Backdoor found in widely used Linux utility breaks encrypted SSH connections



Researchers have found a malicious backdoor in a compression tool that has made its way into widely used Linux distributions, including Red Hat and Debian.

The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being included in any production releases of major Linux distributions, but both Red Hat and Debian reported that at least one recently published beta release used one of the backdoored versions, specifically Fedora 40 and Fedora Rawhide, and Debian's testing, unstable and experimental distributions. The stable release of Arch Linux is also affected, although that distribution is not used in production systems.

Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it's not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “But that was only because it was detected early due to bad actor negligence. If it had not been discovered, it would have been disastrous for the world.”

Several people, including two Ars readers, reported that several apps included in the Homebrew package manager for macOS depend on the backdoored 5.6.1 version of xz Utils. Homebrew has now reverted the utility to version 5.4.6. Maintainers have more details available here.

Breaking SSH authentication

Red Hat officials said in an email that the first hints of the backdoor were introduced in a Feb. 23 update that added obfuscation code. An update the next day included a malicious install script that injected itself into the functions used by sshd, the binary that makes SSH work. The malicious code resides only in the archived release, known as a tarball, which is then released upstream. The so-called Git code available in the repository is not affected, although it contains second-stage artifacts that allow the injection to occur at build time. Those artifacts in the Git version allow the backdoor to operate only if the obfuscated code introduced on February 23 is present.

The malicious changes were introduced by JiaT75, one of the two main xz Utils developers, with years of contributions to the project.

“Given several weeks of activity, the committer is either directly involved or has had some serious compromise of their systems,” an official at distributor Openwall wrote in an advisory. “Unfortunately the latter looks like the less likely explanation, as they have communicated on various lists about the 'fix' provided in a recent update.” Those updates and improvements can be found here, here, here and here.

On Thursday, someone using the developer's name went to a developer site for Ubuntu to ask that the backdoored version 5.6.1 be included in production versions because it fixed bugs that caused a tool called Valgrind to malfunction.

“This may break build scripts and test pipelines that expect specific output from valgrind to pass,” warned the person, posting from an account created the same day.

One of Fedora's maintainers said Friday that the same developer had contacted them in recent weeks asking that Fedora 40, a beta release, include one of the backdoored utility versions.

“We also worked with him to fix the Valgrind issue (which it now turns out was caused by the backdoor he added),” the Ubuntu maintainer said.

“He has been part of the xz project for two years, adding all kinds of binary test files, and with this level of sophistication, we would suspect even older versions of xz until proven otherwise.”

xz Utils maintainers did not immediately respond to an email asking questions.

The researchers said the malicious versions deliberately interfere with authentication performed by SSH, a commonly used protocol for connecting to systems remotely. SSH provides strong encryption to ensure that only authorized parties connect to remote systems. The backdoor is designed to allow a malicious actor to break that authentication and, from there, gain unauthorized access to the entire system. It works by injecting code during a critical step of the login process.

“I have not yet analyzed exactly what checks are being done in the injected code to allow unauthorized access,” Freund wrote. “Since it is running in a pre-authentication context, it seems like it could allow some type of access or other types of remote code execution.”

In some cases, the backdoor has been unable to function as expected. For example, incompatibilities in the build environment on Fedora 40 prevent the injection from occurring correctly. Fedora 40 has now reverted to the 5.4.x versions of xz Utils.

xz Utils is available for most if not all Linux distributions, but not all of them include it by default. Anyone using Linux should check with their distributor immediately to determine whether their system is affected. Freund has provided a script for detecting whether an SSH system is vulnerable.
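The following is an added triage script, written for this page and not Freund's detection script or anything from the xz or Ars articles. It checks the two facts the article gives a defender to act on: whether the installed xz Utils is one of the two backdoored releases (5.6.0 or 5.6.1), and whether the local sshd binary links liblzma, the library xz Utils provides and the path through which the injected code reaches sshd (assumed here; on many distributions that link comes via libsystemd). It assumes `xz --version` prints `xz (XZ Utils) X.Y.Z` on its first line and that `ldd` is available.

```shell
#!/bin/sh
# Added example (not from the article or the xz project): quick defender-side
# triage for the xz Utils 5.6.0 / 5.6.1 backdoor. It reports; it does not fix.
# Assumptions: "xz --version" prints "xz (XZ Utils) X.Y.Z" on line one, and an
# affected sshd shows liblzma in its "ldd" output.

# Return 0 (true) when the given version string is one of the two backdoored releases.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract "X.Y.Z" from a line such as "xz (XZ Utils) 5.6.1"; prints nothing on mismatch.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when the sshd binary on this host links liblzma.
sshd_links_liblzma() {
    sshd_path="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Live check of the running system. Exit status: 0 not affected, 2 backdoored release found.
check_system() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed: not affected by this backdoor"
        return 0
    fi
    ver="$(parse_xz_version "$(xz --version 2>/dev/null | head -n 1)")"
    if [ -z "$ver" ]; then
        echo "could not parse xz version; check 'xz --version' by hand"
        return 0
    fi
    if xz_version_is_backdoored "$ver"; then
        echo "xz $ver is a backdoored release: downgrade to 5.4.x through your distribution"
        if sshd_links_liblzma; then
            echo "sshd links liblzma: treat this host as compromised until investigated"
        fi
        return 2
    fi
    echo "xz $ver: not one of the backdoored releases"
    return 0
}

# Run the live check when executed; the status is informational, so do not abort on it.
status=0
check_system || status=$?
```

Run it as `sh xz-triage.sh` on each host; a non-zero status from `check_system` is a signal to pull the distribution's fixed package and, if sshd links liblzma, to rotate credentials and review the host's SSH logs. The version match is deliberately exact: the article states only 5.6.0 and 5.6.1 carry the backdoor, so the script does not flag older releases even though the Fedora maintainer quoted above advises treating them with suspicion.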

