On March 29th, 2024, a bug was reported by Andres Freund, who was benchmarking sshd and noticed a performance regression. He found that there was a backdoor in the xz tarballs that distros use to build xz. The backdoor is assembled during the build from autotools and m4 scripts together with disguised "test data" files; the resulting code hooks into systemd and tries to decrypt incoming sshd connections.
Xz had one maintainer, Lasse Collin, who had been maintaining the project alone since 2009 and was burnt out. The malicious actor used several aliases to persuade the sole maintainer to accept a new maintainer for xz, on the grounds that "pull requests were neglected". The persona that took on this role was called "Jia Tan", and after becoming sole maintainer of xz, it implemented the backdoor in a few separate steps.
This backdoor affected xz versions 5.6.0 and 5.6.1. Most distros were still on 5.4.x, so they were unaffected. The backdoor also only targeted x86_64 Linux systems using glibc. The main affected systems were Debian testing and unstable and Fedora 40, as those had already accepted xz 5.6.0+ into their repos. Termux was also affected, although Debian pushed an "upgrade" which reverted the xz version back to 5.4.5.
Given the effort put into concealing this backdoor, it is possible that other backdoors are still lurking.
The main lesson is the same as from the OpenSSL vulnerabilities: xz is just a "hobby" project, according to Lasse Collin, yet it has hooks into systemd and can arbitrarily infect PID 1, so it probably needs more support. Perhaps a corporately backed fork, as happened with OpenSSL, could contribute fixes back to upstream.
It is also important to know what software a project is actually running. Tools like SBOMs (software bills of materials), which list every dependency of a project or container, would help in identifying compromised systems faster.
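As an added example (not code from the original post or from the xz project), here is how an SBOM check for the two backdoored xz versions named above could look. It assumes a CycloneDX-style JSON SBOM with a `components` list, a constructed sample document, and Debian's naming conventions for epochs, revisions and "+really" rollbacks; the package names checked are an assumption as well.

```python
import json

# Versions the post names as carrying the backdoor.
AFFECTED_XZ_VERSIONS = {"5.6.0", "5.6.1"}
# Package names under which xz commonly ships (assumed list for illustration).
XZ_COMPONENT_NAMES = {"xz", "xz-utils", "liblzma", "liblzma5"}


def upstream_version(version: str) -> str:
    """Reduce a distro package version string to the upstream xz version.

    Handles a leading epoch ("1:5.6.1"), a distro revision suffix ("5.6.1-1"),
    and the Debian "+really" convention used for rollbacks: a package named
    "5.6.1+really5.4.5-1" sorts as newer than 5.6.1 but actually contains 5.4.5.
    """
    v = version.split(":", 1)[-1]   # drop epoch
    v = v.split("-", 1)[0]          # drop distro revision
    if "+really" in v:              # the real upstream version follows "+really"
        v = v.split("+really", 1)[1]
    return v


def find_affected_components(sbom: dict) -> list[dict]:
    """Return the SBOM components that are xz at a backdoored upstream version."""
    hits = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "").lower()
        if name not in XZ_COMPONENT_NAMES:
            continue
        ver = upstream_version(comp.get("version", ""))
        if ver in AFFECTED_XZ_VERSIONS:
            hits.append({"name": comp["name"], "version": comp["version"], "upstream": ver})
    return hits


# Constructed sample SBOM in CycloneDX JSON shape; not taken from any real system.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "xz-utils", "version": "5.6.1-1"},
    {"type": "library", "name": "liblzma5", "version": "5.6.1+really5.4.5-1"},
    {"type": "library", "name": "openssh-server", "version": "1:9.6p1-3"},
    {"type": "library", "name": "xz", "version": "5.4.6"}
  ]
}""")

if __name__ == "__main__":
    for hit in find_affected_components(SAMPLE_SBOM):
        print(f"affected: {hit['name']} {hit['version']} (upstream {hit['upstream']})")
```

Only the first component is flagged: the rolled-back `liblzma5` package resolves to upstream 5.4.5 and is correctly skipped.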