Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: fuzzylogic

I had to ask AI:

AI Overview
The XZ library hack (officially CVE-2024-3094) was a highly sophisticated supply chain attack targeting XZ Utils, a widespread data compression tool used in nearly all Linux distributions. Discovered in late March 2024, the attack involved a malicious backdoor that could have granted attackers unauthorized remote code execution (RCE) with administrative privileges across millions of servers worldwide.
Key Details of the Incident

Target: The malicious code was embedded in XZ Utils versions 5.6.0 and 5.6.1. Specifically, it compromised the liblzma library, which many systems link to for SSH (OpenSSH) support.
The Culprit: A persona named Jia Tan (JiaT75) spent over two years building trust within the open-source community. By contributing legitimate code and pressure-campaigning the original exhausted maintainer, they eventually gained “co-maintainer” status and the ability to commit malicious changes.
Discovery: The hack was accidentally discovered by Microsoft engineer Andres Freund. While testing an unstable version of Debian, he noticed a tiny performance lag—a roughly 500ms delay in SSH logins—and investigated until he found the hidden exploit.
The Exploit: The backdoor was designed to recognize a specific private key sent during an SSH login attempt. If the key matched, the code would execute commands from the attacker as root, completely bypassing standard authentication.

Why It Was So Dangerous

Sophisticated Hiding: The malicious code was not visible in the source code; it was hidden inside binary “test” files used during the build process.
Critical Impact: It received the highest possible severity score (CVSS 10.0). If it hadn’t been caught early, it would have been integrated into stable releases of major Linux distributions like Red Hat and Ubuntu, potentially compromising global internet infrastructure.
Targeted Systems: The attack primarily affected systemd-based Linux distributions (like Fedora, Debian Testing, and Kali Linux) because they patch OpenSSH to link with liblzma.

Current Status & Protection

Affected Versions: XZ Utils 5.6.0 and 5.6.1.
Action Required: Users of affected Linux distributions (mostly rolling-release or “bleeding edge” versions) should downgrade to XZ 5.4.x or upgrade to the patched version provided by their vendor.
Impacted Distributions: While the code was found in Fedora Rawhide, Debian Unstable, and some versions of Kali and Arch Linux, it did not reach stable versions of most major enterprise distributions like RHEL or Ubuntu Stable.


4 posted on 04/09/2026 7:24:23 AM PDT by Dalberg-Acton
[ Post Reply | Private Reply | To 3 | View Replies ]
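The overview above lists two things a defender can check on a host: whether the installed XZ Utils is one of the affected versions (5.6.0 or 5.6.1) and whether the sshd binary links liblzma. The script below is an added example, not code from the thread or from the XZ Utils project; the /usr/sbin/sshd path and the fallback version banner are assumptions.

```shell
#!/bin/sh
# Returns 0 (true) when the given version string is one of the two
# affected releases named in the overview, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9.]*\).*/\1/p'
}

# Does the given executable link liblzma (directly or transitively)?
# Prints "yes", "no", or "unknown" (file missing or ldd unavailable).
links_liblzma() {
    bin="$1"
    [ -x "$bin" ] || { echo unknown; return 0; }
    command -v ldd >/dev/null 2>&1 || { echo unknown; return 0; }
    if ldd "$bin" 2>/dev/null | grep -q 'liblzma'; then echo yes; else echo no; fi
}

# Combine both checks into one verdict line.
# Usage: xz_backdoor_exposure "<first line of xz --version>" /usr/sbin/sshd
xz_backdoor_exposure() {
    ver=$(xz_version_from_banner "$1")
    linked=$(links_liblzma "$2")
    if xz_version_affected "$ver" && [ "$linked" = yes ]; then
        echo "EXPOSED: xz $ver installed and $2 links liblzma; downgrade to 5.4.x or apply the vendor fix"
    elif xz_version_affected "$ver"; then
        echo "AFFECTED-VERSION: xz $ver installed (sshd liblzma linkage: $linked)"
    else
        echo "OK: xz ${ver:-unknown} is not an affected version (sshd liblzma linkage: $linked)"
    fi
}

# Run against the live host. The fallback banner is a constructed sample so
# the script still produces a verdict on a machine without xz installed.
banner=$(xz --version 2>/dev/null | head -n 1)
xz_backdoor_exposure "${banner:-xz (XZ Utils) 5.6.1}" /usr/sbin/sshd
```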


To: Dalberg-Acton

Yep...and if you know low level software, I encourage you to read about the technical details. How they accomplished the backdoor is extreme.

There are YouTube videos on it.


7 posted on 04/09/2026 7:38:09 AM PDT by fuzzylogic (welfare state = sharing of poor moral choices among everybody)
[ Post Reply | Private Reply | To 4 | View Replies ]

To: Dalberg-Acton

I have worked with Andres, and I take issue with the assertion that it was “accidentally” discovered.

It was discovered because he took the time to investigate something that smelled wrong. He did not have to do that, but he did.

If you think that there are not hundreds of other similar undiscovered exploits both in Linux and Windows I have a bridge in Brooklyn to sell you. If you pay me extra I will wrap it up into a tarball and zip it up for you.


13 posted on 04/09/2026 8:50:54 AM PDT by algore ( )
[ Post Reply | Private Reply | To 4 | View Replies ]



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson