DEV Community

Gonçalo Alves

The Shocking Discovery of a Backdoor in XZ Utils: A Threat to Internet Systems

Introduction

A recent discovery has shaken the security community. A backdoor was found in XZ Utils, the widely used compression tool and library (liblzma) known for its high compression ratios, and tracked as CVE-2024-3094. Had it gone unnoticed, it would have reached the stable releases of many Linux distributions, exposing every system whose SSH daemon ends up loading liblzma. In this article, we will go through the details of the discovery, what the backdoor does, who seems to have been behind it, and the steps to protect yourself.

Understanding the Backdoor

The backdoor in XZ Utils was first noticed by a developer at Microsoft who was troubleshooting SSH issues on a Debian Linux system. He observed that SSH logins were taking longer than usual, consuming excessive CPU cycles, and generating errors with a memory debugging tool. Through careful analysis, he traced the problem to recent updates made to XZ Utils, which turned out to be a malicious backdoor.

The Extent of the Backdoor

Initially, it looked as if the problem might be specific to Debian's XZ package. Further investigation revealed that the backdoor was present upstream, in the official release tarballs of XZ Utils 5.6.0 and 5.6.1. This meant that, if left undetected, it would have flowed downstream into every distribution that packages upstream releases, and from there into a significant portion of the servers on the internet. Because XZ Utils is open-source software whose code anyone can read, the backdoor had to be meticulously concealed to avoid detection.

Uncovering the Backdoor

The backdoor was cleverly hidden within binary files in the test folder (ostensibly corrupt test archives), rather than in the readable source code tracked in Git. The one change to the build system, a modified m4 macro that extracts the payload during the build, appeared only in the release tarballs and not in the Git repository, so reviewing the repository alone would not have revealed it. Interestingly, the payload was compressed with xz itself and lightly obfuscated with a byte substitution that the build step undoes with tr, adding an extra layer of indirection to its analysis. The extraction worked in stages: chunks of data were decoded, used to unpack the next stage, and discarded, until the final stage was reached.

The Functionality of the Backdoor

Once fully extracted, the payload was an object file that the build process linked into liblzma. When reverse engineered, it was found to run during library initialization (via an IFUNC resolver for the CRC routines) and to hook the dynamic linker's symbol binding through the rtld audit interface, so that it could observe symbols and libraries not yet loaded. It then waited for the PLT entry of RSA_public_decrypt to be resolved in the host process and redirected it to its own code. This matters because on Debian- and Red Hat-style systems sshd is linked against libsystemd, which in turn loads liblzma, so the backdoor ended up inside the SSH daemon. An attacker holding the matching private key could then embed a command in the certificate presented at login and have sshd execute it as root, before any authentication took place: remote code execution on any exposed server.

The Intricate Operation

The discovery of this backdoor shed light on an elaborate operation that had been in progress for years. The account that introduced the backdoor, "Jia Tan", began contributing in 2021, gained the trust of the original maintainer, and eventually obtained release rights. Several other accounts with no prior history appeared during this time, pressuring the maintainer over the slow release schedule of XZ Utils and pushing for the new contributor to be given more responsibility. The operation involved subtle, incremental changes to the repository and the build system, culminating in the 5.6.0 and 5.6.1 releases, which were then picked up by Debian unstable and testing, Fedora Rawhide and 40 beta, openSUSE Tumbleweed and other rolling or pre-release distributions.

Mitigating the Threat

To protect against this backdoor, check which version of XZ Utils (and liblzma) is installed: versions 5.6.0 and 5.6.1 are the compromised ones. If you have either, install the fixed package from your distribution as soon as it is available, and until then downgrade to a version prior to these releases (the 5.4.x series). Even if you are not using a Red Hat or Debian-based system, it is crucial to remain vigilant, as the full scope of this threat is still being investigated. Additional malicious changes may yet be found, given the extensive manipulation that occurred within the XZ repository over several years.
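To make the check above concrete, here is an added example (not code from the original post or from the xz project) that a practitioner can run on a host. It combines the two facts from this article: only XZ Utils 5.6.0 and 5.6.1 carry the backdoor, and the hook only matters when sshd has liblzma mapped into its process. The parsing functions take command output as arguments so they can be exercised on constructed sample strings; the paths tried for sshd are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post or from the xz project.
# Checks whether a host looks exposed to the xz backdoor (CVE-2024-3094).

# True (exit 0) when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1". Takes the output as an argument so the
# parsing can be tested without running xz.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when `ldd` output for a binary lists liblzma, meaning the
# library (and any backdoor inside it) would be loaded into that process.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run both checks on the current host. Prints a verdict and always returns 0
# so it can be dropped into an inventory loop without aborting it.
check_host() {
    verdict="xz not found on this host"
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            verdict="AFFECTED: xz $ver installed; downgrade to a 5.4.x release or install your distribution's fixed package"
        else
            verdict="xz ${ver:-unknown} is not one of the backdoored releases"
        fi
    fi
    echo "$verdict"

    # Assumed install locations for sshd; adjust for your system.
    for sshd in /usr/sbin/sshd /usr/local/sbin/sshd; do
        [ -x "$sshd" ] || continue
        if links_liblzma "$(ldd "$sshd" 2>/dev/null)"; then
            echo "$sshd links liblzma: a backdoored liblzma would be loaded into sshd"
        else
            echo "$sshd does not link liblzma"
        fi
    done
    return 0
}

check_host
```

Note that the version check alone is not a clean bill of health: distributions that shipped a reverted package may still report 5.6.x with a patch suffix, so compare against your distribution's advisory, and treat any sshd that links liblzma on a host that ran a backdoored version as potentially compromised rather than merely "fixed" after a downgrade.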

Conclusion

The discovery of a backdoor in XZ Utils has sent shockwaves through the security community. It was caught not by a security tool but by one engineer who refused to ignore a half-second delay, which is a reminder of how thin the margin was and of the constant vigilance required to maintain the security of the open-source software the whole ecosystem depends on. By promptly updating systems, auditing what our privileged daemons actually load, and staying informed about emerging threats, we can reduce the risk posed by this kind of long-running supply-chain attack. Let us remain proactive in safeguarding our systems and ensuring the integrity of the software we rely on.

Connect with me

If you like this article, be sure to leave a comment. That will make my day!

If you want to read other stuff by me you can check out my personal blog.

If you want to connect with me you can send me a message on Twitter/X.

You can also check out other things I have going on here.
