Noë Flatreaud

[EN] My thoughts on the xz backdoor

On March 29th, 2024, Microsoft engineer Andres Freund discovered a backdoor in the XZ compression tool used in Linux distributions. The backdoor was allegedly added by a developer known online as Jia Tan over the course of two years, with contributions arriving at regular weekly intervals, as if it were a 9-to-5 job. Jia Tan had also urged developers to ship the compromised XZ feature in newer versions of Fedora.

The backdoor allows unauthorized access to systems running the affected software, potentially giving attackers full control over the compromised system. It was added to the XZ Utils codebase in version 5.6.0 and was present in subsequent versions until it was discovered and patched.

The payload works by modifying the SSH authentication process, allowing an attacker to bypass the normal authentication methods and gain root access to the system when a specific, hardcoded RSA key is presented.

This incident is unfortunate but predictable, given the state of open-source software maintenance. Many open-source projects are poorly maintained, with developers working on them in their spare time without any financial support. This lack of resources and attention makes it easier for bad actors to infiltrate and introduce malicious code.

While open-source software has many benefits, such as transparency and community involvement, it also requires serious investment and maintenance to ensure its security and reliability. It's crucial that the community and even countries provide funding for open-source projects without any engagement or strings attached. This will allow developers to focus on maintaining and improving the software without worrying about financial constraints.

In the case of the XZ Utils backdoor, it's fortunate that Andres Freund discovered it before it could cause significant damage. However, this incident should serve as a wake-up call for the open-source community to prioritize maintenance and security.

#cybersecurity #infosec #linux #xz