Unpacking the XZ Backdoor: A Stealthy Linux Security Threat

Picture of Alexander Kyumurkov
Alexander Kyumurkov
DevOps and Cloud Engineer
Reading time: 3 mins.
Last Updated: 26.04.2024

Table of Contents

In late February, the cybersecurity world uncovered a highly sophisticated attempt to compromise Linux systems by exploiting vulnerabilities in open-source software. Unlike typical attacks that seek out security flaws or leverage misconfigurations, this one targeted ssh, a core component commonly used to manage Linux servers. The threat involved a strategic manipulation of the free and open-source software (FOSS) ecosystem, which offers “freedom” and “free of charge” benefits, to facilitate the attack.

The genesis of the attack traces back to 2021 when a user named Jia Tan, under the GitHub account JiaT75, began contributing to a widely used but seemingly innocuous compression library, liblzma. Over time, Jia Tan gained the trust of Lasse Collins, the original developer who had been single-handedly maintaining the xz project since its inception between 2005 and 2008. As the project’s responsibilities became more, equivalent to an unpaid second job, Tan leveraged this trust to elevate his privileges in the repository.

In parallel, alleged sock-puppet accounts associated with Jia Tan bombarded Collins with demands and criticisms, leading to a significant decline in Collins’ mental health. This calculated psychological pressure ultimately coerced Collins into relinquishing control of the repository to Tan, marking the first critical step in the backdoor implementation.

With control of the xz utils repository, the attackers exploited the “free as freedom” aspect of FOSS to introduce malicious code into the project. This part of the operation showcased the attackers’ cunning, as they injected the backdoor into a location controlled by security experts and automated tools. However, vulnerabilities in small, single-maintainer FOSS projects often go unnoticed despite their widespread use in commercial applications.

The infection chain was elaborate and designed to remain hidden. It involved code obfuscation and modifying build scripts to include compromised objects while simultaneously adding these to the .gitignore file, preventing them from being easily detected. Notably, the attackers manipulated the CMakeLists.txt file to sabotage the sandbox check, disabling crucial security mechanisms.

When a system compiled the infected liblzma, the library was loaded into the sshd daemon. It then intercepted specific ssh connections using a pre-configured public ssh key, enabling remote code execution—a severe security breach with a risk level of 10/10.

The backdoor was discovered somewhat fortuitously by Andres Freund, a Microsoft Postgres developer, who was investigating abnormally slow SSH connections. This incident underscores the critical importance of robust security practices, such as implementing IDS or IPS systems to monitor and block suspicious inbound traffic.

To determine if your system has been compromised by the XZ backdoor, you can use the following commands:

  • Check for the infected library version:


    strings $(which xz) | grep '5\.6\.[01]'
    • Verify if OpenSSH loads the liblzma library:


    lsof -p $(ps -aux | grep 'sshd' | grep 'listener' | awk '{print $2}') | grep '\.so' | grep 'liblzma'

    If these checks confirm the presence of the compromised versions, immediate action is necessary to secure your systems.

    For more detailed insights and methodologies of this backdoor exploit, please refer to Thomas Roccia’s infographic.

    The XZ backdoor episode is a stark reminder of the vulnerabilities inherent in the open-source ecosystem and the need for vigilant, multi-layered security approaches. By staying informed and proactive, developers and administrators can better protect their systems against such insidious threats.

      Leave a Reply

      Your email address will not be published. Required fields are marked *

      More Posts

      This guide will walk you through deploying multiple AWS Lambda functions using Pulumi, an infrastructure as code tool that allows you to define and manage cloud resources using familiar programming...
      Day 3 of Kubecon Day 3 of KubeCon + CloudNativeCon in Paris was a spring of fresh ideas, sustainability discussions, and ever-evolving cloud-native technologies. Here’s a deep dive into the...
      Get In Touch
      ITGix provides you with expert consultancy and tailored DevOps services to accelerate your business growth.
      Newsletter for
      Tech Experts
      Join 12,000+ business leaders and engineers who receive blogs, e-Books, and case studies on emerging technology.