April 3, 2024 at 07:12AM
An XZ Utils backdoor, reminiscent of a 2020 attempt against F-Droid, highlights the trend of targeting open source software. Jia Tan, posing as a legitimate developer, embedded a backdoor enabling remote code execution on Linux systems. Lasse Collin's investigation is expected to yield more details, and experts predict further supply chain attacks on open source software.
The recent discovery of the XZ Utils backdoor reminded a developer from the F-Droid open source Android app repository of a similar incident from a few years ago. The backdoor in liblzma (part of the XZ Utils data compression library), discovered by PostgreSQL maintainer Andres Freund, enabled remote code execution on vulnerable Linux systems and is tracked as CVE-2024-3094.
Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, in which someone attempted to introduce a SQL injection vulnerability. Although some claimed it may have been an honest mistake, Steiner disagrees and believes it could have been a deliberate attempt to insert the vulnerability.
The investigation into the XZ Utils incident revealed that the backdoor was added by an individual using the name Jia Tan, with indications that fake accounts were created to pressure the main developer, Lasse Collin, into merging patches. Jia Tan's earlier contributions and subsequent modifications were likely preparation for the backdoor, which was added in February 2024.
Dan Lorenc, a software supply chain security expert and CEO of Chainguard, warned that long-term open source software supply chain attacks by government hacking teams are likely.
This incident raises concerns about the security of open source software and the potential for similar supply chain attacks in the future. Collin will continue to monitor developments and share details of the investigation in the coming days.