The security problem with XZ Utils

The security alert with XZ Utils

On Friday, March 29, 2024, the Linux community was shaken by an urgent notice issued by Red Hat (owned by IBM). In this post we explain what exactly the security problem with XZ Utils is, which Linux distributions are affected and how to deal with it.

XZ Utils is a set of lossless data compression tools (the xz, unxz and xzcat commands together with the liblzma library) found in almost every Linux distribution. Its everyday job is compressing large files into a format that takes up less space, but the part that matters here is liblzma: it is a shared library loaded by many other programs, not only by the xz command itself.

The security problem with XZ Utils

The advisory, tracked as CVE-2024-3094 and scored 10.0 (critical, the highest possible) under CVSS, affects versions 5.6.0 and 5.6.1 of XZ Utils. The first was released on February 24, 2024 and the second on March 9, 2024. According to the Red Hat report:

Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code.

This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

The malicious code was added to the project's GitHub repository by a contributor known as Jia Tan, who had been trusted with maintainer access. Its target is the OpenSSH daemon, sshd: on Debian and Fedora style systems, sshd is patched to link against libsystemd for service notifications, and libsystemd in turn pulls liblzma into the sshd process. Once loaded there, the backdoor hooks the RSA public key verification that sshd performs during authentication, so that a remote attacker holding the right private key can bypass authentication and gain unauthorized access to the system.

GitHub disabled all repositories of the Tukaani Project (the project behind XZ Utils, in which Jia Tan was a maintainer) and suspended the accounts involved, although the original maintainer denied any involvement in the issue.

The affected distributions

For the most part, the affected distributions are those in a testing or rolling-release phase, because stable releases had not yet picked up the 5.6.x packages. All of them have since published fixed packages.

  • Fedora 40, Fedora 41 and Fedora Rawhide.
  • Kali Linux updated between March 26 and 29.
  • openSUSE Tumbleweed and openSUSE MicroOS updated between March 7 and March 28.
  • Debian Testing, Unstable and Experimental.

In the case of Ubuntu 24.04, which was still in development, the affected package had been uploaded to the proposed pocket but had not reached the release, so it was withdrawn before users installed it.
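The two things a practitioner wants to know about a host are whether it carries one of the two backdoored releases and whether its sshd would actually load liblzma, since that is the path by which the backdoor reaches the SSH daemon. The following script is an added example written for this post, not a tool from the XZ Utils project or from any distribution; it assumes `xz --version` prints its usual first line ("xz (XZ Utils) 5.6.1") and that the OpenSSH server binary is named sshd and found on the PATH or in /usr/sbin.

```shell
#!/bin/sh
# check_xz.sh: added example for this post (not from XZ Utils or any distro).
# Flags the backdoored XZ Utils releases named in CVE-2024-3094 and checks
# whether sshd would load liblzma (through libsystemd on Debian and Fedora
# style builds). The sshd check is a heuristic and assumes an sshd binary on
# the PATH or at /usr/sbin/sshd.

# Return 0 if a version string is one of the two backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract "X.Y.Z" from the first line of `xz --version`, which looks like
# "xz (XZ Utils) 5.6.1". Prints nothing if the line does not match.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Report on the installed xz binary. Returns 0 if affected, 1 if not
# affected, 2 if xz is not installed or its version cannot be parsed.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 2
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "xz: could not parse version"
        return 2
    fi
    if xz_version_affected "$ver"; then
        echo "xz: $ver is a backdoored release (CVE-2024-3094)"
        return 0
    fi
    echo "xz: $ver is not one of the affected releases"
    return 1
}

# Return 0 if the sshd binary would load liblzma at run time. liblzma is a
# transitive dependency (via libsystemd), so ldd is used rather than
# readelf -d, which only shows direct NEEDED entries.
sshd_links_liblzma() {
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd" ] || return 1
    ldd "$sshd" 2>/dev/null | grep -q 'liblzma'
}

# Run the checks only when executed directly, not when sourced.
if [ "${0##*/}" = "check_xz.sh" ]; then
    check_installed_xz
    if sshd_links_liblzma; then
        echo "sshd: loads liblzma, so a backdoored liblzma would reach sshd"
    else
        echo "sshd: does not load liblzma (or sshd not found)"
    fi
fi
```

Run it as `sh check_xz.sh`. If xz reports 5.6.0 or 5.6.1, update through your distribution's package manager, which rolled the package back to a 5.4.x build, and treat the host as potentially compromised if its sshd was reachable from the Internet while the bad package was installed. One caveat: `ldd` runs the dynamic loader on the inspected binary, so on a host you already suspect, prefer reading `/proc/<pid>/maps` of the running sshd process for the liblzma mapping instead.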

Clarifications from the maintainer

Lasse Collin, the Tukaani Project maintainer responsible for the library, made the following clarifications:

  1. The git repository at git.tukaani.org is still active.
  2. Only packages signed by Jia Tan are affected.
  3. Since GitHub took down not only Jia Tan's repository but everything related to the library, including the website, it is possible that from now on the project will continue under the domain tukaani.org.

The discovery

The person who first detected the problem was Andres Freund, a PostgreSQL developer employed by Microsoft, who was struck by the unusually high CPU consumption of sshd on Debian Sid when logging in via SSH. Andres believes Jia Tan is responsible, given that the malicious changes were introduced through his commits and through the patches he circulated on the project's mailing lists.

What we can learn

In this case, the advantages of free and open source software worked in our favor: a researcher detected the problem and it was quickly resolved. But before congratulating ourselves, let's consider:

  • For security expert Thaddeus Grugq, a state-level actor is behind this. Had the problem not been detected, the attackers would have had a way into most Internet-connected Linux systems running the affected sshd.
  • According to cryptography specialist Filippo Valsorda, this might be the best-executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, well done, and passing all checks on a widely used library.

The origin of the problem can be traced to this message posted in 2022 on the project's mailing list by the original maintainer:

I haven't lost interest, but my ability to care has been fairly limited, mostly because of long-term mental health issues but also because of a few other things. Recently I've worked with Jia Tan on XZ Utils and perhaps he'll have a bigger role in the future, we'll see.

It's also good to keep in mind that this is an unpaid hobby project.

In any case, I assure you that I know too well that not much progress has been made. The idea of finding new maintainers has also been around for a long time, since the current situation is obviously bad and sad for the project.

This is not the first time the free software world has had problems because large distributions build on components developed by unpaid and often exhausted volunteers who do what they can in their free time. And it seems that attackers have decided to take advantage of exactly that.

