What’s Going on with XZ Utils?

xz Utils recently saw a new security vulnerability in its release tarballs (tar archives, which bundle multiple files and compress them into a single archive file to save space). The vulnerability, tracked as CVE-2024-3094, is present in versions of xz Utils from 5.6.0 onward. Malicious code is contained in these tarballs and is added through a complex process. It is rated a Critical-level vulnerability and is being taken very seriously by the security community.

What is xz Utils?

xz Utils is a set of command-line interface (CLI) tools used to compress data, commonly into tarballs, on Linux (or GNU/Linux) systems as well as other Unix-based operating systems (OS). xz Utils comes preinstalled on many GNU/Linux distributions, including Red Hat.

How the attack works

Through what NIST describes as “a series of complex obfuscations,” a prebuilt object file is extracted from a test file in xz Utils’ source code. That object file is then used to modify specific functions in the software’s code. The result is that the software can intercept and alter the data passing through it.
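As an added illustration (not code from this post or from the xz project), the following heuristic takes the mechanism just described at face value: it decompresses every compressed test fixture under a source tree and labels any whose content is an object file or a script rather than test data, so a reviewer knows which fixtures to open by hand. The directory layout, fixture names and sample contents are constructed for the example; a payload hidden behind further obfuscation, as in the real attack, would not be caught by this plain check.

```python
"""Heuristic scan of compressed test fixtures for hidden executables (added
example, not xz project code; sample fixtures and names are constructed)."""
import lzma
import os
import tempfile

ELF_MAGIC = b"\x7fELF"


def classify_payload(data: bytes) -> str:
    """Label decompressed content: an object file or script is not test data."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    return "data"


def classify_fixture(path: str) -> str:
    """Decompress one fixture; 'corrupt' is expected in a compressor's tests."""
    try:
        with open(path, "rb") as fh:
            return classify_payload(lzma.decompress(fh.read()))  # .xz or .lzma
    except lzma.LZMAError:
        return "corrupt"


def scan_tree(root: str) -> dict:
    """Map every fixture path under root to its label for manual review."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".xz", ".lzma")):
                path = os.path.join(dirpath, name)
                report[path] = classify_fixture(path)
    return report


def make_sample_tree(root: str) -> None:
    """Constructed fixtures: plain data, a truncated stream, an ELF, a script."""
    elf_like = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 64
    samples = {
        "fixture-a.xz": lzma.compress(b"test data\n" * 64),
        "fixture-b.xz": lzma.compress(b"test data\n" * 64)[:-8],
        "fixture-c.lzma": lzma.compress(elf_like, format=lzma.FORMAT_ALONE),
        "fixture-d.xz": lzma.compress(b"#!/bin/sh\necho hidden stage\n"),
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir; return {basename: label}."""
    root = tempfile.mkdtemp(prefix="xz-fixture-scan-")
    make_sample_tree(root)
    return {os.path.basename(p): lbl for p, lbl in scan_tree(root).items()}
```

Running `run_demo()` labels the four constructed fixtures as data, corrupt, elf and script respectively; point `scan_tree()` at a real source checkout to review its own fixtures.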

Why Does it Matter?

CVE-2024-3094 is notable, perhaps famous, for being at the center of a developing story about an attack that shook the world of UNIX-like systems. What CVE-2024-3094 represents is a backdoor: a hidden access point built into a piece of software, usually planted by an attacker who has gained access to that software’s source code.

This backdoor had an impact, and one that very nearly carried severe security consequences for countless services and providers. The attacker’s goal was to propagate this backdoor into future builds of the Debian and Red Hat distributions, as part of a plan suspected of being concocted by hostile international entities. It was a plan that would have succeeded but for the intervention of circumstance and a lone inquisitive developer.

What is the Story of the XZ Outbreak?

That developer, Andres Freund, was performing some testing on a recent build of a Debian system when he noticed some inconsistencies. A software protocol used for remotely logging into devices over the internet was showing more latency, or processing time, than he expected. Over time, Freund traced the increased latency to a recent update to xz. Those updates were in turn traced to a GitHub user, JiaT75 (assumed name Jia Tan), who had inserted the backdoor into two test files that form part of the source code.

Because the attack was foiled, it is unknown exactly what Jia Tan was attempting with this move, but it is believed that they aimed to execute arbitrary code (perhaps malware) for some unknown purpose. Jia Tan may or may not be a constructed identity, but their influence is real and extends beyond xz Utils to other pieces of open-source software as well. Security experts have published many analyses of who this individual may have been and what they were aiming to accomplish.

Learn More

You can learn more about vulnerabilities from a reputable source, NIST’s National Vulnerability Database (NVD), a registry of publicly disclosed security vulnerabilities in which each entry is categorized, ranked by severity, and explained in detail.

Another source of information about security threats, attacks, and best practices is OWASP’s website, where one may learn extensively about various security threats and even get involved with their activities and participate in learning.
