The XZ backdoor (CVE-2024-3094, disclosed in March 2024) was one of the most serious software supply chain attacks ever caught before it did damage. The backdoor was built into XZ Utils, a compression package shipped by virtually every Linux distribution. Linux is a very popular open source operating system, used heavily in enterprise server environments. XZ Utils provides the xz compression format and the liblzma library. Most desktop users rarely call it directly (zip is more familiar and faster, although xz usually compresses tighter), but it sits underneath a great deal of infrastructure: kernel source tarballs, distribution packages and several system libraries depend on liblzma.
The link to the Secure Shell protocol (SSH, used for remote command-line access to a machine) is indirect. OpenSSH itself does not use xz compression at all. However, several major distributions (Debian, Ubuntu and Fedora among them) patch the sshd server to link against libsystemd so it can notify systemd when it has started, and libsystemd in turn links liblzma. On those systems a backdoor in liblzma is therefore loaded into the sshd process, which listens on the network of nearly every Linux server. That is why XZ Utils was chosen as the target.
The original maintainer of XZ Utils, Lasse Collin, had handed co-maintainer access to Jia Tan over the preceding two to two and a half years. Collin had said publicly that he had limited time and interest for maintaining XZ Utils and updates had slowed. Jia Tan, which as far as anyone knows is an alias, began by submitting changes that Collin reviewed and committed. Eventually Collin gave Jia Tan commit access, allowing changes to be written and pushed directly to the main codebase. For most of that time the commits Jia Tan pushed were ordinary, and in a public repository where anyone can diff every change, an obviously malicious edit to the C source would have been picked up extremely quickly. The malicious pieces that did land in the repository were disguised: the payload was hidden inside binary test files that looked like corrupt .xz samples for the test suite, and the build script that unpacks and installs it was added only to the signed release tarballs, not to the git history, so anyone auditing the repository itself saw nothing that ran it.
If nothing malicious was visible in the source, how was the backdoor found? Andres Freund, a PostgreSQL developer working at Microsoft, was testing Debian unstable (Debian is a Linux distribution, not a fork of Linux) when he noticed that sshd logins had become about half a second slower and that the sshd process was using far more processor time than normal; valgrind was also reporting errors inside liblzma. He traced the behaviour to XZ Utils 5.6.0 and 5.6.1, found the backdoor, and reported it to the oss-security list on 29 March 2024. Major distributions (Debian, Fedora, openSUSE and others) then pulled the affected builds and reverted to the 5.4 series, and the wider community started digging into how the backdoor worked.
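A first triage check an administrator would want after reading this is: does this host run one of the two backdoored releases, and does its sshd actually load liblzma? The following POSIX shell script is an added example written for this page; it is not part of the original article, nor the official detection script from the oss-security report. It assumes a Linux host with xz and ldd on the PATH and sshd at /usr/sbin/sshd (an assumption; pass another path as the first argument), and it only inspects version strings and dynamic linkage, so a clean version number is not proof that a locally rebuilt or hand-patched liblzma is clean.

```shell
#!/bin/sh
# Added example: triage helper for the XZ backdoor (CVE-2024-3094).
# Not the project's code. Assumptions: Linux, xz/ldd on PATH, sshd at /usr/sbin/sshd.

# True (exit 0) if the version string is one of the two released backdoored
# versions of XZ Utils, 5.6.0 and 5.6.1.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of the first line of `xz --version`,
# which looks like "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) if a block of `ldd` output lists liblzma. On distributions
# that patch sshd for systemd notification this shows up via libsystemd.
ldd_output_mentions_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run both checks against the live host and print a verdict. Always returns 0
# so it can be embedded in larger scripts; read the output for the result.
check_host() {
    sshd_path=${1:-/usr/sbin/sshd}   # assumed default location of sshd

    if command -v xz >/dev/null 2>&1; then
        v=$(xz_version_from_output "$(xz --version 2>/dev/null | head -n 1)")
        if xz_version_affected "$v"; then
            echo "xz $v: a backdoored release (5.6.0/5.6.1); treat this host as compromised until verified"
        else
            echo "xz ${v:-unknown}: not a backdoored release number (not proof that the binary is clean)"
        fi
    else
        echo "xz not installed; version check skipped"
    fi

    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd_output_mentions_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "$sshd_path links liblzma: a backdoored liblzma would load into sshd here"
        else
            echo "$sshd_path does not link liblzma: this sshd would not load the backdoor"
        fi
    else
        echo "$sshd_path not found or ldd unavailable; linkage check skipped"
    fi
    return 0
}

check_host "$@"
```

Run it as root or any user that can read sshd; if the first line reports 5.6.0 or 5.6.1, downgrade xz to the 5.4 series from your distribution's repositories and treat the machine as potentially compromised rather than merely patched.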
XZ Utils is built from source with GNU autotools (a CMake build also exists), and the backdoor abused the build step rather than the visible source. A modified build-to-host.m4 macro, present only in the release tarballs, caused the generated configure script to extract a shell script hidden inside one of the binary test files and run it during the build; that script patched the liblzma build so that the backdoor object code was linked into the library. A separate, earlier change by Jia Tan slipped a single stray "." into the CMake test for Linux Landlock sandboxing support. That made the check's test program fail to compile, so the build always concluded that Landlock was absent and xz's own sandbox was silently disabled.
If Freund had never noticed, anything could have happened. The backdoor did not read the traffic between client and server. Instead, once liblzma was loaded into sshd it hooked the RSA_public_decrypt function (using glibc's IFUNC mechanism inside liblzma's CRC routines) so that during public-key authentication it inspected the client's certificate. A specially crafted certificate carrying a command signed with the attacker's private Ed448 key would be executed by sshd, as root, before authentication had even completed: a remote, pre-authentication backdoor on every exposed server, usable only by whoever holds that key. The worst part of it all? We do not know who Jia Tan is, whether it was a single person or a team, or, worse, a government or state-funded entity. Read more about it here: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27