Linux got wrecked by backdoor attack

Fireship
1 Apr 2024, 04:32

Summary

TLDR: The open source community faces a critical security crisis as a sophisticated supply chain attack compromises the XZ compression tool, affecting numerous Linux distributions. The attack, which grants unauthorized code execution via a secret back door, was discovered by software engineer Andres Freund. The malicious code, hidden in the liblzma library and requiring a payload signed with the attacker's private key, raises questions about the perpetrator's identity, with suspicions ranging from an individual hacker to state-sponsored groups. The incident underscores the importance of vigilance in software security.

Takeaways

  • 🚨 A sophisticated supply chain attack has affected the XZ compression tool, impacting various Linux distributions like Debian, CentOS, and openSUSE.
  • 🔒 The attack introduced a secret back door, allowing unauthorized execution of code on affected machines through the XZ utility.
  • ⚠️ This security breach is rated a Threat Level Midnight 10.0 critical issue on the CVSS scale, surpassing the severity of known bugs like Heartbleed and Shellshock.
  • 🎯 The XZ back door lives in liblzma, the LZMA compression library that is installed on most Linux distributions and that the SSH daemon (sshd) depends on.
  • 🤝 The liblzma library, which is compromised, is utilized by many software applications for compression functionalities.
  • 🔍 The malicious code was obfuscated and injected during the build process, modifying the lzma code to enable data interception and manipulation.
  • 🔐 The back door's payload must be signed with the attacker's private key, ensuring that only the attacker can exploit the vulnerability.
  • 💡 The vulnerability was discovered by chance by a software engineer, Andres Freund, who noticed unusual CPU usage during SSH logins while benchmarking on Debian's unstable branch.
  • 🌐 The potential impact could have been disastrous, given that the majority of internet servers run on Linux.
  • 🛑 The attacker's identity remains unknown, with suspicions ranging from an individual to a state-sponsored group, possibly from countries like Russia, North Korea, or the United States.

Q & A

  • What is the main issue discussed in the video?

    -The main issue discussed is a highly sophisticated and carefully planned attack affecting the XZ compression tool, which has been shipped to production and compromised various Linux distributions.

  • How does this attack rank in terms of severity?

    -This attack is considered a Threat Level Midnight 10.0 critical issue on the CVSS scale, even higher than famous bugs like Heartbleed, Log4Shell, and Shellshock.

  • Which operating system is mentioned as being unaffected by the XZ back door?

    -Temple OS is mentioned as being unaffected by the XZ back door.

  • What is XZ Utils and why is it significant in this context?

    -XZ Utils is a tool for compressing and decompressing streams based on the Lempel-Ziv-Markov chain algorithm (LZMA). It contains a command-line tool (xz) installed on most Linux distributions by default and an API library called liblzma, which many other pieces of software depend on for compression.

  • How was the back door discovered?

    -The back door was discovered by pure luck when a software engineer named Andres Freund was using the unstable branch of Debian to benchmark PostgreSQL. He noticed that SSH logins were using more CPU resources than normal, which led him to investigate and ultimately trace the issue upstream to XZ Utils.

  • What is the role of the liblzma library in this security breach?

    -The liblzma library, which is part of XZ Utils, contains the back door. The malicious code was found in the release tarballs of liblzma, which are what most people actually install, not in the source code itself. The code is obfuscated and, during the build process, injects a pre-built object disguised as a test file, allowing the attacker to intercept and modify data that passes through this library.

  • What is unique about the payload sent to the back door?

    -The payload sent to the back door must be signed by the attacker's private key, meaning only the attacker can send a payload to the back door. This makes it more difficult to test, monitor, and adds a layer of protection for the attacker.

  • Who is suspected of introducing the malicious tarballs?

    -A contributor to the liblzma project named 'Jia Tan' is suspected of introducing the malicious tarballs. This individual had been a trusted contributor for the last few years, building up trust before attempting this back door.

  • What is the potential impact of this back door on the internet?

