What we know about the xz Utils backdoor that almost infected the world
Discovery and Exploit Mechanics
- The backdoor was found incidentally via odd Valgrind behavior and performance regressions in SSH; people note this was largely luck, not systematic review.
- Backdoor path: xz → liblzma → libsystemd (or other consumers) → sshd, via dynamic linking and glibc IFUNC plus audit hooks to hijack RSA-related calls.
- The malicious payload was hidden in test artifacts and build scripts, triggered only in .deb/.rpm build environments and when loaded into sshd at runtime, with checks to evade debugging and non-“natural” starts.
- Clarification that OpenSSH itself doesn’t use xz directly; distro-specific patches and transitive dependencies enabled the attack path.
Attribution and Attacker Profile
- Heavy debate whether the attacker was a lone, highly motivated individual versus a state-backed or contracted team.
- Some participants analyze commit timestamps and time zones, suggesting deliberate obfuscation and day-job-like work patterns, but attribution remains explicitly “unclear.”
- Many note multiple plausible states or non-state groups; others warn against over-focusing on any nationality without evidence.
Maintainer Handoff and Social Engineering
- The original xz maintainer was overworked and unwell; a new contributor gradually gained trust, took on more work, and effectively became de facto maintainer.
- Discussion highlights gaslighting‑style pressure, “helper” rhetoric, and long-term relationship building as part of a coordinated social attack.
- Several argue that knowing someone personally or via calls is not a reliable safeguard, though others think in‑person or video presence raises the bar.
Impact and Distribution Scope
- Backdoored versions shipped for weeks in some rolling-release distros (e.g., Arch-derived, Gentoo, openSUSE Tumbleweed), but payload logic only targeted deb/rpm-style builds; many believe it never reached the widest “enterprise” deployments.
- Some worry the real objectives may already have been met, especially on developer or security-focused distros; others think exposing it now massively increases scrutiny and deterrence.
Supply Chain and Tooling Lessons
- Strong criticism of autotools and giant generated
configurescripts: opaque, hard to review, and ideal hiding places for malicious logic. - Suggestions:
- Stop shipping source tarballs that differ from VCS; or at least verify tarballs are reproducible from git.
- Commit all compiler inputs, or enforce that generated artifacts are reproducible and checked in CI.
- Test build scripts themselves and treat unusual Valgrind/ASan/CI failures as potential red flags.
Dependencies, Systemd, and Attack Surface
- Repeated concern that libsystemd (and similar “kitchen sink” libs) are large, complex, and pulled in transitively for small features like startup notification.
- Some argue systemd is unfairly scapegoated; alternatives (libc, libnss, SELinux, other ubiquitous libs) could have been abused similarly.
- Ideas floated: dlopen compressors to narrow when libraries are loaded; minimize base OS and push more into containers; reduce unnecessary dependencies and avoid “one big library for everything.”
Open Source Model, Funding, and Governance
- Diverging interpretations:
- One camp says this demonstrates open source works because the bug was ultimately found and analyzed quickly.
- Another calls it a “massive failure” of the OSS model, especially around trust, single‑maintainer projects, and social attack resistance.
- Broad agreement that critical libraries with huge installation bases should not be maintained by an underfunded individual; calls for sustained funding and institutional support.
- Debate over whether governments or large companies will respond by:
- Investing more in OSS maintenance and audits, versus
- Retreating into proprietary software and “security theater” vendors.
- Some propose formal vetting or “KYB/KYC‑like” practices for core maintainers, others argue this is impractical, biased, and shifts blame from downstream users who choose dependencies.
Future Defenses and Open Questions
- Proposed improvements include: formal verification for core components, deterministic and signed builds, better static analysis, LLM‑assisted review, richer dependency graphs, and stricter separation of test resources from production code.
- Network-layer mitigations (e.g., IP whitelisting, port knocking) are noted as effective in limiting exploitability of an sshd backdoor, though framed as only one defense layer.
- Many expect more similar backdoors to be uncovered as projects re‑audit history; some speculate successful past attacks may already have been quietly “cleaned up.”