ai textbook. cases & issues

xz backdoor: software vulnerability development and discovery

NB! Technically, the XZ backdoor is not an “AI case”. However, the case highlights human aspects of software systems that remain relevant in any other software development context, including AI.

quick overview of the case

On 29 March 2024, a developer announced on the OSS Security mailing list the discovery of a malicious backdoor in XZ Utils. Further inquiry showed that the vulnerability had been systematically and covertly introduced as the result of two to three years of social engineering by one or more persons or accounts. Over that time, the maintainer of XZ was approached by a persona, “Jia Tan”, who worked to gain trust by making benign contributions and then became co-maintainer of XZ. From January 2024, “Jia Tan” introduced the malicious changes that contained the backdoor. The backdoor code was hidden so that it was not apparent in the publicly available source repository (kept on GitHub); instead, the malicious code was covertly loaded and executed from files presented as test data.

lcamtuf 2024. ‘Techies vs Spies: The Xz Backdoor Debate’. Substack newsletter. Lcamtuf’s Thing. 30 March 2024. https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor.

Quote: “More fundamentally, the xz backdoor isn’t a technical problem and it probably can’t be solved with technology alone. To a large extent, it’s a counterintelligence challenge…”

timeline of discovery

29 March 2024, Good Friday

Security implications: the backdoored release had not (yet) shipped in the stable releases of major systems (Linux distributions), but was already present in some beta/testing versions.
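A quick host-exposure check in the spirit of the advice circulating at the time, added here as an example (not code from the page or from the XZ project): it flags the two releases the timeline below names as malicious, 5.6.0 and 5.6.1, and reports whether the local sshd is dynamically linked against liblzma. The `xz --version` and `ldd` output parsing assumes the usual GNU/Linux layout.

```shell
#!/bin/sh
# Added defensive check, not part of the original page.
# Assumptions: `xz --version` prints "xz (XZ Utils) <version>" on its first
# line and `ldd` lists shared objects as "<name> => <path>".

# Returns 0 if the version string is one of the backdoored XZ Utils releases.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version number from `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if not found.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 if an ldd listing shows liblzma mapped into the binary.
ldd_output_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Live check on this host: prints a verdict and returns 0 only when a
# backdoored release is installed AND sshd loads liblzma (the exposed case).
check_host() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    linked=no
    if [ -x "$sshd_bin" ] && ldd_output_links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
        linked=yes
    fi
    if xz_version_is_backdoored "$ver"; then
        echo "XZ Utils $ver is a backdoored release; sshd links liblzma: $linked"
        [ "$linked" = yes ] && return 0
    else
        echo "XZ Utils version '${ver:-unknown}' is not 5.6.0/5.6.1; sshd links liblzma: $linked"
    fi
    return 1
}

# Run the live check only when invoked with --run, so the functions can be sourced.
[ "${1:-}" = "--run" ] && check_host
```

A version match alone does not prove a host was exploitable; the backdoor only matters where sshd actually loads the tampered liblzma, which is why the linking check is reported alongside the version.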

30 March 2024

“xz/liblzma: Bash-stage Obfuscation Explained”, an initial technical overview of the backdoor’s functions by Gynvael Coldwind

TechHara. ‘Possible Backdoor on Your System— Check Your Xz Version Immediately’. Medium (blog). 30 March 2024. https://medium.com/@techhara/possible-backdoor-on-your-system-check-your-xz-version-immediately-6d91b0b8f17c.

April 2024

Hern, Alex. ‘TechScape: How One Man Stopped a Potentially Massive Cyber-Attack – by Accident’. The Guardian, 2 April 2024, sec. Global. https://www.theguardian.com/global/2024/apr/02/techscape-linux-cyber-attack.

The Economist. ‘A Stealth Attack Came Close to Compromising the World’s Computers’, 2 April 2024. https://www.economist.com/science-and-technology/2024/04/02/a-stealth-attack-came-close-to-compromising-the-worlds-computers.

Greenberg, Andy. ‘The Mystery of “Jia Tan,” the XZ Backdoor Mastermind’. Wired, 3 April 2024. https://www.wired.com/story/jia-tan-xz-backdoor/.

12 April 2024

Initial analysis by Kaspersky

vocabulary

backdoor

In infosec parlance, a backdoor is a covert mechanism in software that allows bypassing normal authentication and/or encryption methods (username, password, etc.).

Read about backdoor in Wikipedia »

dependency

XKCD illustration of dependency

threat and social engineering timeline

29 Oct 2021

The actor “Jia Tan” appears and makes an innocent, helpful contribution (a “patch”) to the xz project. (See e-mail message in xz mailinglist.)

19 May - 29 Jun 2022

Various personas appear in the xz mailing list and complain about the maintenance of the XZ project (slow update schedule, etc.). On 7 Jun 2022, a “Jigar Kumar” presses for a new maintainer, using emotional blackmail: “Submitting patches here has no purpose these days. The current maintainer lost interest or doesn’t care to maintain anymore. It is sad to see for a repo like this.” The maintainer (Lasse Collin) replies to this on 8 Jun and also mentions that “Jia Tan” has been helping. A week later, on 14 Jun 2022, “Jigar Kumar” replies with more emotional blackmail, aimed at speeding up the maintainer change: “You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo. Why wait until 5.4.0 to change maintainer? Why delay what your repo needs?” On 21 Jun 2022, a “Dennis Ens” repeats the suggestion of a maintainer change. On 29 Jun 2022, Lasse concedes that finding a co-maintainer is a possibility and that it could be the “Jia Tan” persona.

2024

19 Jan - the JiaT75 GitHub account takes over maintenance of the XZ website

23 Feb - the malicious script is added as test files

24 Feb - new version (XZ 5.6.0) released

9 Mar - another new version (XZ 5.6.1) released, containing additional malicious code

28 Mar 2024: “bug is discovered, Debian and RedHat notified” (according to Kaspersky analysis)

29 Mar: notification of backdoor in OSS Security mailing list