What the XZ Backdoor Tells Us

On Friday Red Hat issued an immediate security advisory (opens a new window) around the popular compression library XZ[1]. A backdoor somehow found its way into the trusted build process of this popular library. Whilst the XZ Backdoor (CVE-2024-3094) hasn’t affected any production systems. It does provide some lessons that can be learnt moving forwards regards software-based security gateways. 

The XZ Library & the Backdoor Itself

The XZ utils are a collection of libraries that are shipped with many different versions of Linux, including Fedora, Ubuntu and Debian. All of these operating systems use xz to compress software packages. 

Luckily it was discovered, before being shipped with any major releases by security researcher, Andres Freund. He noticed high CPU usage when using an SSH connection to login to a remote box whilst using a beta version of Debian [2] and decided to investigate it.

The XZ backdoor itself is designed to be “low and slow” - a theme consistent with many APT (advanced persistent threat) actors. It won’t always open the backdoor, but under the right conditions, the code allows for remote backdoor access via OpenSSH and SystemD. Given the widespread adoption of Debian, Fedora, Red Hat and other similar operating systems, the potential effects could have been catastrophic across the board. A backdoor into Linux allows for widespread espionage to take place, given Linux is common in server code around the world.

What does this tell us about the state of software-based security?

Software Security

Software security solutions are almost always built on a typical operating system stack, with some form of Linux “under the hood”. That is, if you strip back the security appliance and look how it’s built, you’ll probably find the underlying operating system is a well-known build. Perhaps Debian, RHEL or Fedora, with each vendors security code running on top. The vendor might say their security appliance is more secure because it has a custom microkernel, but either way the security critical code is going to be large, complex, and reliant on packages like XZ.

These approaches mean you must trust millions of lines of opens source code and thousands of lines of home-baked code. If there’s a flaw somewhere in the software, then the attacker will likely get free rein over the network it is supposed to protect.

"Whilst the XZ backdoor attack will grab the headlines over the next few weeks, there will be countless more advanced threats affecting our open source supply chain for months and years to come, without a researcher astonishingly spotting it before any production system were affected." - Aaron Mulgrew

Security appliances protecting secure networks within government and critical infrastructure simply cannot afford to take this amount of risk.

Enter Hardsec

Hardsec [3] is a different form of security technology that does not rely upon operating systems and their associated vulnerabilities to function. They use hardware logic to enforce the critical security functions. Typically implemented using FPGAs (Field Programmable Gate Array), they can either support one way data flows, like a data diode, or operate in a two-way mode, meaning capabilities such as REST APIs which require native two way communication can take place. Attacks that target the operating system, such as the XZ backdoor, simply are not applicable as there is no operating system to attack within a programmed FPGA. 

Hardsec protection has already arrived in the government arena, with both the US National Cross Domain Strategy & Management Office (NCDSMO) mandating Hardsec to include Protocol Filtering Devices (PFD) [4] within Raise the Bar (RtB) implementation requirements and the UK’s NCSC recommending the use of Transformation and Verification technologies [5]. Everfox has Hardsec solutions which meet both of these criteria [6]. Hardsec is a key component that is used to protect our classified networks from high threat networks such as the internet.  It is also used as the first line of defense to software based Cross Domain Solutions, to include Everfox’s Cross Domain Product line when connecting to high threat networks [7].

As advanced attacks are becoming ever more frequent, and the reliance on software based security is only ever increasing. I’d like to leave you with a couple of questions to ask your current gateway security vendor today:

Q: How does your software-based approach address the increasing complexity of advanced cyber threats targeting the operating system, especially in scenarios where software defenses may be bypassed or subverted?
Q: How do you know your appliance’s firmware, such as in the network adapters, isn’t shipping with a backdoor that can control or bypass your security mechanisms?

Contact Everfox today for more information on our US NCDSMO, UK NCSC and NATO compliant Hardsec and software based Cross Domain Solutions.

Sources

[ (opens a new window)1] Urgent security alert for Fedora 41 and Fedora Rawhide users (opens a new window)

[ (opens a new window)2] AndresFreundTec: "I accidentally found a securit…" - Mastodon (opens a new window)

[3] What is Hardsec? (opens a new window)

[4] National Security Agency/Central Security Service > Cybersecurity > Partnership > National Cross Domain Strategy & Management Office (opens a new window)

[5] Pattern: Safely Importing Data - NCSC.GOV.UK (opens a new window)

[6] Everfox Data Diode

[7] Everfox Software based Cross Domain Solutions