CVE-2024-3094 Explanation of the XZ Backdoor
This article is a bit different from the previous ones. On March 29, 2024 a vulnerability was disclosed in the open-source XZ Utils compression library (versions 5.6.0 and 5.6.1), tracked as CVE-2024-3094. It turned out to be a true backdoor, deliberately inserted by one of the project's contributors so that whoever held the matching private key could gain unauthorized access to Linux systems where the affected library was installed.
This has sparked a heated debate. Open-source programs and services are maintained by individuals or small groups who contribute on the basis of mutual trust. The XZ backdoor shows what can happen when someone who has spent years earning that trust uses it to insert a backdoor.
What is XZ used for?
XZ Utils provides the .xz compression format, the xz command-line tool and the liblzma library behind them. It is widely used to compress large archives such as system images, data archives and distributed software packages, and many other programs link against liblzma.
The main maintainer is Lasse Collin.
How does the Backdoor work?
The XZ library, liblzma, is used by many programs on a Linux system. One of them, indirectly, is OpenSSH, the open-source suite for secure remote access to Unix-like systems over the SSH (Secure Shell) protocol, used above all to log in to remote servers and transfer files over an encrypted channel. OpenSSH itself does not use xz compression: on several distributions (Debian, Ubuntu, Fedora and others) the sshd binary is patched to link libsystemd for service notifications, and libsystemd in turn loads liblzma into the sshd process.
Files inserted into the XZ sources abuse that loading step to tamper with OpenSSH's public key authentication, so that whoever controls the backdoor can get in over SSH.
I don't want to be too technical here; the aim is to explain in broad terms how the backdoor works.
The user who inserted these files into xz/liblzma was the GitHub user Jia Tan (JiaT75).
JiaT75's Story
Jia Tan's account was created on GitHub.com in 2021, and from the beginning he worked on earning the trust of Lasse Collin. On February 6, 2022 his first contribution to the XZ project was accepted, and over the following two years he became a co-maintainer with the right to merge code and publish releases.
The groundwork for tampering with the library was laid in June 2023, when the build gained ifunc-based dispatch for the CRC routines. That mechanism lets code run while the library is being loaded, and the backdoor later abused it. Nothing about it raised suspicion, and he continued with his plan.
Around February 16, 2024 he prepared the build-side piece: a modified m4/build-to-host.m4 macro that runs the scripts which compromise OpenSSH. This modified macro never appeared in the git repository. It was placed only in the release tarballs (5.6.0 on February 24 and 5.6.1 on March 9, 2024), which is what distributions build from, so anyone reviewing the repository saw nothing.
The payload itself was committed to the repository disguised as compression test vectors: the two files "tests/files/bad-3-corrupt_lzma2.xz" and "tests/files/good-large_compressed.lzma" were added on February 23, 2024 and updated on March 9, 2024. The test suite legitimately contains deliberately corrupt .xz files, so a new "bad" file looked normal. The .m4 macro does not run these files; it carves the hidden scripts out of them.
These scripts were hidden behind several layers of obfuscation and staging so they would not be spotted: byte substitutions with tr, nested compressed streams and carving with head and tail. The end result is a pre-built object file, "liblzma_la-crc64-fast.o", which the build script drops into the build so it is linked into liblzma.so in place of the legitimately compiled one. That object is the file that compromises OpenSSH.
If you are interested in the full obfuscation process, this article walks through every stage: https://gynvael.coldwind.pl/?lang=en&id=782
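To make the hiding technique concrete, here is a small Python re-creation added for this article. It is not the backdoor's code and not anything from the xz project; it only imitates the two tricks the build stages relied on: a tr-style byte swap (tab/space, hyphen/underscore) applied to a compressed stream so that the committed file fails `xz -t` like any other "bad" test vector, and a valid .lzma file whose decompressed content is filler with the real payload carved out at a fixed offset. The file names, offsets, filler and payload are constructed for the demo; the real files used different offsets, an extra byte-range remapping and a much larger payload.

```python
"""Simplified re-creation of how the xz backdoor's build stages hid data
inside files that looked like ordinary compression test vectors.

Illustrative code written for this article, not the backdoor's own code.
"""
import hashlib
import lzma

# tr "\t \-_" " \t_\-" : swap tab<->space and hyphen<->underscore.
# Every byte is swapped with its partner, so applying the table twice
# restores the original data.
_TR = bytes.maketrans(b"\t -_", b" \t_-")

def tr_swap(data: bytes) -> bytes:
    """Apply the involutive byte swap (same call encodes and decodes)."""
    return data.translate(_TR)

def make_bad_test_file(payload: bytes) -> bytes:
    """Model of bad-3-corrupt_lzma2.xz: a real .xz stream run through the
    byte swap, so the committed bytes no longer decompress."""
    return tr_swap(lzma.compress(payload, format=lzma.FORMAT_XZ))

FILLER = b"A" * 1024  # constructed: what a reviewer sees when decompressing

def make_good_test_file(payload: bytes) -> bytes:
    """Model of good-large_compressed.lzma: a valid .lzma file whose content
    is filler followed by a swapped inner .xz stream, so the payload is only
    reachable by carving at a known offset and undoing the swap."""
    inner = tr_swap(lzma.compress(payload, format=lzma.FORMAT_XZ))
    return lzma.compress(FILLER + inner, format=lzma.FORMAT_ALONE)

def looks_corrupt(data: bytes) -> bool:
    """True if the bytes fail to decompress, as `xz -t` would report."""
    try:
        lzma.decompress(data)  # FORMAT_AUTO accepts both .xz and .lzma
        return False
    except lzma.LZMAError:
        return True

def recover_from_bad(data: bytes) -> bytes:
    """Stage-1 style extraction: undo the swap, then decompress."""
    return lzma.decompress(tr_swap(data), format=lzma.FORMAT_XZ)

def recover_from_good(data: bytes) -> bytes:
    """Stage-2 style extraction: decompress the outer file, skip the filler
    (like `tail -c +1025`), undo the swap, decompress the inner stream."""
    outer = lzma.decompress(data, format=lzma.FORMAT_ALONE)
    inner = outer[len(FILLER):]
    return lzma.decompress(tr_swap(inner), format=lzma.FORMAT_XZ)

# Constructed stand-in for the hidden stage: a shell stub plus a deterministic
# high-entropy blob playing the role of the injected object file. High entropy
# keeps the compressed stream large, so the swap is certain to hit it.
STAGE_SCRIPT = b"#!/bin/sh\n# injected build stage (constructed demo)\n"
FAKE_OBJECT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
PAYLOAD = STAGE_SCRIPT + FAKE_OBJECT

def demo() -> dict:
    """Build both disguised files and report what a reviewer versus the
    build script would see."""
    bad = make_bad_test_file(PAYLOAD)
    good = make_good_test_file(PAYLOAD)
    plain_view = lzma.decompress(good, format=lzma.FORMAT_ALONE)
    return {
        "bad_fails_xz_test": looks_corrupt(bad),
        "good_passes_xz_test": not looks_corrupt(good),
        "good_plain_view_is_filler": plain_view.startswith(FILLER),
        "payload_visible_in_plain_view": PAYLOAD in plain_view,
        "stage1_recovered": recover_from_bad(bad) == PAYLOAD,
        "stage2_recovered": recover_from_good(good) == PAYLOAD,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the demo is the asymmetry: `xz -t` and a quick decompress tell a reviewer that one file is broken and the other is a kilobyte of filler, which is exactly what the test directory is supposed to contain, while a build script that knows the swap table and the offset recovers the full payload from either file.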
When sshd starts and liblzma is loaded, the code in "liblzma_la-crc64-fast.o" runs during that early loading step and redirects OpenSSL's RSA_public_decrypt, the function sshd uses to verify RSA public key authentication, to the backdoor's own routine. From then on every RSA key a client presents passes through the backdoor first. Legitimate keys are handed to the real function and behave normally. If the key's modulus instead carries a command signed with the attacker's private Ed448 key, the backdoor runs that command with sshd's root privileges before authentication completes. It is not a man-in-the-middle and it does not weaken the cryptography for anyone else; only the holder of that private key can trigger it, and nothing is logged as a failed login.
It took roughly three years of groundwork to get to this point, but fortunately the community noticed.
Andres Freund, a principal software engineer at Microsoft and PostgreSQL developer, discovered the backdoor after noticing that SSH logins on a test system were taking about half a second longer than expected and that sshd was using an unusual amount of CPU during the public key check. He traced the delay to liblzma and reported it to the community on March 29, 2024.
Despite this, many questions have arisen from this episode: How many other Open-source projects are at risk or have already been compromised?
I hope this short article has cleared up some doubts about this critical vulnerability and why it is being talked about so much.