The Threat from Open-Source Software
Background
On March 29, 2024, a Microsoft developer noticed something wrong with his Debian system using XZ Utils. XZ Utils is a compression algorithm that is used extensively on Linux systems, especially some of the most ubiquitous systems such as Debian and Red Hat.
According to reports, the GitHub user account behind the backdoor was initially created in 2021, and the user subsequently began offering to help maintain and make changes to XZ Utils. The user's efforts were then joined by a second user on GitHub, who began posting messages to the maintainer of the package pressing for faster changes to the repositories. The long-time maintainer of the project then began to be bombarded with messages from the two new users to update the software faster. The messages apparently were part of an effort to get the maintainer to give the two users a bigger part in the project, with more access and responsibilities.
Eventually the maintainer allowed the two users to become a larger part of the process. The users, however, did not intend simply to update or maintain the package; they intended to hijack it and inject code that would eventually open a backdoor on every affected Linux system. The code was woven into the makefile, which would use a series of complicated substitutions to create its own decryption key of sorts. The developer who discovered the issue published a graphic explaining the process[1].
Legal Implications
The GitHub changes to XZ Utils may be the most significant supply chain compromise since SolarWinds. Had the Microsoft developer not noticed the irregularity of the SSH processes on his system, the backdoor was months away from being incorporated into many Linux systems, and could have been widely distributed and perhaps even had a bigger impact than SolarWinds. Many of the largest, most used Linux distros were affected, including Fedora, Debian, Kali, OpenSUSE, Arch Linux, and Alpine.
The supply-chain compromise is yet another reminder of the threats and vulnerabilities organizations face when allowing or incorporating open-source software onto systems. Hiring contractors or developers for custom applications increases the risk. AI-generated code may also increase the risk that an open-source software package is incorporated without a complete review of the code or a thorough understanding of the implications of the code’s use.
When using open-source software either directly or through a third-party solution:
- Review all contracts or agreements in which a platform, software, or API may use or be dependent on open-source software. The requirements to manage and maintain the software, including software changes, updates, patches, commits, and alerts, should be clearly delineated, as should be the liability for the failure to do the same.
- Platforms, software, and APIs should not be incorporated into a system without plenty of testing, time for questions, and a full understanding as to what the system will have access to in terms of confidential company data or personally identifiable data.
- Risk assessments should identify open-source software and open-source dependencies in the production environment.
In an online economy where all parties rely on a series of interconnected devices, systems, networks, and platforms, supply chain compromises are much more likely. This underscores that we are all responsible for monitoring and maintaining our cybersecurity profiles.
[1] https://twitter.com/fr0gger_/status/1774342248437813525