• Malicious code found in the open source software XZ Utils revealed a years-long compromise effort aimed at gaining remote administrator access to Linux systems. Had it succeeded, the operation could have resulted in an unprecedented open source supply chain attack; it was averted by a software engineer's chance discovery.
  • The incident sheds light on the culture of trust and volunteering which underpins open source ecosystems and makes them vulnerable to social engineering: the backdoor was inserted by a threat actor who, over a period of several years, earned enough trust to be allowed to sign off on the releases that introduced the malicious code.
  • An imminent shift to strict software liability in the EU, as well as proposed reforms in the US and UK to better protect consumers, reminds organisations of the need to conduct thorough cyber due diligence when deploying software products particularly in relation to open source software elements.

Background

Over the Easter weekend it was reported that a data compression library called XZ Utils contained a sophisticated backdoor (tracked as CVE-2024-3094) which enabled remote code execution. XZ Utils provides the xz command and the liblzma library used to compress and decompress large files, making them easier to store and transfer. The open source software is shipped as part of most Linux distributions, and liblzma is linked, directly or indirectly, into many other programs.

Although the backdoored releases do not appear to have been widely deployed at the point of discovery (they had mostly reached testing and rolling-release distributions rather than stable enterprise releases), initial analysis suggests that, had the malicious code not been identified, its deployment could have had an unprecedented, high-scale impact on supply chains. Cyber security reports suggest that the backdoor could have enabled a threat actor holding the matching private key to bypass authentication in the OpenSSH server (sshd) and gain full administrator access to hundreds of millions of affected systems.

Rated 10 out of 10 on the CVSS severity scale, the XZ Utils backdoor is likely the most critical vulnerability since Log4j (Log4Shell, disclosed in late 2021), which was widely described as one of the biggest vulnerabilities ever identified and remained a significant target for cyber attacks throughout 2023. The Irish National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) both issued urgent alerts advising impacted organisations to downgrade from the affected releases (XZ Utils 5.6.0 and 5.6.1) to an uncompromised earlier version. The UK NCSC does not appear to have made a statement yet. Given the subtle and sophisticated nature of the backdoor and the level of planning involved, it is speculated that the operation may have been conducted by state-sponsored actors, though this remains unconfirmed.
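The practical first step the alerts call for is to establish which XZ Utils release a host is running and whether its SSH server loads liblzma at all. The script below is an added example written for this article, not code from the advisories or from the XZ Utils project. It works from the text that `xz --version` and `ldd` print, so the helper functions can be exercised offline against the constructed sample outputs embedded in it; the function names (`xz_status`, `xz_version_from_output`, `sshd_loads_liblzma`, `check_host`) and the `XZ_CHECK_LIVE` switch are names chosen here, not part of any tool. The only facts it relies on are that the compromised releases are 5.6.0 and 5.6.1.

```shell
#!/bin/sh
# Added example (not from the advisory or the XZ Utils project): classify an
# installed XZ Utils / liblzma build against the compromised releases behind
# CVE-2024-3094, and check whether the SSH server on this host loads liblzma.
# The two compromised releases are 5.6.0 and 5.6.1; reverting to an earlier
# release is what the CISA alert advised.

# xz_status VERSION -> prints "backdoored" for the two compromised releases,
# "not-affected" for anything else (other versions may have unrelated issues).
xz_status() {
    case "$1" in
        5.6.0|5.6.1) printf 'backdoored\n' ;;
        *)           printf 'not-affected\n' ;;
    esac
}

# xz_version_from_output OUTPUT -> extracts the version number from the text
# that `xz --version` prints (its first line reads like "xz (XZ Utils) 5.6.1").
# Taking the text as an argument lets the function be exercised offline.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# sshd_loads_liblzma LDD_OUTPUT -> exit 0 if the shared-library listing for sshd
# (output of `ldd`) mentions liblzma. On Debian- and Fedora-derived systems sshd
# does not link liblzma itself; it arrives via libsystemd, which is the path the
# backdoor relied on. ldd resolves dependencies transitively, so it shows that.
sshd_loads_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample outputs (addresses invented) so the functions above can be
# run without xz, sshd or ldd present.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_OUTPUT='	linux-vdso.so.1 (0x00007ffd0b1f3000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a1c600000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a1c5c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1c200000)'

# check_host -> runs the live checks on this machine and prints a one-line verdict.
# Only invoked when XZ_CHECK_LIVE=1, so sourcing this file has no side effects.
check_host() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    [ -n "$ver" ] || { echo "xz not found on PATH"; return 2; }
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && sshd_loads_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        exposure="sshd loads liblzma"
    else
        exposure="sshd does not load liblzma"
    fi
    echo "xz $ver: $(xz_status "$ver"); $exposure"
}

if [ "${XZ_CHECK_LIVE:-0}" = 1 ]; then
    check_host
fi
```

Run it as `XZ_CHECK_LIVE=1 sh xz-check.sh` on each host. The version reported by the xz binary should also be cross-checked against the package manager (`dpkg -l xz-utils liblzma5` on Debian-derived systems, `rpm -q xz xz-libs` on Fedora-derived ones), because the library sshd actually loads is the packaged liblzma, not necessarily the one first on PATH. A "not-affected" verdict covers only this backdoor; it says nothing about whether the rest of the host is patched.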

Concerns over misuse of open source software's crowdsourced approach

Open source software is used across the software ecosystem, so security issues in it can have a global impact. When a programmer unpublished "left-pad", an eleven-line open source package, in 2016, it briefly broke builds across the JavaScript (npm) ecosystem, including for many large websites.

XZ Utils and the Linux distributions that include it are examples of open source software that anyone can develop, re-purpose and maintain, although key pieces of popular software do have a process for appointing maintainers. In what is believed to have been a concerted social engineering effort, the project's sole maintainer was apparently targeted by several (possibly fake) accounts complaining of bugs and slow development. He was pressured to share control of the project and eventually granted commit access and co-maintainership to a contributor using the name Jia Tan (GitHub account JiaT75). The failed operation underlines the persistence of threat actors and the lengths to which they go to conceal their actions: JiaT75 ostensibly worked as a conscientious and effective contributor for more than two years to build up credibility before being granted the rights needed to ship the backdoor, which was hidden in binary test files and in a build script that was present only in the official release tarballs, not in the public source repository. On the other hand, the attack also highlights the benefit of open source software. Because the code and its behaviour are open to inspection, anyone can identify and warn of vulnerabilities, as the German software engineer who discovered the backdoor did: he noticed that SSH logins on a test machine were unusually slow and that liblzma was consuming an abnormal amount of processing power, and traced the cause. The incident highlights the much-repeated need for vigilance when using open source software and the need to be mindful of the human element, which threat actors often exploit.

The challenge of software liability and the importance of cyber due diligence

The XZ Utils attack comes amid debates about software liability in the US and the EU. Neither jurisdiction imposes strict liability for software security, and historically security obligations were mostly to be found in contracts between software suppliers and their customers, unless the sector in question was covered by a specific regulatory regime.

However, the US government's National Cybersecurity Strategy calls for shifting liability for insecure software and advocates for a punitive approach for those who fail to take "reasonable precautions". Whilst it is not yet clear whether the proposed shift would entail a substantial change in liability law, the strategy's focus nevertheless indicates that strict liability is being discussed.

In the EU, a proposed new Product Liability Directive sparked debate by including certain "software" (e.g. operating systems, firmware and computer programs) in its scope. Whilst free open source software seems to have been excluded from the directive, if elements of open source software such as XZ Utils are incorporated into in-scope "software", the directive's proposed strict liability regime would apply to the resulting product. The directive is targeted to enter into force in 2024, with software producers having to comply from 2026. Though the directive would not apply in the UK, the UK Government has recently announced that it would review the General Product Safety Regulations and held a consultation which closed in October 2023. It is not yet clear to what extent any new proposals would extend to software.

The XZ Utils attack serves as a timely reminder of the need for organisations to conduct thorough cyber due diligence across their systems and software, and to consider supply chain risk. Staying abreast of important software updates, vulnerability warnings and patching policies has never been more important given the interlinked nature of the software ecosystem; that starts with knowing which open source components, and which versions of them, are present in the software an organisation builds and deploys.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.