A backdoor discovered in a very popular software caused panic throughout the weekend. Expertly orchestrated, the attack at the origin of the breach was prepared for several years, like in a real thriller.
A little wind of panic blew throughout the last weekend of March in the tech world. A backdoor allowing you to bypass a critical security protocol and gain remote control of a computer has been discovered, somewhat by chance, within a recent version of a very popular utility in Linux systems. the problem is that if these systems are not the most widespread – or even known – among the general public, they are however omnipresent on the computer servers which constitute the backbone of the Internet, this flaw thus constituting a major danger for the entire industry. But more than the breach itself, it was its implementation that stunned the free software community, with preparation spanning several years and relying on very sophisticated mental manipulation, which finds its roots in a major and much larger problem in the contemporary software industry.
Let’s summarize the facts. Friday April 29, 2024, a performance problem alerted Andres Freund, a Microsoft engineer, who continued his investigations and then discovered a back door in the XZ utility, a file compression and decompression program widely used in the Linux world. The malicious code allows you to bypass the SSH authentication protocol and take remote control of the computer on which it is running. Fortunately, this major flaw is only found in the latest versions of XZ, which have only been deployed in beta versions of some Linux distributions. Alerted, the stakeholders concerned then set about downgrading the XZ version used in their products and communicating the measures to take to their users. The worst is avoided, but investigations begin and reveal a staggering modus operandi which suggests the prepared action of a malicious state actor.
Backdoor XZ Utils: a sophisticated infiltration, prepared for a long time
The XZ utility is an open source project developed and maintained voluntarily for many years by a single person, Lasse Collin. Overworked and lonely, the developer publicly announces his workload to keep the project alive and calls for reinforcements. A good Samaritan presenting himself under the pseudonym Jia Tan then offered his help and began contributing to the project for at least two years. Throughout this period, Lasse Collin was also put under pressure by several users, who pushed him to develop new functions ever more quickly, denigrated his work and even encouraged him to pass on. Exhausted, he ended up appointing the famous Jia Tan as co-maintainer of the project, which then gave him a lot of leeway in terms of adding code. And that’s where the cleverly orchestrated trap closes. Indeed, this angelic contributor and the pressing users are only one and the same person, or more certainly members of the same organization, who have maneuvered jointly to aggravate the burnout from the original developer, pushing him to open the door to his project and thus gaining access to the heart of the machine.
Once there, Jia Tan then incorporated the backdoor code into versions 5.6.x of the XZ utility and began to deploy them across the board with the main Linux distributions such as Debian, RHEL and Arch. Fortunately detected and quickly contained by the reactivity of the open source community, this attack nevertheless reveals one of the main weaknesses of the modern software industry. The entire contemporary IT infrastructure is built on the assembly of successive software bricks, a significant number of which are small projects maintained by a single or a few people, often voluntarily and in their free time. Large lucrative companies, such as the famous GAFAM, do not hesitate to use the work provided free of charge by these developers, without paying them or providing them with the necessary support. As a result, many become exhausted, some give up and others end up accepting the hand extended by a providential benefactor, even if this one is a wolf disguised as Saint Bernard.
Backdoor XZ Utils: structural flaws but a resilient ecosystem
It is still too early to accurately measure the extent and depth of the infiltration carried out by the attackers of the XZ Utils project, and many people in the world of open source and cybersecurity are currently working to trace all the ramifications of this coordinated and long-planned attack. But the XZ Utils case is just the tip of the iceberg and probably not an unfortunate case but an isolated one. On the contrary, it is the symptom of an intrinsically flawed and deleterious functioning of an industry gorged on capturing the free work of passionate but neglected contributors. In November 2021, another flaw of the same type had already shaken the tech world, Log4Shell, named after the Log4j utility that it affected, a software component widely used on web servers. If the case was very different from a technical point of view, the flaw then coming from a design defect in the software itself, its macroscopic implications were however similar: an open source project massively used by those involved in the industry, the maintenance of which was left to the sole care of two volunteer developers and whose failure could have catastrophic consequences.
In this somewhat gloomy picture of the state of the software world in general and open source in particular, we can nevertheless find some comfort and a reason for satisfaction in the particularly effective response which was given to the XZ Utils case. Discovered somewhat by chance by an engineer from a large company, taken seriously and quickly corrected by the affected actors, studied from every angle by numerous people to discover its ins and outs, the XZ Utils backdoor demonstrates that collective intelligence, knowledge sharing and mutual vigilance, fundamental values of open source and free software, are robust and effective operating principles. It now remains to build a fair and equitable economic system, which allows its stakeholders to work peacefully, without exhausting themselves and slowly destroying themselves.