    -Since the vast majority of servers that power the internet are Linux-based, this back door could have been a major disaster. However, it was discovered early on, which helped to avoid a potential multi-billion dollar disaster.

  • What is the significance of the name 'Andres Freund' in this context?

    -Andres Freund is the hero software engineer who discovered the back door while using the unstable branch of Debian. His last name translates to 'friend' in German, which is fitting, as he single-handedly helped the world avoid a major disaster.

  • What is the current state of understanding regarding the true identity of the hacker?

    -At this point, it is unclear who is behind the attack. It could be an individual, a group of state-sponsored hackers, or even a rogue state like Russia, North Korea, or the United States.

  • What is the recommended course of action for those using the affected Linux distributions?

    -Users of the affected Linux distributions are advised to upgrade their systems immediately to mitigate the risk and potential impact of the XZ back door.

Outlines

00:00

🚨 Urgent Security Crisis in the Open Source World

The open source community has been thrown into a state of panic due to a highly sophisticated and meticulously planned attack on the XZ compression tool. This supply chain attack has compromised various Linux distributions, including Debian Sid, openSUSE, and others. Fortunately, Temple OS remains unaffected. The severity of this issue is unprecedented, surpassing even notorious vulnerabilities like Heartbleed and Shellshock. The video aims to explain the workings of the XZ back door and the remarkable story of its accidental discovery. It is crucial for users of the affected Linux distributions to upgrade their systems immediately, as this back door could have led to a catastrophic event had it not been discovered early.

Keywords

💡Open Source

Open source refers to a type of software licensing where the source code is made publicly available for inspection, modification, and enhancement. In the context of the video, the open source community is in a state of panic due to a security breach in a widely used tool, highlighting the importance of open source's collaborative nature in maintaining and securing software.

💡Supply Chain Attack

A supply chain attack is a type of cyber attack where the vulnerability is introduced into a software application through its development, distribution, or management process. In the video, this term is used to describe the infiltration of the XZ compression tool, which is a critical component in the software supply chain of several Linux distributions.

💡Linux Distros

Linux distributions, or distros, are variations of the Linux operating system that are tailored for specific uses, hardware, or user preferences. The video discusses how certain Linux distros, such as Debian and openSUSE, are affected by the security breach in the XZ compression tool.

💡Back Door

A back door in software is a hidden entry point or access point that bypasses normal authentication or security measures, allowing unauthorized access or control. In the video, the discovery of a back door in the XZ compression tool is a critical security issue, as it provides attackers with a covert way to execute code on affected systems.

💡CVSS Scale

The CVSS (Common Vulnerability Scoring System) scale is a method for rating the severity of a cybersecurity vulnerability on a scale from 0.0 to 10.0. The video emphasizes the severity of the XZ compression tool breach by calling it a 'Threat Level Midnight 10.0 critical issue on the CVSS scale,' which is even higher than other famous bugs like Heartbleed and Shellshock.

💡LZMA

LZMA stands for Lempel-Ziv-Markov chain Algorithm, which is a compression algorithm used by the XZ compression tool. The video explains that the XZ compression tool contains a command-line tool and an API library called liblzma, which is widely used by other software, including SSH, to implement compression.

💡SSH (Secure Shell)

SSH, or Secure Shell, is a protocol that provides a secure channel over an unsecured network for remote login and other secure network services. In the video, the security breach in the XZ compression tool potentially affects SSH because it relies on the liblzma library for compression, which has been compromised.

💡Obfuscation

Obfuscation refers to the process of making code difficult to understand by intentionally making it complex, using misleading names, or employing other techniques to hide its true purpose. In the context of the video, the attackers used obfuscation to hide the malicious code within the XZ compression tool, making it challenging to detect and understand.

💡Private Key

A private key, in the context of cryptography, is a unique piece of data that is used to decrypt or sign messages and transactions. In the video, the back door in the XZ compression tool can only be exploited if the payload sent to it is signed by the attacker's private key, ensuring that only the attacker can send a payload and maintain control over the back door.

