How a volunteer stopped a backdoor from exposing Linux systems worldwide

Linux, the most widely used open source operating system in the world, narrowly escaped a massive cyberattack over Easter weekend thanks to a volunteer.

The backdoor was inserted into a recent release of XZ Utils, a compression tool little known outside the Linux world but shipped in almost every Linux distribution to compress large files so they can be transferred more easily. Had it spread more widely, countless systems could have been put at risk for years.

As Ars Technica's detailed recap notes, the culprit had been working on the project in the open.

The backdoor planted in Linux's remote login path (SSH) responds only to a single key held by its author, so it would stay hidden from scans of publicly reachable machines. As Ben Thompson writes in Stratechery, “Most of the world's computers would be unsecured and no one would know.”

The story of the discovery begins with Andres Freund's warning of an “SSH server compromise.”

Freund, who volunteers as a “maintainer” for PostgreSQL, an open source database, had noticed some strange things over the preceding weeks while running tests. SSH logins that pulled in liblzma, part of the XZ compression library, were using a ton of CPU, and none of the performance tools he tried could explain it, Freund wrote on Mastodon. That made him suspicious, and he remembered a “weird complaint” from a Postgres user a few weeks earlier about valgrind, the Linux program that checks for memory errors.

After some digging, Freund finally figured out what was wrong. “The upstream xz repository and the xz tarballs have been backdoored,” Freund wrote in his email. The malicious code was in versions 5.6.0 and 5.6.1 of the xz tools and libraries.

Shortly afterward, enterprise open source software company Red Hat sent an emergency security alert to users of Fedora Rawhide and Fedora Linux 40. The company concluded that the beta of Fedora Linux 40 contained the two affected versions of the xz libraries, and that Fedora Rawhide instances likely also received versions 5.6.0 or 5.6.1. Its advice was blunt:

Please immediately stop using any Fedora Rawhide instances for work or personal activity. Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that happens, Fedora Rawhide instances can be safely redeployed.

Although pre-release versions of Debian, the free Linux distribution, also included compromised packages, its security team moved quickly to revert them. “No Debian stable versions are known to be affected at this time,” wrote Debian's Salvatore Bonaccorso in a security alert to users on Friday evening.
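The check a practitioner wants at this point, added here as an example that is not from the article, Red Hat or Debian: a small POSIX shell script that flags an installed xz/liblzma whose version is one of the two backdoored releases, and reports whether sshd loads liblzma at all, since that library is where the backdoor lived. It assumes the affected releases are exactly 5.6.0 and 5.6.1, as the article states, and treats any other version string as not affected by this specific backdoor only (a distribution's patched package may carry a different version string, so this is a first pass, not proof of safety). When xz is not installed it falls back to constructed sample output so the script still runs.

```shell
#!/bin/sh
# Added example, not from the article or any distribution advisory.
# Assumption: the backdoored xz releases are exactly 5.6.0 and 5.6.1,
# as the story states. Other versions are reported as "not one of the
# backdoored releases" for this particular backdoor only.

# Exit 0 if a bare version string names one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the tool version from the first line of `xz --version` output,
# which looks like "xz (XZ Utils) 5.6.1". The output text is passed as $1.
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR==1 {print $NF}'
}

# Pull the library version from the "liblzma 5.6.1" line. sshd loads the
# library, not the xz binary, and the two can differ on a patched system.
liblzma_version_from_output() {
    printf '%s\n' "$1" | awk '/^liblzma/ {print $2; exit}'
}

# Constructed sample transcript, standing in for a real `xz --version` run.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Print a verdict for one transcript; exit 1 if either version is affected.
report_versions() {
    tool=$(xz_version_from_output "$1")
    lib=$(liblzma_version_from_output "$1")
    status=0
    for v in "xz $tool" "liblzma $lib"; do
        if xz_version_affected "${v#* }"; then
            echo "$v: AFFECTED (backdoored release)"
            status=1
        else
            echo "$v: not one of the backdoored releases"
        fi
    done
    return $status
}

# Exit 0 if sshd dynamically loads liblzma (directly or through another
# library), 1 if it does not, 2 if no sshd binary can be found.
sshd_loads_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || sshd_path=/usr/sbin/sshd
    [ -x "$sshd_path" ] || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

main() {
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null)
    else
        echo "xz not installed here; using the constructed sample output" >&2
        out=$SAMPLE_OUTPUT
    fi
    report_versions "$out" || echo "Action: revert to xz 5.4.x and restart sshd" >&2

    sshd_loads_liblzma && rc=0 || rc=$?
    case $rc in
        0) echo "sshd loads liblzma: reachable by a backdoor in that library" ;;
        2) echo "no sshd binary found; skipping the linkage check" ;;
        *) echo "sshd does not load liblzma" ;;
    esac
}

main
```

Run it as an unprivileged user on each host; the version check needs nothing more, and the ldd step only needs read access to the sshd binary. The version functions take the transcript as an argument rather than calling xz themselves, so the same logic can be pointed at output collected from many machines.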

Freund later identified the person who submitted the malicious code as one of the two main XZ Utils developers, known as JiaT75 or Jia Tan. “Given several weeks of activity, the committer is either directly involved or has had some serious compromise of their systems. Unfortunately the latter looks like the less likely explanation, as they have communicated on various lists about the ‘improvements’ mentioned above,” Freund wrote in his analysis, after linking to several fixes made by JiaT75.

JiaT75 was a familiar name: he had worked for some time alongside Lasse Collin, the original developer of the .xz file format. As programmer Russ Cox noted in his timeline, JiaT75 started by sending an apparently legitimate patch to the xz mailing list in October 2021.

Other parts of the scheme came to light a few months later, when two other identities, Jigar Kumar and Dennis Ens, began emailing Collin with complaints about bugs and the slow pace of the project. However, as Evan Boehs and others have reported, “Kumar” and “Ens” were never seen outside the xz community, leading investigators to believe both were fake personas that existed only to help Jia Tan into a position from which the backdoored code could be distributed.

An email from “Jigar Kumar” pressuring the developer of XZ Utils to give up control of the project.
Image: Screenshot from The Mail archive

“I'm sorry about your mental health issues, but it's important to be aware of your boundaries. I think this is a hobby project for all contributors, but the community wants more,” Ens wrote in one message, while Kumar said in another that “no progress will be made unless there is a new maintainer.”

Amid this back-and-forth, Collin wrote that “I have not lost interest, but my ability to care is largely limited, mostly because of long-term mental health problems, but also because of a few other things,” and suggested that Jia Tan take on a bigger role. “It's also good to keep in mind that this is an unpaid hobby project,” he concluded. Emails from “Kumar” and “Ens” continued until Tan was added as a maintainer later that year, which gave him the authority to make changes directly and to try to get the backdoored package into Linux distributions.

The XZ backdoor incident and its fallout are an example of both the beauty of open source and a glaring vulnerability in the internet's infrastructure.

A developer behind FFmpeg, a popular open source media package, shed light on the problem in a tweet, saying, “The xz fiasco has shown how reliance on unpaid volunteers can create big problems. Trillion-dollar corporations expect free and immediate assistance from volunteers.” They then brought receipts, detailing how they had dealt with a “high priority” bug affecting Microsoft Teams.

Despite Microsoft's reliance on its software, the developer writes, “After politely requesting a support contract from Microsoft for long-term maintenance, they offered a one-time payment of a few thousand dollars instead… Investment in maintenance and stability is unglamorous, and probably won't get a middle manager their promotion, but it pays off a thousandfold over several years.”

Details of who is behind “JiaT75,” how they executed their plan, and the extent of the damage are being investigated by an army of developers and cybersecurity professionals on social media and online forums. But that work is happening without direct financial support from many of the companies and organizations that benefit from being able to use secure software.
