🚨 On the XZ Utils Backdoor (CVE-2024-3094): FOSS Delivered on its Pitfalls and Strengths

The newly discovered backdoor[1] in the XZ Utils package[2] affecting numerous Linux distributions[3] and assigned CVE-2024-3094[4] is being dismissed by some members of the technology and security communities as yet another supply chain attack; relevant only because of how blatant it was and that it affected the Open Source ecosystem but in essence nothing out of the ordinary. Regardless of whether this perspective is gaining traction due to cynicism, as hyperbole for clicks or as a coping mechanism, I vehemently disagree with that stance.

Original report by Andres Freund on the Openwall oss-Security mailing list [1]

Furthermore, the fact it was possible for this to occur is being used in online conversations to highlight the weaknesses of Free and Open Source Software(FOSS), but, and although that is very much necessary and intellectually honest, we also ought to highlight how the transparency inherent to FOSS made the discovery even possible in the first place.

Discussion

This article was discussed on Reddit and Tildes.net. Feel free to let me know in case I ought to include any other conversations related to this publication.

Unlike previous Supply Chain Attacks

This particular instance is novel in that it provides clear, undeniable proof to skeptics that there is, and there will always be, on-going concerted efforts to undermine the software as well as communities we patiently build, enjoy, and rely on; on a big, pervasive scale and not a hyper-targeted, STUXNET-like[5] scale. Furthermore, it offers a public and loud revindication to those who have long believed utmost paranoia in Free and Open Source Software has always been warranted.

This is an observation those of us who see software, and FOSS in particular, as an enabling and empowering force ought always to remember, relentlessly broadcast and uncompromisingly discuss at length. Once again, power players, whereas state actors or inescrupulous technologists-for-pay, have turned up the heat on the proverbial frog, this time, and who knows how often before, being bolder and more ambitious.

As to what can be learned from the events that have unfolded over the past two years since Jia Tan started their involvolvement with the XZ project, those conversations are still unfolding and will be for quite a while. There is, however, a crucial remark I’d like to make: this situation should not be equated with Heartbleed[6], the SolarWinds’ compromise (SUNBURST and SUPERNOVA[7]), nor the behavior of Leftpad’s disgruntled maintainer[8]; all those are tangentially related but not equivalent as is often being portrayed.

Heartbleed was a bug which, according to some, could have been introduced by malice, but there was never definitive proof it was a deliberate attempt at attacking the backbone of our present-day internet. SolarWinds’s compromise was a run-of-the-mill supply chain attack which, albeit well-planed and executed, was shrouded in secrecy due to its considerable blast radius both in governmental and corporate circles and therefore was not fully transparent to the public. leftpad led us to question and consider dependency-creep and single maintainers as additional risks for FOSS communities and software which ought to be dependable. The liblzma situation, however, is very particular in that it occurred out in the open for everyone to see and highlights what became apparent with leftpad at the time: the community is FOSS’ greatest weakness and at the same time its greatest source of strength.

Fundamentally, CVE-2024-3094 constitutes a breach of trust and is in essence the result of a simple but effective and long-running social engineering attack.

Communities are Central to FOSS

CVE-2024-3094, as the XZ Utils liblzma backdoor has been numbered, should make us all scrutinize the community, culture and incentive aspects of FOSS and consider how those are inextricably linked to the security of code produced under its flag. Moreover, it also serves as a stark reminder to everyone, whether tech-literate or not, that malicious actors are after the very infrastructure that powers the private and public spheres of our lives, even when, as some like to believe, “there’s nothing to hide”.

Engineering Culture

Debian Stable[9][10] and projects with a similar approach to progress as well as community-building are showing how, under certain circumstances, moving slowly is not a bug but a feature. Common attacks and retorts such as “their community is anachronistic and their software generally old, slow-evolving, lacking features and only security fixes are eventually backported” should become, I hope, increasingly irrelevant going forward or at least face greater resistance.

Similarly, for long-time opponents of “move fast, break things” and similar attitudes, this particular event should make their position much more palatable to management and customers throughout the tech industry. At least, this will help make the risks associated with adopting a velocity-first and robustness-second mindset more material.

Dangers and Opportunities exclusive to FOSS

Finally, although this might be indeed a FOSS-exclusive or FOSS-adjacent kind of risk that ultimately materialized, as some would like to call it, it’s nevertheless also an issue where checks and balances that are only intrinsically possible in FOSS worked as expected and needed. Yes, there was an element of luck in the discovery of CVE-20240-3094, but it is undeniable source code availability and other FOSS customs tipped the scale in the community’s favor. The community aspect of FOSS led to the risk materializing, the community aspect of FOSS led to its discovery and the community aspect of FOSS will lead its resolution and dealing with the aftermath.

TL;DR:

The XY Utils incident should help us shift the Overton Window[11] with regard to healthy FOSS communities as well as what those, we, should deem sustainable engineering practices; hopefully ones less focused on individual sacrifice and project velocity in favor of soft and hard pre-requisites for software dependability. I am convinced this is a conversation we must keep alive and that there’s much to be gained if we engage in and drive conversations surrounding the security of Free and Open Source Software, its approach to community-building and symbiotic relationships with corporations.

Final Words

I hope this brief reflection offers some food for thought and, as always, don’t hesitate to share your feedback with me via social media or email.

Footnotes

[1] (1,2)

https://www.openwall.com/lists/oss-security/2024/03/29/4

[2]

tukaani-project/xz

[3]

https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

[4]

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

[5]

https://en.wikipedia.org/wiki/Stuxnet

[6]

https://en.wikipedia.org/wiki/Heartbleed

[7]

https://en.wikipedia.org/wiki/SolarWinds#SUNBURST

[8]

https://www.theregister.com/2016/03/23/npm_left_pad_chaos/

[9]

https://lists.debian.org/debian-security-announce/2024/msg00057.html

[10]

https://security-tracker.debian.org/tracker/CVE-2024-3094

[11]

https://en.wikipedia.org/wiki/Overton_window

🌱 Main Information Sources and Entertainment   ✍️ Interesting Blogs