💡Andres Freund

Andres Freund is a software engineer who discovered the security breach in the XZ compression tool by accident. His last name, which translates to 'friend' in German, is fitting, as he helped the world avoid a major disaster by uncovering the issue.

💡Lasse Collin

Lasse Collin is the maintainer of the liblzma project, which was targeted in the supply chain attack. The malicious tarballs were associated with this project, and while Lasse Collin is not suspected of being involved, the attacker used his project as a means to distribute the compromised XZ compression tool.

Highlights

The open source world is in panic due to a sophisticated attack on the XZ compression tool.

The attack has compromised Linux distributions like Debian Sid, openSUSE, and others.

Temple OS remains unaffected by this security breach.

This incident is considered one of the most well-executed supply chain attacks in history.

The threat level is rated 10.0 on the CVSS scale, higher than famous bugs like Heartbleed and Shellshock.

The XZ back door works by injecting a pre-built object disguised as a test file during build time.

The malicious code modifies the lzma code to intercept and alter data interacting with the library.

The payload sent to the back door must be signed by the attacker's private key, limiting access to the creator.

The attacker obfuscated the code to avoid detection: it contains no ASCII characters and instead uses a built-in state machine to recognize important strings.

Linux-based servers, which power the majority of the internet, could have been severely impacted by this back door.

Andres Freund, a software engineer, discovered the issue by accident while benchmarking PostgreSQL on the unstable branch of Debian.

SSH logins were using more CPU resources than normal, which initially led Freund to investigate further.

The liblzma project is maintained by Lasse Collin, but the malicious tarballs were passed by Jia Tan, a trusted contributor.

Jia Tan, or the group behind this name, spent years building trust before implementing the back door without anyone noticing.

The true identity of the hacker remains unknown, and it is unclear whether it is an individual or a state-sponsored group.

The attack aimed to exploit the popularity and single maintainer status of XZ, making it a sitting duck.

The discovery by Andres Freund helped the world avoid a potential multi-billion dollar disaster.

The story serves as a reminder of the importance of security in open source software and the potential risks of supply chain attacks.

