The Social Engineering of XZ

--

It sounds like one of those Hollywood scripts where an evil genius hacks into a core part of the Internet and inserts a backdoor, then listens in on everyone's secret communications without being detected. But it is not science fiction: someone calling themselves "Jia Tan" planted a backdoor in the xz compression library that reaches into the OpenSSH server, and very nearly got away with it. So let's investigate the most critical vulnerability since Heartbleed: the XZ backdoor.

The XZ vulnerability (CVE-2024-3094) is a serious flaw that has been rated with a CVSS score of 10.0. This is the maximum level possible, and affected systems should be patched (or downgraded to an unaffected release) urgently. The backdoor in the XZ library appears to have been planted by Jia Tan (GitHub handle JiaT75), who gained commit and release rights to the XZ project on GitHub by first showcasing their talents:

Overall, "Jia Tan" is the person or group that inserted the backdoor into the library, and the attack was as much a social engineering attack on the maintainer as an attack on the code. It likely involved several years of work. Many have observed that the email above looks as if it was generated by AI, which perhaps points to state-actor activity. The target is Linux servers, and the vulnerability was spotted by Andres Freund, a Microsoft employee and PostgreSQL developer [here]:

Timeline

From 2005 to 2008, Lasse Collin and others created the .xz file format, which uses LZMA compression; the xz-utils tools and the liblzma library became a standard part of most Linux distributions. Over 2021 and 2022, Jia posted several patches to the xz-devel mailing list. A user named "Jigar Kumar" then posted repeatedly to the list asking why Jia's patches had not been applied. Lasse responded in June 2022 with:

“I haven’t lost interest but my ability to care has been fairly limited mostly due to longterm mental health issues but also due to some other things. Recently I’ve worked off-list a bit with Jia Tan on XZ Utils and perhaps he will have a bigger role in the future, we’ll see. It’s also good to keep in mind that this is an unpaid hobby project.”

The first major commit of Jia's work, made by Lasse with Jia recorded as the author, happened just after this posting. Jigar still complained about slow progress, and others too put pressure on Lasse, such as Dennis Ens:

“I am sorry about your mental health issues, but it's important to be aware of your own limits. I get that this is a hobby project for all contributors, but the community desires more. Why not pass on maintainership for XZ for C so you can give XZ for Java more attention? Or pass on XZ for Java to someone else to focus on XZ for C? Trying to maintain both means that neither are maintained well.”

At this point, Lasse said that Jia would need to take a greater role in the project going forward, and Jigar continued to push for Jia to be given that role. Soon after, Lasse allowed Jia to become a maintainer of the repository. Neither Jigar nor Dennis appear anywhere else on the Internet, and they are likely fake identities created to pressure Lasse into giving Jia access. By September 2022, Jia was outlining the 5.4.0 release, and by November 2022 the README listed the project maintainers as Lasse Collin and Jia Tan.

Jia's first release as a maintainer, Version 5.4.1, appeared in January 2023. In February 2024, Jia integrated the backdoor code, hidden inside binary files in the test suite, and shipped it as Version 5.6.0 in the xz-5.6.0.tar.gz distribution tarball. The modified build script that starts the injection, m4/build-to-host.m4, exists only in the tarball and does not appear in the GitHub repository, so anyone auditing the git history alone would not have seen it. In March 2024, Jia pushed out Version 5.6.1 with an updated backdoor. At the end of March 2024, Andres Freund found the backdoor (public disclosure on 29 March), and Red Hat assigned CVE-2024-3094.
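The tarball-only build-to-host.m4 is the kind of discrepancy a release audit should catch. As an added example (not the article's or the xz project's own code), the script below diffs a release tarball against the git checkout it claims to be built from, reporting files that exist only in the tarball and files whose contents differ. The "release" it builds for itself is a constructed toy with made-up file contents, not the real xz-5.6.0 tree; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article or from the xz project.
# Compares a release tarball against the git checkout it was supposedly built
# from. Generated autotools output (configure, Makefile.in, ...) is expected to
# be tarball-only; a hand-written macro such as m4/build-to-host.m4 showing up
# as tarball-only, or a tracked file showing up as modified, needs a look.

# Usage: audit_tarball <release.tar.gz> <git-checkout-dir>
# Prints one line per finding: "tarball-only <path>" or "modified <path>".
audit_tarball() {
    tarball=$1
    tree=$2
    work=$(mktemp -d)

    # Unpack and strip the top-level directory (xz-5.6.0/ and the like).
    mkdir "$work/tar"
    tar xzf "$tarball" -C "$work/tar" --strip-components=1

    ( cd "$work/tar" && find . -type f | sed 's#^\./##' | sort ) > "$work/tar.list"
    ( cd "$tree" && find . -type f -not -path './.git/*' | sed 's#^\./##' | sort ) > "$work/git.list"

    # Present in the tarball, absent from git.
    comm -23 "$work/tar.list" "$work/git.list" | sed 's/^/tarball-only /'

    # Present in both: compare contents byte for byte.
    comm -12 "$work/tar.list" "$work/git.list" | while read -r f; do
        if ! cmp -s "$work/tar/$f" "$tree/$f"; then
            echo "modified $f"
        fi
    done

    rm -rf "$work"
}

# Constructed sample (not the real xz tree): a tiny "git checkout" plus a
# release tarball that adds one macro file and alters another, the shape of
# tampering that only the distributed archive carried. Prints the directory
# that holds both.
make_sample_release() {
    base=$(mktemp -d)
    mkdir -p "$base/git/m4" "$base/rel/xz-5.6.0/m4"
    echo 'AC_INIT([xz], [5.6.0])' > "$base/git/configure.ac"
    echo 'AC_DEFUN([TUKLIB_CPUCORES], [])' > "$base/git/m4/tuklib_cpucores.m4"
    cp -r "$base/git/." "$base/rel/xz-5.6.0/"
    echo 'AC_DEFUN([gl_BUILD_TO_HOST], [])' > "$base/rel/xz-5.6.0/m4/build-to-host.m4"
    echo 'AC_DEFUN([TUKLIB_CPUCORES], [gl_BUILD_TO_HOST])' > "$base/rel/xz-5.6.0/m4/tuklib_cpucores.m4"
    ( cd "$base/rel" && tar czf "$base/xz-5.6.0.tar.gz" xz-5.6.0 )
    echo "$base"
}
```

Against a real autotools project the tarball-only list will be long, because the archive legitimately contains generated files; the stronger check is to regenerate the tarball yourself from the tagged commit and diff that against the published one, so that anything a maintainer added by hand stands out on its own.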

In February and March 2024, Jia published the two backdoored versions, 5.6.0 and 5.6.1, and then canvassed the developers of Ubuntu, Red Hat and Debian to pull the new version into their distributions. The ones that did integrate it were [here]:

It’s a perfect 10

The majority of our digital world is not made up of Microsoft Windows, but of Linux. It powers most of our servers and is embedded into many of our smart devices. Now a backdoor in xz-utils has been rated at the highest possible risk rating [here]:

The backdoor was discovered within the release tarballs of xz (from Version 5.6.0 onwards), and was obfuscated so that it could avoid detection. It modifies the build of the liblzma library, so that the resulting shared object can intercept and modify data in any process that loads it. One significant finding is that the OpenSSH daemon was affected by the backdoor even though sshd does not directly link liblzma: on several distributions, sshd is patched to link libsystemd, and libsystemd in turn depends on liblzma.

Overall, an .xz file is built from streams and blocks, and the per-stream block index supports fast random access when reading. Python's standard lzma module does not expose this, and has to read all the preceding data to satisfy a random-access request, whereas the third-party python-xz package does. An example from here is:

>>> import xz
>>> with xz.open('example.xz') as fin:
... fin.read(18)
... fin.stream_boundaries # 2 streams
... fin.block_boundaries # 4 blocks in first stream, 2 blocks in second stream
... fin.seek(1000)
... fin.read(31)
...
b'Hello, world! \xf0\x9f\x91\x8b'
[0, 2000]
[0, 500, 1000, 1500, 2000, 3000]
1000
b'\xe2\x9c\xa8 Random access is fast! \xf0\x9f\x9a\x80'

Many of the related GitHub repositories for xz were taken offline or disabled by GitHub after the disclosure [here]:

The seriousness of the vulnerability cannot be overstated. Anthony Weems reverse engineered the backdoor and created a proof-of-concept exploit for the RCE (Remote Code Execution), by rebuilding liblzma with his own signing key in place of the attacker's, since the backdoor only accepts payloads signed by the key embedded in it [here]:

Ref: [here]

The related GitHub is here:

Under the right circumstances, an external actor could bypass sshd authentication and gain full (root) access to a system. The backdoor hooks the RSA_public_decrypt function that OpenSSH calls, via OpenSSL, during public-key authentication, so that a specially crafted client certificate signed with the attacker's private key is treated as a command to execute rather than as a key to verify. Upstream OpenSSH does not use liblzma at all; the malicious code only reaches sshd because some distributions link sshd against libsystemd, which pulls liblzma into the process.
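The two facts above (the affected releases, and liblzma arriving in sshd through libsystemd) translate into two host checks. As an added example, not the article's, the xz project's or OpenSSH's own code, the script below reports which xz-utils and liblzma versions are installed and whether the local sshd links libsystemd and therefore loads liblzma. It assumes a Linux host with xz, sshd and ldd on the usual paths; the ldd output embedded in it is constructed for illustration, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the original article, the xz project or OpenSSH.
# Host checks for CVE-2024-3094: installed xz/liblzma version, and whether
# sshd ends up with liblzma in its address space. Assumes Linux with `xz`,
# `sshd`, `ldd` and `readlink -f` available.

# The two releases that shipped the backdoor.
xz_version_affected() {
    case $1 in
        5.6.0|5.6.1) echo affected ;;
        *)           echo not-affected ;;
    esac
}

# ldd prints the soname (liblzma.so.5); the real file carries the full version
# (liblzma.so.5.6.0). Given the resolved path, extract that version.
liblzma_version_from_path() {
    printf '%s\n' "$1" | sed -n 's/.*liblzma\.so\.\([0-9][0-9.]*\)$/\1/p'
}

# Given `ldd /usr/sbin/sshd` output, does liblzma get loaded into sshd?
# Upstream OpenSSH never links liblzma; distribution builds that link
# libsystemd (for sd_notify) inherit libsystemd's dependency on liblzma.
sshd_loads_liblzma() {
    if printf '%s\n' "$1" | grep -q 'liblzma\.so'; then echo yes; else echo no; fi
}

sshd_links_libsystemd() {
    if printf '%s\n' "$1" | grep -q 'libsystemd\.so'; then echo yes; else echo no; fi
}

# Constructed sample: ldd output of a distribution-patched sshd (made-up addresses).
SAMPLE_LDD_PATCHED='    linux-vdso.so.1 (0x00007ffc1a3f0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0a2c400000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0a2c3c0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0a2be00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a2bc00000)'

# Constructed sample: an sshd built from upstream sources, without the patch.
SAMPLE_LDD_UPSTREAM='    linux-vdso.so.1 (0x00007ffc1a3f0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0a2be00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a2bc00000)'

# Run the checks against the local host.
check_host() {
    # First line of `xz --version` is "xz (XZ Utils) 5.x.y"; keep the last field.
    ver=$(xz --version 2>/dev/null | sed -n '1s/.* //p')
    echo "xz-utils ${ver:-unknown}: $(xz_version_affected "$ver")"

    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd" ] || { echo "sshd not found"; return; }
    deps=$(ldd "$sshd" 2>/dev/null)
    echo "sshd links libsystemd: $(sshd_links_libsystemd "$deps")"
    echo "sshd loads liblzma:    $(sshd_loads_liblzma "$deps")"

    # The binary's version can differ from the library's; resolve the soname
    # symlink to the versioned file and check that too.
    lib=$(printf '%s\n' "$deps" | awk '/liblzma\.so/ { print $3 }')
    if [ -n "$lib" ]; then
        real=$(readlink -f "$lib")
        libver=$(liblzma_version_from_path "$real")
        echo "liblzma ${libver:-unknown} at $real: $(xz_version_affected "$libver")"
    fi
}
```

Run check_host on a server; "affected" against either version, combined with "sshd loads liblzma: yes", is the exposed configuration. A "no" on the sshd line does not make a backdoored liblzma safe to keep, since any other process that loads it is still running the attacker's code.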

Conclusions

If you run an open-source project on GitHub and want others to join in as maintainers, speak to them in person or over a video link, and check their identity.

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice