Timeline summary of the backdoor attack on XZ Utils



On March 29, 2024, it was revealed that the compression tool '

XZ Utils ' had a malicious backdoor. Google engineer Russ Cox has compiled a chronological summary of how the backdoor was installed.

research!rsc: Timeline of the xz open source attack
https://research.swtch.com/xz-timeline



XZ Utils and the backdoor it installed are explained in the article below.

It was discovered that a malicious backdoor was installed in the built-in compression tool 'XZ Utils' of Linux distributions such as Red Hat and Debian - GIGAZINE



The attacker who carried out the XZ Utils attack, going by the name 'Jia Tan,' had been an active contributor to XZ Utils for several years, beginning around late 2021, and was eventually granted commit access and maintainership. Jia Tan used his privileges to install a carefully hidden backdoor into XZ Utils, allowing him to execute arbitrary commands on target systems.

◆October 29, 2021
Jia Tan submitted the first harmless patch to the xz-devel mailing list.

◆November 29, 2021 to April 19, 2022
Jia Tan has sent out a number of harmless patches during this period.

◆April 22, 2022
Someone named 'Jigar Kumar' sent an email complaining about Jia Tan's patch not being delivered.

◆May 19, 2022
XZ Utils maintainer Lasse Collin apologized for the delay, saying that 'my resources are too limited and something needs to change in the long term,' and hinted at handing over to Jia Tan.

◆May 27, 2022 and June 7, 2022
Jigar Kumar wrote a complaint about the delay in patches, stating that 'Nothing will move forward until a new maintainer appears. The current maintainer has lost interest and is not going to maintain it any more.'

◆June 8, 2022
Colin responded, 'I haven't lost interest, but my ability to care is quite limited, mainly due to long-term mental health issues.' He added that he highly values Jia Tan, saying, 'I've worked with him a bit on XZ Utils recently, and I think he'll probably play a bigger role in the future.'

◆June 10, 2022
Collin merged the first commit with git metadata authorship attributing Jia Tan.

◆June 14, 2022
Jugar Kumar sent another email applying pressure, saying 'At the current rate, it is doubtful 5.4.0 will be released this year. There is no need to wait until 5.4.0 to change maintainers. Why delay something that the repository needs?'

◆June 21, 2022
A person calling himself Dennis Ens wrote, 'I'm sorry about your mental health issues, but it's important to recognize your own limitations. I understand this is a hobby project for all contributors, but the community wants more than that,' and suggested transferring the maintainership of either XZ for Java or XZ for C to someone else.

◆June 22, 2022
Jigar Kumar pressed Colin with an email asking 'Is there any progress? I see there have been some recent commits, why can't you commit yourself?'



◆June 29, 2022
Colin emailed me saying that 'Jia Tan is effectively already a co-maintainer' and that 'a maintainership change is underway for XZ Utils.'

◆Jia Tan has been appointed as maintainer
Sometime during this period, Jia Tan gained maintenance privileges.

Both Jigar Kumar and Dennis Ens used email addresses in the format 'nameNNN@mailhost', which did not appear anywhere else on the Internet. Cox, who conducted the timeline analysis, said, 'We believe these two were fakes created to encourage Colin to give Jia Tan more control.'

◆From September 27, 2022
Jia Tan began his work as a maintainer, giving an overview of the 5.4.0 release.

◆June 22, 2023
Someone calling himself Hans Jansen submitted a patch that uses the 'GNU indirect function' feature to select a fast CRC function at startup. This change provides a hook for the backdoor code to modify the global function table before it is remapped read-only. This patch was then merged by Jia Tan after Colin's work.

◆July 7, 2023
Jia Tan disabled ifunc support in the oss-fuzz build, stating that 'ifunc is incompatible with address sanitizer.' While this change was likely harmless in itself, it laid the foundation for the later use of ifunc.

◆January 19, 2024
Jia Tan has moved the website to GitHub Pages, giving him control over the XZ Uitls web pages.

◆ February 23, 2024: Attack begins
Jia Tan has hidden and merged the backdoor binary code into several binary test input files, many of which are created manually using a hex editor and are not carefully reviewed.

◆February 24, 2024
Jia Tan tagged and built v5.6.0 and released xz-5.6.0.tar.gz, which contains a build-to-host.m4 that adds the backdoor. This m4 file is not present in the source repository, but this is not suspicious since many other legitimate files are added during packaging. However,

the script was modified to add the backdoor .

On the same day, a crash in 5.6.0 was reported to Gentoo's bug report, but it was not a backdoor bug, but rather a bug caused by a change in ifunc made by Hans Jansen.

◆February 26th and 28th, 2024
Debian has added xz-utils 5.6.0-0.1 and xz-utils 5.6.0-0.2 to unstable.

◆February 28, 2024
Jia Tan added a typo to the program that checks for support for Landlock, a per-process access control mechanism, so that it always determines that Landlock is not supported.

◆February 29, 2024
A pull request was submitted on GitHub to stop the linking of liblzma to libsystemd . The backdoor in question was via liblzma, and this change would prevent the attack, which may have accelerated the attacker's schedule.

◆March 4, 2024
Red Hat distributions started experiencing Valgrind errors in _get_cpuid in liblzma, the backdoor entry point for this vulnerability. The race was on to fix this before Linux distributions dug deeper into the issue.



◆March 5, 2024
The pull request to stop linking to libsystemd has been merged and liblzma has been removed, now another race is on to introduce a backdoor into liblzma before distributions completely break the approach.

On the same day, Jia Tan committed two ifunc bug fixes, which appear to be legitimate fixes for real ifunc bugs.

◆March 8, 2024
Jia Tan has committed what he calls a fix for Valgrind, which Cox describes as 'misguided but effective.'

◆March 9, 2024
Jia Tan has committed an updated backdoor file and modified two test files containing the attack code. Jia Tan has also built v5.6.1 and published the xz 5.6.1 distribution, which contains the new backdoor.

◆March 20, 2024
Collin sent a patch to the Linux kernel mailing list that adds Jia Tan to the maintainers of the xz compression code in the kernel. There is no indication that Collin did anything malicious; he simply corrected the reference to himself as the sole maintainer.

◆March 25, 2024
Hans Jansen, who previously updated the ifunc code, has returned and filed a bug with Debian to update xz-utils to 5.6.1. As with the 2022 'pressure campaign,' numerous users with email addresses of the form 'name###@mailhost' that do not exist anywhere else on the Internet posted in defence.

◆March 28, 2024
Jia Tan filed a bug in Ubuntu to update xz-utils to 5.6.1.

◆ March 28, 2024: Attack discovered
Andres Freund discovered the bug and privately notified Debian and distros@openwall. Red Hat assigned it CVE-2024-3094. Debian rolled back 5.6.1 and released 5.6.1+really5.4.5-1.

◆March 29, 2024
Freund disclosed the existence of the backdoor in a post to oss-security@openwall, stating that he had 'discovered a backdoor in the past few weeks.'

Red Hat also disclosed that it shipped the backdoor in Fedora Rawhide and Fedora Linux 40 beta.

◆March 30, 2024
Debian has rebuilt their build machines using Debian stable.

◆ Forum is currently open
A forum related to this article has been set up on the official GIGAZINE Discord server . Anyone can post freely, so please feel free to comment! If you do not have a Discord account, please refer to the account creation procedure article to create an account!

• Discord | 'Do you think cases like the XZ Utils backdoor attack have occurred in other software?' | GIGAZINE
https://discord.com/channels/1037961069903216680/1225011071434362972

in Software, Posted by log1d_ts