Transcripts

00:00

over the last few days the open source

00:01

world has been in panic mode a highly

00:03

sophisticated and carefully planned

00:05

attack affecting the XZ compression tool

00:08

was shipped to production and it's

00:09

compromised Linux distros like Debian Sid

00:12

openSUSE and others thank God Temple OS

00:14

is unaffected though and it's quite

00:16

possibly one of the most well executed

00:18

supply chain attacks of all time and

00:19

give some random dude unfettered access

00:21

to execute code on your machine via a

00:24

secret back door this is not your

00:25

everyday security vulnerability it's a

00:27

Threat Level Midnight 10.0 critical

00:29

issue on the CVSS scale even higher

00:32

than famous bugs like Heartbleed,

00:34

Log4Shell and Shellshock in today's

00:36

video you'll learn exactly how the XZ

00:38

back door works and the incredible story

00:40

of how it was discovered by accident it

00:42

is April 1st 2024 and you're watching

00:44

the code report unfortunately this is

00:46

not an April Fool's video If you happen

00:48

to be using one of the Linux distros

00:49

listed here you'll want to upgrade

00:51

immediately luckily it only affects a

00:53

very narrow set of distros most of which

00:55

are unstable builds but that's only

00:57

because this back door was discovered by

00:58

pure luck early on more on that in just

01:00

a second let's first take a deep dive

01:02

into this back door XZ Utils is a tool

01:05

for compressing and decompressing

01:06

streams based on the Lempel-Ziv-Markov

01:09

chain algorithm or LZMA it contains a

01:11

command line tool that's installed on

01:13

most Linux distros by default which you can

01:15

use right now with the XZ command but

01:17

also contains an API library called

01:19

liblzma and many other pieces of software

01:22

depend on this library to implement

01:24

compression one of which is sshd or

01:26

secure shell daemon a tool that listens

01:28

to SSH connections

01:30

like when you connect your local machine

01:32

to the terminal on a cloud server and

01:34

now here's where the back door comes in

01:35

but keep in mind researchers are still

01:37

figuring out exactly how this thing

01:38

works malicious code was discovered in

01:40

the tarballs of liblzma which is the

01:43

thing that most people actually install

01:44

that malicious code is not present in

01:46

the source code though it uses a series

01:48

of obfuscations to hide the malicious

01:50

code then at build time it injects a

01:52

pre-built object disguised as a test

01:54

file that lives in the source code it

01:56

modifies specific parts of the lzma code

01:58

which ultimately allows the attacker

02:00

to intercept and modify data that

02:02

interacts with this library researchers

02:04

have also discovered that any payload

02:06

sent to the back door must be signed by

02:08

the attacker's private key in other

02:09

words the attacker is the only one who

02:11

can send a payload to the back door

02:13

making it more difficult to test and

02:15

monitor and the attacker went to great

02:16

lengths to obfuscate the code like it

02:18

contains no ASCII characters and instead

02:20

has a built-in state machine to

02:22

recognize important strings now because

02:24

the vast majority of servers that power

02:25

the internet are Linux based this back

02:27

door could have been a major disaster

02:29

luckily though a hero software engineer

02:31

named Andres Freund was using the unstable

02:34

branch of Debian to benchmark Postgres

02:36

he noticed something weird that most

02:37

people would overlook SSH logins were

02:39

using up more CPU resources than normal

02:42

initially he thought it was an issue in

02:43

Debian directly but after some

02:45

investigation discovered it was actually

02:47

upstream in XZ Utils and that's really

02:49

bad because so many things depend on

02:51

this tool in German his last name

02:52

translates to friend which is fitting

02:54

because he single-handedly helped the

02:56

world avoid a multi-billion dollar

02:58

disaster but whodunit who's the bad

03:00

guy here at this point it's unclear the

03:02

liblzma project is maintained by Lasse

03:04

Collin however the malicious tarballs are

03:06

passed by Jia Tan a contributor to the

03:08

project this individual has been a

03:10

trusted contributor for the last few

03:12

years but clearly they've been playing

03:14

the long game they spent years building

03:15

up trust before trying the back door and

03:17

nobody even noticed when they made their

03:19

move I say they because we don't know if

03:21

this is an individual or a penetration

03:23

attempt from a rogue State like Russia

03:24

North Korea or the United States here's

03:26

a non-technical analogy imagine there's

03:29

a landlord we'll call him Lasse Collin

03:31

who manages a popular apartment building

03:33

it's a lot of work but this young

03:35

enthusiastic guy has been super helpful

03:37

over the last couple years adding all

03:38

sorts of upgrades and renovations let's

03:40

call him Jia Tan he does great work but

03:43

he's also been secretly installing

03:44

cameras in the bathrooms which only he

03:46

can access from the internet with his

03:48

password now he would have gotten away

03:49

with it too if it weren't for a pesky

03:51

tenant named Andres who happened to

03:53

notice that his electricity bill was

03:55

just a little bit higher than usual he

03:56

started looking behind the walls and

03:58

found some unexpected wires that led

04:00

right to the unauthorized cameras at

04:02

this point we don't know the true

04:03

identity of the hacker but whoever did

04:05

this was looking to cast a very wide net

04:08

and because it's protected by a secret

04:09

key can only be exploited by one party

04:11

XZ was a sitting duck because it's

04:13

extremely popular while also being very

04:15

boring with a single maintainer

04:17

whoever's behind this is either an

04:18

extremely intelligent psychopath or more

04:20

likely a group of state sponsored

04:22

dimension-hopping lizard people hellbent

04:24

on world domination and that's why the

04:25

only distro you should use is Temple OS

04:28

this has been the code report thanks for

04:29

watching and I will see you in

04:31

the next one