After a Microsoft software engineer noticed a backdoor in XZ Utils, an open-source set of data-compression tools widely used across Linux, the world was only a couple of weeks away from a major supply chain attack.
XZ Utils is a set of free software command-line lossless data compressors, including the programs lzma and xz. It is available on almost all installations of Linux and other Unix-like operating systems.
In response, Linux OS providers Red Hat and Debian have issued security advisories warning users about the threat.
Scott Caveza, Staff Research Engineer at NASDAQ-listed Tenable, has reflected on the incident.
Digital Journal: What is XZ Utils and what is the library used for?
Scott Caveza: XZ is a type of lossless data compression on Unix-like operating systems, which is often compared to other common data compression formats such as gzip and bzip2. XZ Utils is a command-line tool that contains functionality for both compression and decompression of XZ files, and liblzma, a zlib-like API used for data compression that also supports the legacy .lzma format.
DJ: What is the broad takeaway from the incident for enterprise organizations?
Caveza: Building and maintaining a software and hardware inventory, as well as an SBOM, and understanding the dependencies of your applications, including open-source software, will continue to be imperative to understanding your business risk. Supply chain attacks are likely to continue as attackers look for new and innovative ways to breach organizations.
DJ: Hypothetically, what would have happened if the backdoor had remained undetected for longer?
Caveza: Had this gone undetected for an extended period of time, the impact could have been much greater, with a large swath of machines potentially impacted. It was fortunate that the malicious code was limited to unstable or beta releases in most cases. Had this malicious code been introduced to stable OS releases in multiple Linux distributions, we could have seen in-the-wild exploitation en masse. The longer this went unnoticed, the greater the potential for more malicious code from whoever this malicious actor might be.
This incident highlights an interesting case where building from source would have saved an organization from being vulnerable to the backdoor.