VSHN.timer #223: An Exozodiacal Threat

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

This week we’re going to talk about CVE-2024-3094, the unprecedented computer security scare of the decade that was discovered thanks to the curiosity and grit of a PostgreSQL engineer.

1. Andres Freund, a software engineer working for Microsoft on the PostgreSQL project (and who has now become an unsuspecting hero in computer-literati circles), reported the discovery of compromised tarballs in the xz repository on March 29th, 2024, a date which, paraphrasing Franklin D. Roosevelt, will live in infamy.

https://www.openwall.com/lists/oss-security/2024/03/29/4

2. Over a period of over two years, an attacker using the name “Jia Tan” worked as a diligent, effective contributor to the xz compression library, eventually being granted commit access and maintainership. Using that access, they installed a very subtle, carefully hidden backdoor into liblzma. The attack appears to be the first serious (known) supply chain attack on widely used open source software. It marks a watershed moment in open source supply chain security, for better or worse. This timeline provides a complete history of the attack in chronological order.

https://research.swtch.com/xz-timeline

3. Who is “Jia Tan”? The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code. Andy Greenberg and Matt Burgess lead the investigation in this Wired article.

https://www.wired.com/story/jia-tan-xz-backdoor/

4. The timing of the attack was carefully selected; among the affected Linux distributions, two of them (and, needless to say, among the most popular!) had scheduled major releases later this month: Fedora 40 and Ubuntu 24.04 LTS. Both Red Hat and Canonical have issued corresponding notifications to their users, and it is strongly recommended to stop using the preview versions of both operating systems until further notice.

https://linuxiac.com/ubuntu-24-04-lts-beta-release-postponed-due-to-security-concerns/

5. The VSHN.timer project of the week is amlweems/xzbot, featuring an exploration of the xz backdoor including: a honeypot; an ed448 patch to use our own ED448 public key; the explanation of the backdoor format; and a backdoor demo.

https://github.com/amlweems/xzbot

Were you affected in any way by this backdoor? Are you assessing the risks brought by your platforms’ software supply chains? Would you like to share some security tips and tricks with our readers? Get in touch with us, and see you next week for another edition of VSHN.timer.

As a personal note, I’d like to announce this will be the last VSHN.timer with my signature, and for that reason I wanted to thank you for your support, fidelity, and kind words during all these years. It was my privilege to keep you updated on all things Cloud Native and Kubernetes every week. All the best and see you around! 🙂

PS: check out our previous VSHN.timer editions about security: #8, #17, #22, #27, #32, #44, #54, #62, #76, #84, #93, #106, #117, #128, #142, #145, #164, #169, #182, and #203.

PS²: do you prefer reading VSHN.timer in your favorite RSS reader? Subscribe to this feed.

PS³: would you like to receive VSHN.timer every Monday in your inbox? Sign up for our weekly VSHN.timer newsletter.