feel free to let me know at @nishio_en. I'm very happy to spread my thoughts to non-Japanese readers.