XZ Utils Backdoor Supply Chain Attack Recalls a Similar Incident From Years Ago

The recent revelation of a backdoor in XZ Utils has reminded a developer at F-Droid, the open-source Android app repository, of a past incident. At the end of March, PostgreSQL maintainer Andres Freund raised the alarm about a backdoor in liblzma, the data compression library shipped as part of XZ Utils. The library is used by a great many projects and is installed by default in most Linux distributions. The backdoor was initially reported as an SSH authentication bypass, but closer analysis showed that it enabled remote code execution; it is tracked as CVE-2024-3094.
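The article does not describe how to check a system, so the following is an added example, not code from the article, from the XZ Utils project or from any distribution. The only facts it relies on are that the backdoor shipped in the 5.6.0 and 5.6.1 releases and that `xz --version` prints a line of the form `xz (XZ Utils) 5.6.1`; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article): flag the two XZ Utils releases,
# 5.6.0 and 5.6.1, that shipped the CVE-2024-3094 backdoor.

# Return 0 (true) if the given version string is one of the backdoored releases.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "xz --version" style output on stdin and print just the version,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if no such line.
xz_version_from_output() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Check the xz binary on PATH, if any. Prints a verdict and returns
# 0 if backdoored, 1 if not one of the known bad releases, 2 if xz is absent.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    if xz_version_is_backdoored "$ver"; then
        echo "xz $ver: BACKDOORED (CVE-2024-3094), replace the package immediately"
        return 0
    fi
    echo "xz $ver: not one of the known backdoored releases"
    return 1
}

# Constructed sample of xz --version output, used to exercise the parser offline.
SAMPLE_OUTPUT="xz (XZ Utils) 5.6.1
liblzma 5.6.1"

# Stand-alone run: parse the constructed sample, then check the live system.
printf '%s\n' "$SAMPLE_OUTPUT" | xz_version_from_output
check_installed_xz || true
```

The version string is a quick triage signal, not a verdict: distributions patched or reverted their packages under their own version numbers, and the malicious code lived in the release tarball's build scripts rather than in the git tree, so the authoritative answer is your distribution's advisory for CVE-2024-3094.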
Supply chain attacks on open-source software are not uncommon, but what sets this incident apart is that it was prepared over several years. Hans-Christoph Steiner, an F-Droid maintainer, recalled a similar event from 2020: an attempt to slip a SQL injection vulnerability into the project, which was caught and rejected. What the two incidents share is the pressure applied by otherwise unknown accounts to get the malicious code merged.
Steiner believes the 2020 attempt was deliberate, since the submitter's account was deleted shortly afterward. In the XZ Utils case, the backdoor has been attributed to a contributor named Jia Tan (GitHub handle JiaT75), which may be a fabricated identity operated by a sophisticated threat actor. Jia Tan's involvement in the project began innocuously in October 2021 and escalated to substantial contributions by mid-2023, apparently laying the groundwork for the backdoor.
The backdoor itself was added in February 2024 and discovered a month later by Freund, before it reached the stable releases of the major distributions. Lasse Collin, the main developer of XZ Utils, is investigating what happened. Dan Lorenc, a software supply chain security expert, warned of exactly this kind of long-term attack in a 2022 podcast, suggesting that government hacking teams might be behind such efforts.
The open question is whether similar incidents, by the same or other threat actors, will come to light. As Collin's investigation proceeds, more details are expected to emerge about the extent and implications of the XZ Utils backdoor.