Are you a Linux user? If so, take note of a security issue that touches many of the most popular Linux distros, including Arch, Debian, Fedora, and others.
The XZ Utils backdoor is a serious issue that could have affected millions of Linux systems. Here is what it is and how to check whether your machine is exposed.

What Is the XZ Utils Backdoor?
XZ Utils is an open-source compression suite (the xz command-line tools plus the liblzma library) that is deployed on almost every Linux system, filling much the same role ZIP does elsewhere. Before the backdoor came to light, it enjoyed a good reputation in the Linux community for its compression ratio and efficiency.
The backdoor in XZ has attracted a lot of attention because of the tool's ubiquity and because of how the attacker managed to infiltrate the open-source ecosystem.

The backdoor attack appears to be a case of an attacker playing a long game, taking years to pull it off. The attacker, who used the name "Jia Tan" but whose actual identity is unknown, approached XZ's original developer, Lasse Collin, whose release schedule was running behind. Collin, citing mental health issues, eventually ceded maintainership to the attacker after apparent pressure from a possible accomplice, according to Rob Mensching.
The suspected attacker then inserted a backdoor into liblzma that hooks into SSH, which is widely used on Linux systems for remote access. The malicious code was hidden in test files and build scripts that shipped only in the release tarballs, not in the visible source tree, which is part of why it escaped review. It might have gone unnoticed had Microsoft developer Andres Freund not noticed that sshd was performing worse than it should have. The problem was traced to XZ Utils versions 5.6.0 and 5.6.1, and is tracked as CVE-2024-3094.

The backdoor hooks sshd's RSA key-checking code so that an attacker holding a specific private key can execute commands on the machine before authentication completes. Given how widely both XZ and SSH are deployed, this could have enabled a large-scale attack. After the XZ backdoor was discovered, GitHub suspended the project's repository and its maintainers' accounts, and the project's home page also went offline.
The attacker's apparent success at covering their tracks and the sophistication of assuming the role of an open-source developer have led to speculation among security researchers that the backdoor may have been the work of a nation-state such as Russia or China, though there appears to be no hard evidence as yet, according to Wired.
Which Linux Distros Are Affected by the XZ Utils Backdoor?
The XZ backdoor was aimed at Red Hat and Debian/Ubuntu-style distributions, as these are the most widely deployed in enterprises: the malicious build script only activated when liblzma was being built as an RPM or Debian package on x86-64 Linux. However, the distros that actually shipped the poisoned versions were those that track newer software, such as Arch Linux, Gentoo, Fedora (Rawhide and the 40 beta), openSUSE Tumbleweed, and the Testing and Unstable branches of Debian.
Since enterprise deployments of Linux tend to favor stable distros, they appear not to be affected. Debian said that its Stable release, the one offered for download from its website by default, never shipped the affected versions. Red Hat Enterprise Linux and Ubuntu's released versions also appear to be unaffected. Note that the backdoor only reached sshd on systems where OpenSSH is patched to link against libsystemd (which in turn pulls in liblzma); upstream OpenSSH does not load liblzma at all.
How to Protect Your Linux Machine From the XZ Utils Backdoor
The best way to protect yourself in the short term, no matter what distro you use, is to keep it updated through your package manager's update utility. When the XZ backdoor was discovered, Linux distros acted quickly, pushing out updates that downgraded XZ Utils to a clean version or rebuilt it from a verified source. Bleeding-edge distros like Arch also urged their users to update as soon as possible. You can confirm what you have installed by running `xz --version` and checking that it does not report 5.6.0 or 5.6.1, and you can see whether your sshd loads liblzma at all with `ldd $(command -v sshd) | grep liblzma`.
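The two checks above, combined into one script. This is an added example, not code from the article or from the XZ Utils or distro projects; it assumes only a POSIX shell, `xz`, `ldd` and `sed`, and treats 5.6.0 and 5.6.1 as the only affected upstream versions. The sshd paths it probes (/usr/sbin/sshd, /usr/bin/sshd, or whatever is on PATH) are assumptions about where your distro installs the daemon.

```shell
#!/bin/sh
# Added example (not from the article): report whether this host runs one of the
# backdoored XZ Utils releases and whether its sshd binary pulls in liblzma.

# Return 0 (true) if VERSION is one of the two known-bad upstream releases.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version number from `xz --version` output. The first line looks
# like "xz (XZ Utils) 5.6.1"; distro builds may append a suffix such as
# "-1ubuntu1", so only the leading dotted digits are kept.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 if the sshd binary at $1 has liblzma among its dynamic dependencies
# (directly or transitively, e.g. via libsystemd). That load path is what the
# backdoor depended on; an sshd that never maps liblzma is not exposed to it.
sshd_links_liblzma() {
    [ -x "$1" ] && command -v ldd >/dev/null 2>&1 || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

main() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed; nothing to check"
        return 0
    fi
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if is_affected_version "$ver"; then
        echo "WARNING: XZ Utils $ver is a backdoored release; update or downgrade now"
    else
        echo "XZ Utils $ver is not one of the backdoored releases"
    fi

    # Assumed install locations; adjust for your distro if sshd lives elsewhere.
    for sshd in /usr/sbin/sshd /usr/bin/sshd "$(command -v sshd 2>/dev/null)"; do
        [ -n "$sshd" ] && [ -x "$sshd" ] || continue
        if sshd_links_liblzma "$sshd"; then
            echo "NOTE: $sshd loads liblzma (likely via libsystemd); this is the path the backdoor used"
        else
            echo "$sshd does not load liblzma"
        fi
        break
    done
}

main "$@"
```

A clean version number is necessary but not sufficient: a distro that rebuilt 5.6.1 from a verified git tree may legitimately still report that number, so prefer your package manager's advisory over the bare version string when they disagree.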
The attack raises unsettling questions about the management of open-source projects. Like many other open-source projects, XZ Utils is a widely used piece of software that was maintained by a single unpaid developer. A similar under-resourcing problem lay behind the Heartbleed bug that affected OpenSSL in 2014.
Projects like this are a component of almost all Linux distributions, and such open-source projects are also common in commercial software. If you check the “About” sections of many common software programs, like Spotify or Google Chrome, you’ll find that they also use many open-source components under the hood. XZ Utils is included in Chrome.
Developers use these tools because they make their jobs much easier since they don’t have to write every part of a program from scratch.
Going forward, users and companies are going to have to reevaluate their relationships with the open-source software they rely on. This could range from greater vetting of open-source contributors to finding ways to compensate maintainers, as Rob Mensching suggests, so they do not burn out.
It seems almost certain that there will be more scrutiny of open-source development in the wake of this attack.