CISA sounds alarm on deep-seated vulnerability in Linux tool


The malicious code was introduced by a user who has long contributed to the open-source project.

The Cybersecurity and Infrastructure Security Agency issued an alert Friday warning of a previously unnoticed backdoor in XZ Utils, a widely used Linux tool and library that compresses files and data streams.

If allowed to propagate, the backdoor could have rendered the open-source Linux ecosystem ripe for exploitation by hackers. The target was Secure Shell, or SSH, the encrypted remote-login service: on some distributions the tampered compression library is loaded into the SSH server process, and the backdoor there could have let an attacker bypass SSH authentication and gain access to entire systems.

A malicious actor planted a backdoor in XZ Utils, a compression tool and library shipped by nearly every Linux distribution. The malicious code was rolled into two recent releases, 5.6.0 and 5.6.1, but only certain pre-release versions of Linux distributions had picked them up, according to a March 30 analysis from Red Hat, which provides a commercial Linux distribution.

The malicious code arrived in a Feb. 23 release whose tarball carried an obfuscated build script, absent from the public source repository, that injected the backdoor into the compression library at build time. Left unnoticed, that release would have carried the backdoor into the upcoming version of Ubuntu, a Linux distribution used in the IT stacks of major companies like Instacart, Slack and Robinhood.

“CISA recommends developers and users to downgrade XZ Utils to an uncompromised version — such as XZ Utils 5.4.6 Stable — hunt for any malicious activity and report any positive findings to CISA,” the agency said in its alert.
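As a concrete form of that check, the following shell script is an added example, not CISA's guidance text or the xz project's own tooling. It flags a host whose installed xz is one of the two backdoored releases (5.6.0 or 5.6.1) and reports whether the local sshd links liblzma at all, which is the path by which the backdoor reached the SSH server. The version strings it is tested against are constructed; the sshd path fallback of /usr/sbin/sshd is an assumption about typical layouts.

```shell
#!/bin/sh
# Added triage helper (example code, not CISA's or the xz project's).
# Flags hosts running one of the two backdoored XZ Utils releases and
# checks whether sshd loads liblzma, the route the backdoor used.

# Returns 0 (true) when the given version string is a backdoored release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version number from `xz --version` output, whose first
# line reads e.g. "xz (XZ Utils) 5.6.1"; prints "5.6.1".
parse_xz_version() {
    printf '%s\n' "$1" | head -n 1 |
        sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Runs the live checks on this host and prints one verdict per check.
# Note: the xz binary and the liblzma shared library usually come from the
# same package, but confirm the library version with your package manager.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "xz $ver: AFFECTED, downgrade (e.g. to 5.4.6) and hunt for activity"
        else
            echo "xz ${ver:-unknown}: not one of the two backdoored releases"
        fi
    else
        echo "xz not installed"
    fi

    # /usr/sbin/sshd is an assumed fallback path when sshd is not on PATH.
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
            echo "sshd links liblzma: exposed if liblzma is a backdoored build"
        else
            echo "sshd does not link liblzma"
        fi
    else
        echo "sshd not found or ldd unavailable; skipping linkage check"
    fi
}
```

Run `check_host` on each host as an unprivileged user; a clean version verdict does not by itself clear a host, since the alert also asks for a hunt for malicious activity.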

The flaw was discovered by Microsoft engineer Andres Freund, who documented the technical findings on Friday. Other Linux distribution communities have been quickly alerting users to the vulnerability, helping to avert what might have been a much more pervasive problem.

Notably, the malicious code was introduced by a user who had long contributed to XZ Utils. Because the tool is open-source, the project relies on community members who keep it up to date through patches and regular releases.

A user known as “Jia Tan” filed a bug report on March 28 asking that the packaged software be updated to the release carrying the malicious code, arguing it would fix issues seen in Debian, another Linux distribution, whose community describes it as an entirely free operating system.

The GitHub repository hosting the project has since been disabled while GitHub assesses how and where the malicious releases may have been inadvertently incorporated into Linux offerings.

One Ubuntu maintainer said the user “has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise,” Ars Technica reported Friday.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote in his analysis. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’ mentioned above.”

The event is likely to reinvigorate debates in Washington over the safety and security of open-source tools. The discussions have already become a flash point in AI policy talks as lawmakers and the tech industry tussle over how accessible AI systems should be made to the general public.

There are suspicions that the actor could have been affiliated with a nation-state cyber collective, Politico reported Monday, adding that the FBI and NSA are likely to investigate the incident.