‘XZ Utils’ Open-Source Software Threat Prompts Concern

Andres Freund, a software engineer with Microsoft, discovered a backdoor inserted into two versions of the XZ Utils data compression software, which is used in a variety of Linux distributions. Although the vulnerability (CVE-2024-3094) was caught early, it has sparked a conversation about open-source software’s role in the supply chain and potential risk.

How was this backdoor inserted, and how can it get enterprise security leaders to think about the way their organizations rely on open-source software?

A Social Engineering Campaign

The malicious code compromises versions 5.6.0 and 5.6.1 libraries, according to open-source software company Red Hat. The code, only included in the tarball download package, “… could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely,” according to a Red Hat blog.

This supply chain compromise was the result of a carefully executed social engineering attack. Jia Tan (JiaT75), the main actor involved, created a GitHub account in 2021. Over the next two years, the actor made themselves a useful member of the open-source community.

Lasse Collin, the original maintainer of the open-source project, began to receive criticism regarding slow updates. Jia Tan was ready to step into a maintainer role, opening the door to injecting the malicious code. It is uncertain if the users behind the complaints were collaborating with Jia Tan, Wired reports.

Related:‘Who You Gonna Call?’ OSS Security Stakeholders Urged to ‘Cross Streams’

This long-term campaign was likely the work of more than one person, potentially an APT group. “The attack itself represents coordinated social engineering and technical sophistication. Not only did the attackers work on obtaining access for about two years, but they also made an effort to develop test code that was useful for the project,” Kevin Reed, CISO of Acronis, a cybersecurity and data protection company, tells InformationWeek in an email interview. “The backdoor is outstanding from the software engineering perspective. It consists of multiple stages and clearly required significant effort to develop.”

A Potential Disaster Averted

While this XZ Utils compromise has set off alarm bells throughout the security community, the impact could have been much worse. “I don’t think that there’s much to be concerned because this particular backdoor didn’t make it into main line distributions. It was caught early on,” explains Mehran Farimani, CEO of RapidFort, a vulnerability management company.

But this incident does serve as a warning. What would happen if a backdoor like this went unnoticed for longer?

Related:Recent Ivanti Vulnerabilities: 4 Lessons Security Leaders Can Learn

This backdoor would allow threat actors unauthorized access to impacted systems and give them remote code execution capabilities. The “malicious library was executing inside the OpenSSH server process,” according to Reed.

“OpenSSH is ubiquitous on Linux of all kinds, from HPC to cloud servers to even IoT devices. I just did a quick Shodan search and over 19 million OpenSSH servers were discovered online (compare it to just 3 million RDP servers),” he explains.

A vulnerability like this, one that impacts a widely used open-source software, has the potential for a widespread ripple effect.

“There are systems built up on the open-source software and these systems … support other systems and the vendors and so on and so forth. So, we see a rippling effect when something goes wrong on these open-source software systems,” says Ferhat Dikbiyik, PhD, chief research and intelligence officer at cyber intelligence company Black Kite.

Responding to the Risk

The Cybersecurity and Infrastructure Security Agency (CISA) recommends potentially impacted users to downgrade their organizations’ XZ Utils and to search for any evidence of malicious activity within their environments. Binarly, a firmware security company, released a free XZ backdoor scanner.

Related:Enterprise Security Gets Personal: Enter the Human Firewall

Security teams may be able to breathe a sigh of relief, but that doesn’t mean that this type of incident could not play out differently in the future.

“Use this as a tabletop exercise,” Nate Warfield, director of threat research and intelligence at Eclypsium, a zero-trust supply chain risk management company, suggests. “Use this dodged bullet to … prepare your teams for what it may look like the next time.”

The Future of Open-Source

Does this supply chain compromise mean enterprise security should be reconsidering the use of open-source software?

“I think it would be silly to say, ‘Hey, we’re just not going to use open source,’ because the impact would be huge to any organization. Open source has been instrumental in sort of moving the entire software industry forward at a much faster pace,” argues Farimani.

This incident, while alarming, is not necessarily unique to open-source software. “This is something that is no different than if you had a malicious insider at a major tech company,” says Warfield.

Dependence on third-party software, open-source or otherwise, is a necessity for more enterprises. And that means recognizing and managing that risk is a necessity, too. Understanding what is running in an enterprise’s environment is essential, although that issue becomes increasingly complex in large environments.

But there are tools, such as vulnerability scanners, available to help enterprise security teams understand what software is being used in their environments and what potential risks they pose. Dikbiyik also stresses the importance of risk intelligence tools.

“Tools are available and they are becoming a lot more sophisticated and capable in the market,” says Farimani. “The industry has to respond and adopt those tools a little quicker than they’re doing,”

If reliance on open-source software is to remain essential for enterprises, should businesses play a more proactive part in reducing risk?

“A lot of these projects are maintained by maybe one or two people. They might have an actual full-time day job. They have to pay the bills,” explains Warfield. “Large companies are very happy to take and use open-source and build products that run on top of open-source, but they’re not doing a good job of contributing back to it.”