=================
== synhack.org ==
=================

An early warning of the XZ Compromise?

OpenBSD Cybersecurity XZ Supply-chain

Theo de Raadt, founder and main developer of OpenBSD, a UNIX-like operating system with a strong focus on security, gave a talk titled “pledge() a new mitigation technique” at the Hackfest conference in Quebec City in 2015.

The presentation covers the security benefits of the newly introduced system call, pledge. In short, “pledging” a program means it promises in advance which system calls it will make; if it then attempts any undeclared system call, the kernel terminates it. This reduces the attack surface of programs and mitigates exploit attempts.
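To make the mechanism concrete, here is an added C example (my own illustration, not code from the post, from the talk, or from OpenBSD's xz port) of how a compressor-style filter is typically pledged: every file it needs is opened first, then the promises are narrowed to "stdio" before a single untrusted byte is parsed. The stage function names and the stub for non-OpenBSD systems are my own assumptions; on OpenBSD the real pledge(2) is used.

```c
/* Added illustration, not code from the post or from OpenBSD's xz port. It
 * shows the pattern the ports tree applies to compressors: open every file
 * first, then pledge(2) down to "stdio" before parsing untrusted input, so a
 * memory bug in the decoder cannot reach any other system call. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <err.h>

#ifndef __OpenBSD__
/* Stand-in so the file builds on non-OpenBSD systems; it enforces nothing. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
#endif

/* Stage 1: files not yet open, so keep read/write/create of paths. */
int pledge_setup_stage(void) { return pledge("stdio rpath wpath cpath", NULL); }

/* Stage 2: files are open; from here any open(2), execve(2), socket(2), ...
 * terminates the process with SIGABRT instead of succeeding. */
int pledge_filter_stage(void) { return pledge("stdio", NULL); }

/* Toy "codec" standing in for the real decompressor: a byte-wise copy.
 * Returns bytes written, or -1 on I/O error. */
long filter_stream(FILE *in, FILE *out)
{
    unsigned char buf[4096];
    size_t n;
    long total = 0;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n)
            return -1;
        total += (long)n;
    }
    return ferror(in) ? -1 : total;
}

int main(int argc, char *argv[])
{
    if (argc != 3)
        errx(1, "usage: %s infile outfile", argv[0]);
    if (pledge_setup_stage() == -1)
        err(1, "pledge");
    FILE *in = fopen(argv[1], "r"), *out = fopen(argv[2], "w");
    if (in == NULL || out == NULL)
        err(1, "fopen");
    if (pledge_filter_stage() == -1)   /* narrow before touching untrusted bytes */
        err(1, "pledge");
    if (filter_stream(in, out) < 0)
        err(1, "filter");
    return fclose(out) == 0 ? 0 : 1;
}
```

On OpenBSD, adding a stray fopen() after the second pledge call is enough to see the process killed, which is exactly the containment the post describes.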

Theo explains how he is developing and integrating pledge calls in OpenBSD and makes a strong case that such features need to be accessible, usable and mandatory.

What particularly caught my attention is this comment1 on XZ and other compressors:

In our Ports system where there are upstreams, we currently have a handful of pledge calls. We are primarily using them for the compressors. We are terrified of those compressors. Especially with compressors like XZ, which had 2 memory system vulnerabilities in the last year. We will have to see how far we can push it in this ecosystem.

XZ is a lossless data compressor used in a large number of use cases on Unix-like operating systems. It can compress files as well as data streams. From calling this software “terrifying”, we can infer XZ's poor security and code quality. The comment shows Theo is very aware of XZ's popularity on Unix systems and sees its usage as a direct threat, hence adding pledge() protection early to XZ running on OpenBSD.

Earlier in 2024, a targeted social engineering attack against XZ's main developer ended up compromising the software. The compromised XZ version 5.6.1 was about to be widely distributed to Debian and Red Hat Linux distributions when a Microsoft engineer found that it contained a malicious sshd backdoor. As the main Linux distributions were in the process of including the compromised XZ library in their stable (widely distributed) branches, the timely discovery prevented what could possibly have been one of the largest compromises in history.2

So what’s the link between XZ and sshd? This Ars Technica article explains it:

Any library can tamper with the inner workings of any executable it is linked against. Often, the developer of the executable will establish a link to a library that’s needed for it to work properly. OpenSSH, the most popular sshd implementation, doesn’t link the liblzma library, but Debian and many other Linux distributions add a patch to link sshd to systemd, a program that loads a variety of services during the system bootup. Systemd, in turn, links to liblzma, and this allows xz Utils to exert control over sshd.

While the XZ compromise didn't attempt to exploit OpenBSD3, it is important to note that the OpenBSD developers (including Theo de Raadt) are the ones developing OpenSSH. The portable version of OpenSSH is used in basically every Linux system. While the portable version of OpenSSH itself doesn't use XZ4, Linux distributions do link it to XZ, as the Ars Technica article explains.

Theo has communicated multiple times over the years that the OpenBSD team is fully dedicated to continuously improving the OS's security, to the point of even distrusting its own ‘core’ code, so I can't help but wonder if enough thought was given when he provided this warning about those compressors. He knew XZ was loaded with the portable version of OpenSSH on Linux. As the XZ compromise attacked Linux distributions with a huge user base, this was a very close call. While he surely wasn't predicting future nation-state attacks on XZ (running on Linux), he was telling us this heavily used software had critical security issues and couldn't be trusted at all, especially while being linked by critical software such as sshd.5 So what else is lurking underneath that could be the next supply chain attack?

The pledge talk video was watched on YouTube less than 200 times as of this publication.

Hackfest 2024 edition is scheduled October 7 to 12 2024.


  1. The shiny “pledged” turd in the video is not for XZ per se, but based on Theo's comment it seems to apply to it nonetheless. ↩︎

  2. Backdoor in XZ Utils That Almost Happened ↩︎

  3. OpenBSD wasn't a target, as explained by the OpenBSD developer responsible for maintaining the XZ port (this is how XZ can be easily installed and used on OpenBSD) ↩︎

  4. Arguably the best approach ↩︎

  5. For those interested, a large FAQ on the XZ backdoor which includes considered changes as a result of this incident. ↩︎