xz-utils backdoor case
claude.icon A summary of the xz-utils backdoor incident is as follows:
On March 29, 2024, a backdoor was discovered in the widely used compression software xz-utils.
The backdoor is believed to have been planted by Jia Tan, the maintainer of xz-utils, who became involved in the development of xz-utils about two years ago and gradually gained its trust.
The backdoor was very cleverly designed and was only triggered under certain conditions. The main targets were Linux systems using systemd and openssh.
Once the backdoor is triggered, it will be possible to bypass ssh authentication and enter the system. However, no other effects are known at this time.
Jia Tan also exhibited suspicious behavior, including using another account to strongly push a patch containing a backdoor.
The main maintainer, Lasse Collin, was on vacation and could not stop Jia Tan's activities. Some have pointed out that the harsh conditions of open source developers are behind the situation.
Jia Tan's GitHub account has been frozen and the backdoor removed, but other impacts are being investigated; numerous systems, including xz-utils, are being investigated and updated.
As described above, this was an attack from within by a developer with whom we have established a long-term relationship of trust, and it is an incident that once again highlights the vulnerability of open source software.
nishio.icon
A "Linux system using systemd and openssh" is core infrastructure of the digital society, and a "backdoor" that makes it "hackable" is, to use a non-engineer's analogy, like a master key that can open any door.
Fortunately, this time the tampering was discovered before it was widely deployed, but some are concerned that there may be tampering that has not yet been discovered because it was hidden successfully, on the reasoning that "things that are easy to find get found first."
Others think that the approach (using compression software, seemingly unrelated to the target system and unlikely to draw attention, as the foothold; building trust over a long period; then exploiting the main maintainer's personal circumstances to carry out the attack) suggests a sponsor such as a state or a criminal organization rather than the spontaneous motivation of a single individual. There is no clear evidence to decide whether this is conspiracy theory or correct speculation.
dmikurube Amazing. Three years of building trust and planting a backdoor. It's like a thousand years of work to trick the demon tribe, but there's actually an incentive to do this... [Everything I know about the XZ backdoor https://boehs.org/node/everything-i-know-about-the-xz-backdoor]
dmikurube The fact that the maintenance of these things rests on the shoulders of individuals, and the fact that detecting it was almost entirely the work of individual craftsmanship... What can I say?
dmikurube But given that there was one of these, I suppose I should assume there are others. Ugh.
dmikurube In open source culture, there are many people who say "I'm waiting for your contribution", but when I see examples like this, it's difficult. As a maintainer, I can't accept it so lightly.
dmikurube (I am quite bitter about people who complain like that. Even if I am not the maintainer.)
dmikurube In fact, with Embulk, if you could sneak in a little tampering, you could probably divert data from one company to another. I'm watching it carefully. Many plug-ins are outside our jurisdiction, though.
dmikurube I try not to carelessly use third-party actions like GitHub Actions. They are a good target for doing something. And typically, Gradle plugins...
dmikurube "In April 2022, Jia Tan submits a patch via a mailing list. The patch is irrelevant, but the events that follow are. A new persona - Jigar Kumar enters, and begins pressuring for this patch to be merged." Wow. I guess those who pressure people to "merge this" should be classified the same way.
dmikurube "Soon after, Jigar Kumar begins pressuring Lasse Collin to add another maintainer to XZ. In the fallout, we learn a little bit about mental health in open source." Hmmm...
izutorishima Wow, they spent 3 years contributing to xz-utils to win trust and then put in a backdoor... too egregious! ... I can only say that it was a coincidence that it was found, and if it had made it into Ubuntu or something, I'd be scared to log in to any public server that has sshd exposed to the outside without a password.
piro_or The colors.js debacle (see also the [WinGroove Incident]) was about the developer themselves messing things up, not necessarily because it was open source, but this is a story that only open source can tell: a developer gains trust through contributions, even gets commit privileges, and then becomes an attacker.
piro_or If the WinGroove case happened now, could it be the subject of an investigation for unauthorized electromagnetic records?
nishio Given the law that "a fraud that gets found is a fraud that was poorly covered up", it's good that the remote-login backdoor in xz was found and dealt with while it still could be... but it's more likely that a similar backdoor has been planted in something not yet known and is spreading.
https://pbs.twimg.com/media/GJ-URGkaIAALUI9?format=png&name=small#.png
---
This page is auto-translated from /nishio/xz-utilsバックドア事件 using DeepL. If you see something interesting but the auto-translated English is not good enough to understand it, feel free to let me know at @nishio_en. I'm very happy to spread my thoughts to non-Japanese readers.