CVE-2024-3094: Why the xz-utils backdoor is more than a technical issue
Despite the Easter holidays, a lot of incredible work was done over the weekend by many researchers analysing the details of the xz-utils backdoor.
Some examples are:
- xz-utils backdoor situation (CVE-2024-3094) (github.com)
  The most comprehensive analysis of the backdoor and its history of origin known to me.
- Everything I know about the XZ backdoor (boehs.org)
  Analysis of the attackers' tactics for introducing the backdoor.
- https://github.com/amlweems/xzbot
  Patches the public key necessary for activation of the backdoor for further analysis and provides a honeypot to analyze attempts to exploit the vulnerability.
- @filippo.abyssdomain.expert on Bluesky (bsky.app)
  Further analysis of the payload.
As the situation unfolds, it is becoming clear that this was not just one of the most sophisticated (perhaps the most sophisticated) technical attempts to introduce a backdoor into open source software.
Beyond the technical aspects of the attack, it's equally important to emphasize that this attempt was an extremely well-crafted piece of social engineering.
So, let’s learn how the attackers were able to successfully take over an open-source project in order to identify what’s necessary to protect our software against such an attack in future.
The timeline is based on the great analysis in Everything I know about the XZ backdoor (boehs.org).
Disclaimer: I'm describing the steps from the attacker's perspective for educational purposes, in order to prevent such attacks from being successful in future. Using these steps to manipulate people is unethical and can lead to criminal prosecution.
- Find a widely used OSS package that is maintained by a single person as a hobby project but is no longer regularly updated.
- Set up your malicious account, but be patient. Don't misuse it right away to the full extent; start with smaller changes, also in projects other than your target project. Build up credibility for your account.
- The following pull request for libarchive is from November 2021. It was not considered suspicious at the time and was merged into the project, but it has been highly suspicious since 29.03.2024 (the date the xz-utils backdoor was discovered), as it replaces calls to safe_fprintf with calls to the unsafe fprintf function:
Added error text to warning when untaring with bsdtar by JiaT75 · Pull Request #1609 · libarchive/libarchive (github.com)
- Start contributing non-suspicious changes to the package you target and support the package maintainer to handle the workload.
- Put subtle pressure on the maintainer via the package's mailing list, using several email accounts imitating different persons. Ask why changes are not being made more quickly, and suggest that someone else should take over maintenance of the package.
  Make sure to emphasise that you understand the maintainer's limitations, but that it's only for the good of the widely used package if he/she steps down.
- Surprise, surprise – a potential maintainer candidate with established credibility is already available and ready to increase his or her privileges by being promoted to the maintainer role of the package.
- After some time, and over multiple commits, implement the backdoor – but not directly in the code. Instead, use obfuscated binary test files that are processed by the manipulated build process.
- Actively inform the large Linux distributions about the new version of your library via a third-party fake email address (which built up minimal credibility in the days before by creating updates for other small packages as well), and again try to influence the discussion by exerting pressure through yet another mail address (imitating another person), claiming that the update is urgently needed and blocks others' work.
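The security point behind the libarchive pull request mentioned above, as an added example that is not libarchive's code: bsdtar's safe_fprintf escapes non-printable bytes so that error text built from archive entry names cannot carry terminal control sequences to the user's terminal, which a plain fprintf("%s", ...) does nothing to prevent. The functions below are a simplified, hypothetical reimplementation of that idea; the file name with an embedded ESC byte is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the escaping done by bsdtar's safe_fprintf()
 * (added example, not libarchive's code). Bytes a terminal could interpret
 * as control sequences are written as C-style octal escapes; printable
 * ASCII passes through and a backslash is doubled so output stays
 * unambiguous. Returns the escaped length (without the NUL), or
 * (size_t)-1 if `out` cannot hold the result. */
size_t escape_for_terminal(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char piece[8];
        int len;
        if (*p == '\\')
            len = snprintf(piece, sizeof piece, "\\\\");
        else if (*p >= 0x20 && *p < 0x7f)
            len = snprintf(piece, sizeof piece, "%c", *p);
        else
            len = snprintf(piece, sizeof piece, "\\%03o", (unsigned)*p); /* ESC -> \033 */
        if (n + (size_t)len >= outlen)
            return (size_t)-1;
        memcpy(out + n, piece, (size_t)len);
        n += (size_t)len;
    }
    out[n] = '\0';
    return n;
}

/* Safe replacement for the fprintf(f, "%s", msg) pattern: escape first,
 * then write. Returns the number of bytes written, or -1 on failure. */
int safe_fputs(FILE *f, const char *msg)
{
    char buf[1024];
    size_t n = escape_for_terminal(msg, buf, sizeof buf);
    if (n == (size_t)-1)
        return -1;
    return fputs(buf, f) < 0 ? -1 : (int)n;
}

int main(void)
{
    /* Constructed entry name: written raw via fprintf("%s") the ESC byte
     * would start a terminal control sequence (here: clear screen). */
    const char *name = "evil\x1b[2Jname.tar";
    fputs("bsdtar: ", stderr);
    safe_fputs(stderr, name);              /* prints evil\033[2Jname.tar */
    fputs(": Can't restore time\n", stderr);
    return 0;
}
```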