It’s a Perfect 10! Meet The XZ Backdoor

Prof Bill Buchanan OBE FRSE
3 min read · Mar 30, 2024


We have had four highly successful spin-outs in cybersecurity, and have a new spin-out happening in the next few months — True Deploy. What’s their focus? Well, it is to make software supply chains more trustworthy, as a single backdoor in a third-party library could bring down an entire software infrastructure. More information on True Deploy is here:

It’s a Perfect 10

I love the Spinal Tap movie, and my favourite scene is where we see an amp that goes up to 11:

This makes me smile, as when Heartbleed happened, Bruce Schneier was quoted as saying, “On a scale of 1 to 10, this is an 11”. It was an obvious nod to Spinal Tap, and his viewpoint was that Heartbleed affected not only servers that could be patched but the billions of devices that could not.

And, so, the majority of our digital world is not made up of Microsoft Windows, but of Linux. It powers most of our servers and is embedded into many of our smart devices. Now a new backdoor in XZ utils has been rated at the highest possible risk rating [here]:

The backdoor

The backdoor was discovered within the release tarballs of XZ (from Version 5.6.0 onwards) and was obfuscated to avoid detection. It modifies code within the liblzma library so that it can intercept and modify data. One significant finding is that the OpenSSH daemon was affected by the backdoor, even though it did not link directly to liblzma.

As an aside on the format itself: the Python xz module can create an XZ file made up of multiple streams and blocks, and supports fast random access when reading. The standard lzma module does not support this, as a random-access read has to decompress all of the preceding blocks first. An example from here is:

>>> with xz.open('example.xz') as fin:
...     fin.read(18)
...     fin.stream_boundaries  # 2 streams
...     fin.block_boundaries   # 4 blocks in first stream, 2 blocks in second stream
...     fin.seek(1000)
...     fin.read(31)
...
b'Hello, world! \xf0\x9f\x91\x8b'
[0, 2000]
[0, 500, 1000, 1500, 2000, 3000]
1000
b'\xe2\x9c\xa8 Random access is fast! \xf0\x9f\x9a\x80'
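The standard library's lzma module is the baseline the post compares against. As an added example (not from the post, and not the xz module's own code), the following builds a two-stream .xz file in memory using only the standard library and counts how many compressed bytes a seek-then-read pulls through the decompressor. Because LZMAFile's seek is emulated by decompressing forward, the count grows with the offset rather than with the size of the block that holds it. The CountingReader and random_access helpers and the seeded payload are constructed for this illustration.

```python
import io
import lzma
import random

# Constructed input: 200,000 bytes of seeded pseudo-random data. It is incompressible, so the
# compressed size tracks the uncompressed offset (compressible text would hide the cost in a
# file small enough to be read in a single buffer fill).
PAYLOAD = random.Random(20240330).randbytes(200_000)
SPLIT = 120_000  # byte offset at which the second stream starts


def build_two_stream_xz(payload, split):
    """Concatenate two independent .xz streams, like the 2-stream file in the post's example.
    The standard library cannot place block boundaries inside a stream, so each stream is one block."""
    return lzma.compress(payload[:split]) + lzma.compress(payload[split:])


class CountingReader(io.BytesIO):
    """In-memory file that records how many compressed bytes the decompressor has pulled."""

    def __init__(self, data):
        super().__init__(data)
        self.consumed = 0

    def read(self, size=-1):
        chunk = super().read(size)
        self.consumed += len(chunk)
        return chunk

    def readinto(self, buf):
        n = super().readinto(buf)
        self.consumed += n
        return n


def random_access(compressed, offset, length):
    """Mirror the post's session: read 18 bytes, seek to `offset`, read `length` bytes.
    Returns (head, chunk, compressed bytes consumed before the seek, consumed at the end).
    LZMAFile.seek decompresses forward from the current position (or from the start for a
    backwards seek), so every byte of every preceding block passes through the decompressor."""
    raw = CountingReader(compressed)
    with lzma.LZMAFile(raw) as fin:  # LZMAFile reads concatenated streams transparently
        head = fin.read(18)
        consumed_before_seek = raw.consumed
        fin.seek(offset)
        chunk = fin.read(length)
    return head, chunk, consumed_before_seek, raw.consumed


COMPRESSED = build_two_stream_xz(PAYLOAD, SPLIT)


def demo(offset=150_000, length=31):
    """Seek into the second stream and report how much compressed input that cost."""
    head, chunk, before, after = random_access(COMPRESSED, offset, length)
    # The data comes back correct across the stream boundary...
    assert head == PAYLOAD[:18] and chunk == PAYLOAD[offset:offset + length]
    # ...but reaching offset 150,000 meant consuming at least 150,000 compressed bytes.
    return before, after, len(COMPRESSED)


if __name__ == "__main__":
    before, after, total = demo()
    print(f"compressed size {total}: consumed {before} bytes before the seek, {after} after seek+read")
```

The first figure is one buffer fill (the 18-byte read), the second is essentially the whole file up to the target. A block-indexed reader, which is what the post's xz module provides, would instead jump to the block containing offset 150,000 and decompress only from there.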

Many of the related GitHub repositories for xz have been either taken offline or disabled [here]:

Conclusions

Not much to say here. It’s a 10, so patch if you need to.
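A practitioner reading "patch if you need to" wants a quick way to tell whether a host is exposed. The following is an added example (not from the post) that parses the text printed by `xz --version` and flags the two releases that carried the backdoor, 5.6.0 and 5.6.1 (5.6.2 was the first clean release after the removal; the post only says "5.6.0 onwards"). It also parses `ldd` output for a liblzma entry, since `ldd` lists transitive dependencies and so shows the indirect link the post mentions for sshd. The sample outputs are constructed, and the `sshd_path` default is an assumption about where the daemon lives.

```python
import os
import re
import shutil
import subprocess

# Releases known to contain the backdoor.
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# `xz --version` prints one line for the tool and one for the library:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
VERSION_RE = re.compile(r"^(xz \(XZ Utils\)|liblzma)\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# `ldd` lines look like:  liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x...)
LDD_RE = re.compile(r"^\s*(liblzma\.so\S*)\s+=>\s+(\S+)", re.MULTILINE)


def parse_xz_version(output):
    """Map each reported component to a (major, minor, patch) tuple."""
    return {name: (int(a), int(b), int(c)) for name, a, b, c in VERSION_RE.findall(output)}


def affected_components(output):
    """Names of the components whose version is one of the backdoored releases."""
    versions = parse_xz_version(output)
    return sorted(name for name, ver in versions.items() if ver in AFFECTED_VERSIONS)


def liblzma_dependencies(ldd_output):
    """Return {soname: path} for every liblzma entry in `ldd` output; empty if not linked at all."""
    return dict(LDD_RE.findall(ldd_output))


def check_host(sshd_path="/usr/sbin/sshd"):
    """Run both checks on the local machine. A value of None means that step could not run."""
    result = {"affected": None, "sshd_liblzma": None}
    if shutil.which("xz"):
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        result["affected"] = affected_components(out)
    if shutil.which("ldd") and os.path.exists(sshd_path):
        out = subprocess.run(["ldd", sshd_path], capture_output=True, text=True).stdout
        result["sshd_liblzma"] = liblzma_dependencies(out)
    return result


# Constructed samples, in the shape the two tools print.
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd1b3f0000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0a2c000000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0a2bf00000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a2bc00000)\n"
)

if __name__ == "__main__":
    print("sample:", affected_components(SAMPLE_XZ_VERSION), liblzma_dependencies(SAMPLE_LDD))
    print("this host:", check_host())
```

An empty `affected` list is the result you want; a non-empty `sshd_liblzma` mapping only tells you that the library is reachable from sshd, which is expected on distributions that link libsystemd, so the version check is the one that decides.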

Prof Bill Buchanan OBE FRSE

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.