
Supply chain attack against open source?


Supply chain attack of the year already? Is the open-source process vulnerable to state-sponsored subversion?


It's been all over the news already: a backdoor was planted in an open-source project called xz, a compression library widely used across the Linux ecosystem, one on which OpenSSH depends (see more on the HelpNetSecurity blog and the JFrog blog).


Specifically, the backdoor targets the SSH process, potentially allowing remote code execution on countless publicly exposed servers worldwide.


Source code repository compromise is not a new tactic, but this one stands out for several reasons:


  • Only owners of a specific private key could execute code on backdoored servers: the backdoor does not allow indiscriminate exploitation by the public, as is the case when typical zero-day bugs are discovered. This is an authenticated backdoor for exclusive use by a specific threat actor only!

  • The attackers have been working for more than 2 years to infiltrate the project and get the necessary trust and privileges from the existing maintainer, slowly taking over the repository and setting up the prerequisites. A long-term and determined effort!

  • The incident reveals how fragile the open-source process is, and how easy it is to subvert it. The backdoored binaries made it to several Linux distribution providers (although mostly test/experimental ones), including Fedora, Debian, Kali, and others. Leading and stable distributions such as Red Hat Enterprise Linux were not affected, but one wonders what would have happened had the backdoor been discovered at a later stage (it was discovered by chance by a PostgreSQL developer working at Microsoft).

  • One of the key arguments for open source is that it promises more secure development through more prying eyes and transparency. However, the incident reveals it is possible to hide malicious intent in plain sight, even when software is developed on public open-source repositories.

  • The good news is that the open-source process and availability of the backdoor now allow the community to learn from the techniques used to obfuscate the whole process, including hiding malicious code in tarballs and binaries, avoiding the Git repository, etc. That should inform all Linux vendors and providers.
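As an added example (not part of the original post or the xz project), the check that last point implies for Linux vendors: diff a release tarball against the archive generated from the Git tag, and report files that exist only in the tarball or whose contents differ from the repository copy. The project name, file names and contents below are constructed sample data.

```python
"""Diff a release tarball against the archive produced from the Git tag.
Files only in the tarball, or differing from the repository copy, are the
places a tarball-only modification (as in the xz case) would show up, so a
packaging pipeline can flag them for review before building."""
import hashlib
import io
import tarfile


def _digests(tar_bytes: bytes) -> dict:
    """Map each regular file (leading 'project-x.y/' dir stripped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                path = m.name.split("/", 1)[-1]
                out[path] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out


def compare_release(git_archive: bytes, release_tarball: bytes) -> dict:
    """Return paths present only in the tarball and paths whose contents differ."""
    repo, rel = _digests(git_archive), _digests(release_tarball)
    return {
        "tarball_only": sorted(set(rel) - set(repo)),
        "modified": sorted(p for p in rel if p in repo and rel[p] != repo[p]),
    }


def make_tar(prefix: str, files: dict) -> bytes:
    """Build an in-memory tar.gz; used here only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: clean repository contents vs. a tampered release tarball.
REPO_FILES = {"configure.ac": b"AC_INIT([demo], [1.0])\n", "m4/helper.m4": b"dnl clean\n"}
RELEASE_FILES = dict(REPO_FILES)
RELEASE_FILES["m4/helper.m4"] = b"dnl clean\ndnl extra build-time logic\n"  # altered copy
RELEASE_FILES["m4/build-extra.m4"] = b"dnl present only in the tarball\n"  # injected file
GIT_ARCHIVE = make_tar("demo-1.0", REPO_FILES)
RELEASE_TARBALL = make_tar("demo-1.0", RELEASE_FILES)

if __name__ == "__main__":
    print(compare_release(GIT_ARCHIVE, RELEASE_TARBALL))
```

In practice the first argument comes from `git archive <tag>` and the second from the published release tarball; generated files such as `configure` will legitimately appear as tarball-only and need an allowlist, which is what makes an unexpected entry stand out.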


Finally, it is entirely probable that open-source projects are infiltrated by fake personas on a massive scale, introducing deliberate bugs or backdoors into key libraries. It is almost certain this is not an isolated incident. After all, compromising public code repositories is cheap, can be done remotely, and can be done anonymously. Many stakeholders can and will attempt it, as the bar to do it is placed so low. It is a lesson that the open-source community and especially the Linux distribution providers should heed.

