Microsoft engineer spots Linux back door

In late March, Microsoft software engineer Andres Freund noticed a tiny delay when logging in via SSH, and uncovered a mysterious back door.

The pattern of this attack superficially resembles that of APT29, aka Cozy Bear, which has links to Russian foreign intelligence.
CREDIT: Wikimedia/Public domain, United States Computer Emergency Readiness Team

In late March 2024, Microsoft software engineer Andres Freund was flying home to San Francisco from his native Germany. He’d been doing some micro-benchmarking and saw that his system’s sshd processes were using an unusual amount of CPU time, and that Valgrind was also reporting a number of errors.

Andres explored further and found that the errors centred on liblzma, one of the major components of XZ Utils alongside the xz tool itself. The source code for both is publicly available on GitHub, as are the associated binaries. XZ Utils is found in almost every Linux distribution, since it provides lossless data compression.

Freund initially believed that the issue affected only his own OS (Debian Sid). After more careful investigation, he discovered that in fact the upstream xz repository and the xz release tarballs had been back-doored. The back door affected versions 5.6.0 and 5.6.1 of XZ Utils and worked via additions to the configure script shipped in the tarballs, which made it very difficult to detect.

The implication was that any server running these versions of XZ Utils alongside SSH could potentially be accessed by whoever held a specific private key. In the event, the vulnerability was patched within hours, but had it remained undetected it would almost certainly have found its way into popular upcoming server distros, such as Debian 13 and Ubuntu 24.04.
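A host check a defender might run against the two affected releases named above, written as an added example for this article (it is not code from Freund or the XZ project). It assumes `xz` and `ldd` are on the PATH and that `xz --version` prints a first line of the form `xz (XZ Utils) 5.6.1`; the version strings used in the comments are constructed samples.

```shell
#!/bin/sh
# Returns 0 (true) when the given version string is one of the two
# back-doored XZ Utils releases the article names: 5.6.0 and 5.6.1.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extracts the version number from `xz --version` output, e.g. the
# constructed line "xz (XZ Utils) 5.6.1" yields "5.6.1". Takes the output
# as a string so the parser can be exercised offline.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Reports whether the sshd binary links liblzma (directly or through
# another library): the back door only matters on hosts where sshd loads
# liblzma. Note that ldd may execute parts of the binary it inspects, so
# point it only at a binary you already trust.
sshd_links_liblzma() {
    sshd_path="${1:-$(command -v sshd 2>/dev/null)}"
    [ -n "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Puts the pieces together for the local host.
check_host() {
    ver=$(parse_xz_version "$(xz --version 2>/dev/null || true)")
    if xz_version_affected "$ver"; then
        echo "WARNING: xz $ver is a back-doored release (5.6.0/5.6.1)"
    else
        echo "xz version ${ver:-unknown} is not 5.6.0 or 5.6.1"
    fi
    if sshd_links_liblzma; then
        echo "sshd links liblzma: confirm the installed liblzma is not 5.6.0/5.6.1"
    fi
}

# Run the host check only when invoked with --run, so the functions can
# also be sourced and tested without touching the live system.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```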