Malicious Backdoor Found in Linux Compression Tool


Malicious Backdoor Discovered in Widely Used Linux Distributions

Researchers recently uncovered a malicious backdoor in a compression tool that managed to infiltrate several popular Linux distributions, including those developed by Red Hat and Debian. The compromised compression utility, known as xz Utils, incorporated the malicious code within versions 5.6.0 and 5.6.1, as reported by Andres Freund, the developer who first detected the issue. While there have been no reported instances of these versions appearing in major Linux distributions’ production releases, both Red Hat and Debian acknowledged that recently published beta versions utilized at least one of the compromised versions in Fedora Rawhide and Debian’s testing, unstable, and experimental distributions. Although the stable release of Arch Linux is also impacted, it is important to note that it is not commonly utilized in production systems.

Despite the discovery of the backdoor before the tainted versions of xz Utils were incorporated into operational Linux distributions, Will Dormann, a senior vulnerability analyst at Analygence, emphasized the potential severity of the issue had it not been detected promptly. Dormann highlighted that had the malicious code gone unnoticed, the consequences could have been catastrophic.

The Impact on the macOS Homebrew Package Manager

Additionally, several individuals, including two Ars readers, noted that various apps integrated into the Homebrew package manager for macOS depended on the compromised 5.6.1 version of xz Utils. Homebrew has since reverted to version 5.4.6 to mitigate any potential risk posed by the backdoor.

Compromising SSH Authentication

The introduction of the malicious backdoor traces back to an update on February 23 that added obfuscated code, as outlined by Red Hat officials in correspondence. An update the following day added a malicious install script that injected itself into the functions used by sshd, the binary that provides Secure Shell (SSH) service. Notably, the malicious code was present only in the tarballs of the archived xz Utils releases, not in the Git source accessible through the repositories. However, the Git versions contained secondary artifacts that enabled the code injection during the build process. The injected obfuscated code, together with the artifacts in the Git version, is what made the backdoor operational.

JiaT75, one of the primary xz Utils developers with an extensive history of contributions to the project, submitted the malicious changes. Freund noted a pattern of sustained activity over several weeks, suggesting direct involvement of the committer or a severe breach of their system.

On another front, an individual purporting to be the developer in question requested that the compromised version 5.6.1 be integrated into production versions, citing bug fixes related to the functionality of Valgrind. This appeal was made through an account created on the same day on a developer platform for Ubuntu. As this situation unravelled, it was revealed that the same developer reached out to Fedora maintainers, seeking the incorporation of the compromised utility versions into Fedora 40’s beta release. The maintainer for Ubuntu expressed skepticism given the sophistication displayed and the individual’s extended involvement with the xz project.

Consequences and Recommendations

The backdoor within the malicious versions deliberately undermines the authentication mechanisms established by SSH, a widely used protocol for remote system connectivity. By exploiting this backdoor, malicious actors could compromise the authentication process and illicitly access the entire system. The injected code operates at a critical juncture in the login process, potentially paving the way for unauthorized access or remote code execution. While in some cases the backdoor failed to function as intended, vigilance remains paramount.

It is imperative that Linux users verify with their respective distributors whether their systems are vulnerable to this security flaw. Freund shared a script to help users assess the vulnerability of their SSH systems, underscoring the necessity of proactive measures to mitigate potential risks.
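An added example (this is not the script Freund published) of the kind of check the recommendation above calls for: it parses the output of `xz --version`, flags the two release numbers the article names (5.6.0 and 5.6.1), and reports whether the local sshd's shared-library dependencies include liblzma. The path `/usr/sbin/sshd` is a fallback assumption for when sshd is not on `PATH`.

```shell
#!/bin/sh
# Added example (not Freund's script): flag the xz Utils versions the article names.
# Exit 0 when the version string is one of the two known-bad releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the "xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z" numbers out of the text
# printed by `xz --version`; prints "xzver libver" on one line.
parse_xz_version_output() {
    xzver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    libver=$(printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    printf '%s %s\n' "${xzver:-unknown}" "${libver:-unknown}"
}

# Exit 0 if sshd's dependencies (per ldd, which runs the loader: trusted binaries only) include liblzma.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)  # fallback path is an assumption
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

# Host check: exit 1 if an affected xz or liblzma version is installed.
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found; nothing to check"
        return 0
    fi
    set -- $(parse_xz_version_output "$(xz --version 2>&1)")
    echo "xz: $1  liblzma: $2"
    status=0
    for v in "$1" "$2"; do
        if xz_version_affected "$v"; then
            echo "AFFECTED: $v is one of the backdoored releases"
            status=1
        fi
    done
    if sshd_links_liblzma; then
        echo "note: sshd loads liblzma, the path the injected code used"
    fi
    return $status
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh check_xz.sh --check`; a non-zero exit means one of the named versions is installed and the distribution's advisory should be consulted.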


About Post Author

Chris Jones

Hey there! 👋 I'm Chris, 34 yo from Toronto (CA), I'm a journalist with a PhD in journalism and mass communication. For 5 years, I worked for some local publications as an envoy and reporter. Today, I work as 'content publisher' for InformOverload. 📰🌐 Passionate about global news, I cover a wide range of topics including technology, business, healthcare, sports, finance, and more. If you want to know more or interact with me, visit my social channels, or send me a message.