Attackers Almost Backdoored Most Linux OSes Worldwide with Supply Chain Attack that Took Years to Set Up

Seemingly unknown attackers have orchestrated a supply chain attack on a ubiquitous Linux library that would have given them backdoor access to most Linux systems worldwide.

Linux rules the world, especially in the server space. It's also the backbone of the Internet, so it's easy to see why attackers would want to compromise the operating system. As an open-source project, Linux is built out of numerous independent libraries and software, each maintained by independent developers.

In fact, many of the most-used libraries in Linux have only a handful of developers working on each one. In some situations, only one person maintains critical libraries, and the same is true for XZ Utils, a data-compression utility in most Linux systems worldwide.

Compromising a single library maintained by a single person is difficult, which is why it took years. The short version is that someone named Jia Tan (unknown if it's a person or a group) created a GitHub account in 2021 and started by submitting a small change to another open-source project, libarchive. As a side note, the change made in 2021 to libarchive is now also being investigated because its true purpose might have been malicious as well.

A year later, in 2022, Jia Tan submitted a change to XZ Utils, and it even sparked a discussion with another unknown person (likely in cahoots with the attacker) about the lack of involvement of the original library developer and maintainers. According to an Arstechnica report, other people in the community, who were also apparently new to the discussion, pressured the XZ Utils developers to let Jia Tan help out.

This leads us to February 2024, when Jia Tan submitted patches for XZ Utils two versions, 5.6.0 and 5.6.1, which actually introduced a backdoor. The attackers could connect via the SSH protocol into a machine and skip the authentication process, giving them full access.

Even worse, the backdoor was only accidentally discovered by another developer, Andres Freund, who was investigating a problem with his Debian installation.

"After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of debian's package, but it turns out to be upstream," said Freund in a mailing list.

As it turns out, several Linux distributions have been affected by the malicious library, including Fedora Rawhide, Fedora 40 Beta, Kali Linux, openSUSE Tumbleweed, openSUSE MicroOS and Debian (testing, unstable and experimental distributions). The immediate solution was to downgrade to an older version of the library. It will take a long time to determine if the backdoor has compromised various OS installations worldwide.