Half a second and an engineer’s curiosity saved the world from an internet attack with global impact – Computers


While doing some tests, a Microsoft engineer discovered malicious code in software used in most Linux operating system distributions and may have saved the world from a massive problem capable of affecting systems across the entire planet simultaneously.

Andres Freund identified malicious code fragments hidden in two versions of a highly popular open-source data compression tool used in almost all major Linux distributions. The backdoor in xz Utils was identified on March 29th, days before several distributions of the open-source operating system were due to update their production releases to integrate the latest version of the xz Utils library.

How did he arrive at the discovery? Pure curiosity and impatience with a process that was taking longer than expected. How much longer? Half a second. The tests that led to Andres Freund’s discovery were carried out on a beta version of Debian, which performed more slowly than expected when using encrypted connections.

The process started taking 0.8 seconds and consuming more CPU resources than usual, and that was enough for the engineer to realize that something wasn’t right and to want to find out why. And he found out. He identified fragments of malicious code in the utility package that leave a kind of door open (a backdoor) for future attacks on systems that use it, with the potential to affect the entire Linux distribution chain, as it targets a widely used library in that ecosystem.

A more in-depth study of the discovery has already revealed that the malicious code had been injected into this fundamental “piece” of several Linux distributions slowly and discreetly over the last two years.

Open source software is the foundation of almost everything on the internet. Linux systems and their software and libraries, often maintained by independent programmers, are what make the digital world move, especially in the universe of servers and internet infrastructure.

Tools as widely used as xz are often maintained by a small community or even a single person, as was apparently the case here. The utility’s “saboteur” joined the community in 2021. Since then, he has been making apparently valid contributions to several projects, and in 2022 he started working on xz, writes The Guardian. This saboteur identifies himself as Jia Tan in the account he has maintained on GitHub since 2021, which says very little about the true identity of the person behind the profile. It could be an individual, it could be a group serving a state; no one knows yet.

It also remains to be seen what type of attack could result from this, but what is already clear is that the work was done over time to gain the trust of the community, which for the last two years has been dealing with an infiltrator whose purposes no one yet knows.

A first attempt to submit changes to xz Utils was made by Jia Tan in 2022 and, according to a report by Ars Technica, it even gave rise to some debate about the level of involvement of the programmers responsible for the project in that task, and some pressure for it to be accepted. That pressure appears to have come from another new member of the community.

It was in February this year that the same user, Jia Tan, submitted changes to two versions of xz Utils (5.6.0 and 5.6.1), which introduced the backdoor that has since been detected. This vulnerability allows an attacker to connect to machines running those versions of the software via the SSH protocol and bypass the authentication process to take over the system.

As Anjana Rajan, White House assistant for cybersecurity, admitted in statements to Politico, “this is like an insider threat in the open source ecosystem, which we have never seen before”. The often debated weaknesses of an open ecosystem, with software that anyone can see, use, edit or distribute, have also been strengths in the evolution of Linux, which draws on the knowledge of millions of technicians and takes advantage of many eyes to correct errors and failures and make the system evolve.

This time someone who, in the view of many experts, can only have had the support of a state used this mechanism to gain the trust of the community and take advantage of the time constraints of the volunteers advancing Linux.

The problem affects several Linux distributions, such as Fedora Rawhide, Fedora 40 Beta, Kali Linux, openSUSE Tumbleweed, openSUSE MicroOS and the experimental Debian distributions. An immediate remedy for those affected is to downgrade the library to a previous version, although some experts say this is still not a 100% reliable guarantee that the problem will be completely contained.
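A practical first check for the remedy described above, added here as an example and not part of the original article: classify the output of `xz --version` against the two backdoored releases the article names (5.6.0 and 5.6.1). The sample output lines are constructed; the `xz --version` output format and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Flags an installed xz Utils whose
# version is one of the backdoored releases named in the article.

# Extract the version number from `xz --version` output. The assumed
# first line looks like "xz (XZ Utils) 5.6.1"; take its last field.
xz_version_from_output() {
    printf '%s\n' "$1" | head -n 1 | awk '{print $NF}'
}

# Return 0 (true) when the version is 5.6.0 or 5.6.1, 1 otherwise.
# Anything else is treated as "not one of the two named releases", which
# is all this check can say; it is not proof that a build is clean.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Query the live system. Returns 0 if affected, 1 if not, 2 if xz is absent.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 2; }
    v=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_is_affected "$v"; then
        echo "AFFECTED: xz Utils $v; downgrade the library to an earlier release"
        return 0
    fi
    echo "xz Utils $v is not one of the affected releases (5.6.0, 5.6.1)"
    return 1
}

# Constructed sample output, as a distribution shipping 5.6.1 would print it.
sample=$(printf 'xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n')
xz_version_is_affected "$(xz_version_from_output "$sample")" \
    && echo "sample: affected" || echo "sample: not affected"
```

Run `check_installed_xz` on a host to get the verdict for the installed package; as the article notes, a version downgrade alone is not a complete guarantee of containment.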

Still, the fact that this backdoor was discovered before the affected version of xz Utils was added to production versions of Linux means that it “has not affected anyone in real life”, Will Dormann, senior analyst at Analygence, told Ars Technica. The same analyst acknowledges, however, that if the flaw had not been discovered at this stage, it could have had “catastrophic effects for the world”.

The article is in Portuguese
