It’s official — CVE-2024-3094 is the “Backdoor in XZ Utils That Almost Happened”. Fortunately, the malware was detected before we released the compromised version as an official update. If you are using Fedora Linux 38 or 39, or an up-to-date Fedora Linux 40 Beta, you should be all set, and the upcoming Fedora Linux 40 final release is not affected.
The XZ backdoor is a devious piece of work. It affects the SSH remote login protocol, which has a feature where users can be authenticated using a public-private key pair. The exploit sneaks a public key right into the allow-list, so someone out there with the corresponding key could log in to a compromised machine with full root access — without a trace. We have no evidence that the attackers ever got a chance to take advantage of this, but if the malware had slipped by undetected, it could have been devastating.
Fortunately, the plot was foiled by Andres Freund while doing volunteer work in his spare time. He noticed that there was a slight change in performance, and decided to investigate. One of my Fedora friends quoted John Denver: “What one man can do is change the world and make it work again! Here you see what one man can do.”
If you have a system with the Fedora Linux 40 Beta or Fedora Rawhide, and you applied updates during the time the compromised package was in our updates-testing repository, you should check to make sure that it is now reverted, and apply current updates if not. (You should have xz-5.4.6, as of this post.) On Fedora Workstation systems, the ssh daemon does not run by default, which additionally limits possible risk. However, if you did have the bad update on a system, or think you might have, we recommend a full reinstall out of an abundance of caution.
Fedora Linux 38 and 39 never had even a candidate update for the compromised package, and we pulled the test update for 40, so it was never merged into the release.
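A small script for the check described above, added here as an example; it is not part of the Fedora Magazine post or of Fedora’s own tooling. It assumes the usual first two lines of `xz --version` output (`xz (XZ Utils) X.Y.Z` and `liblzma X.Y.Z`), takes 5.4.6 from the post as the expected version, and uses `rpm` and `systemctl` for the live check when they are present; the sample output it parses is constructed.

```shell
#!/bin/sh
# Added example, not from the Fedora Magazine post: verify that the installed
# xz and liblzma match the version the post says a current system should
# carry (5.4.6), and report whether the ssh daemon is running.

EXPECTED_XZ=5.4.6   # version named in the post; adjust as updates move on

# Parse the first two lines of `xz --version` (assumed format):
#   xz (XZ Utils) 5.4.6
#   liblzma 5.4.6
# and print "<xz-version> <liblzma-version>".
xz_versions_from_output() {
    printf '%s\n' "$1" | awk '
        /^xz \(XZ Utils\)/ { xz = $NF }
        /^liblzma/         { lib = $NF }
        END { print xz, lib }'
}

# Succeed only when both the xz tool and the liblzma library report exactly
# the expected version. An exact match is deliberate: the fix was a revert,
# so the bad build carried a newer version number than 5.4.6 and a plain
# "newer is fine" comparison would wave it through.
xz_is_reverted() {
    [ "$1" = "$EXPECTED_XZ" ] && [ "$2" = "$EXPECTED_XZ" ]
}

# Live check: query the package database where rpm exists (Fedora), fall back
# to the xz binary otherwise, then report the sshd unit state.
report_local_system() {
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -q xz --qf '%{VERSION}\n' 2>/dev/null || echo unknown)
        lib=$(rpm -q xz-libs --qf '%{VERSION}\n' 2>/dev/null || echo unknown)
    elif command -v xz >/dev/null 2>&1; then
        set -- $(xz_versions_from_output "$(xz --version)")
        pkg=$1; lib=$2
    else
        echo "xz not found on this system"; return 2
    fi
    if xz_is_reverted "$pkg" "$lib"; then
        echo "xz $pkg / liblzma $lib: matches expected $EXPECTED_XZ"
    else
        echo "xz $pkg / liblzma $lib: does NOT match $EXPECTED_XZ; apply current updates and investigate"
    fi
    if command -v systemctl >/dev/null 2>&1; then
        echo "sshd: $(systemctl is-active sshd 2>/dev/null || true)"
    fi
}

# Constructed sample output (not captured from a real machine) for checking
# the parser without touching the local system.
SAMPLE_OUTPUT='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Run the live check only when asked: sh check_xz.sh --live
case "${1-}" in --live) report_local_system ;; esac
```

Run it with `--live` on the machine you want to check; without that flag it only defines the functions, so it can be sourced from other scripts. A version that differs from the expected one in either field is reported as needing attention, which is the signal the post asks you to act on.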
null_pointer
In the digital era, acts like this are cyberterrorism. Jia Tan, if that person exists as such, should be imprisoned.
Stuart Gathman
Should Ken Thompson be thrown in jail for his backdoor in the C compiler that added a root password known only to him when compiling login.c?
In his case, he was the expert on call. One can only imagine nefarious motivations for Jia Tan, but jail is overused in Western society. E.g. in the Law of Moses, it was execution for capital crimes, or restitution for other crimes. We use prison as a substitute for execution – mainly because sometimes (way too often, in fact) the court gets it wrong and the wrong man is put to death. Prison for economic crimes is counterproductive for all involved.
So are the nefarious plans that we are imagining for Jia Tan a plot to kill people? To steal stuff? Maybe the sense of power just being able to log in to any openssh server in the world? Does that rise to the level of the death penalty? (Or its prison substitute?)
Pawel
Nobody cares about ‘law of moses’. Anyone who violates other people’s privacy must pay for it. I would start from Microsoft, Apple and NSA of course.
Stuart Gathman
Actually, by nipping this exploit in the bud, we have probably saved the life of “Jia Tan”. IMO the most likely motivation is that governments pay good money for zero day exploits on the black market. These same governments tend to “off” the vendor when they want to ensure the exploit is not sold again to another client. (Not always – the market dries up if all the exploit vendors get “offed”.)
I may be wrong, but I think bounty programs for verified exploits help mitigate the temptation of the black market. It may be less money than the black market, but your conscience doesn’t bother you, and it doesn’t result in fear of assassination by a state.
hammerhead corvette
I think as a community, we REALLY need to be more involved in the development of the tools we use. We need to support these projects with our time and donations.
Hooray for Freedom. Hooray for Open Source
Tomi
Has xz-5.4.6 been stripped of all commits from Jia Tan, or only the one triggering the backdoor that has been found?
If not, how confident are Fedora maintainers that there is no other backdoor in xz code from the +2 years of commits from Jia Tan?
Gregory Bartholomew
Many experts (including the original author of XZ himself) have thoroughly reviewed the few commits that Jia Tan submitted. It is extremely unlikely that anything nefarious remains in the code at this point.
Tomi
Thanks Gregory
W
One concern I have is that we tend to review issues like this as individual packages and repos. But, that’s not how the world works. Our computers don’t use a single package. They use hundreds of interconnected packages and libraries.
It’s entirely possible something small was done in one to weaken it, or cause a chain reaction that could be taken advantage of in another, but wouldn’t be obvious if you looked at either one.
I don’t have any solutions here, just thinking out loud, I guess.
Jean-Pierre White
This is Linux’s “Guy Fawkes” moment. Disaster was foiled at the last minute.
I wonder if we should (digitally) burn the effigy of Jia Tan every March 29th? Somehow “Remember Remember the 29th of March” doesn’t quite roll off the tongue.
Pete Bremer
Maybe this is our modern digital Ides of March, where we were all nearly stabbed in the back by a bad actor or actors.