SSH library Hacked!

That was close….
Last week a crititcal security hole was detected and it reads almost like a thriller movie plot, when you dive into the details. Luckily almost unknown from the public, here’s what happened:

The setup:
– the SSH protocol (one of the most critical protocols on the internet) is used by administrators to access about 20 million servers in the world
– it relies on a software library called contained in the open source project XZ-tools
– XZ-tools is maintained by a single person on a voluntary basis (let’s call him Kevin)

The plot
– Kevin has a normal job and maintains the library in his free time
– For some reason, more and more requests are addressed to him so that his workload is no longer doable
– a new friend of Kevin offers to support (let’s call this friend Joe). After two years, Kevin grants Joe quite some privileges in the build process of this library
– Joe integrates a backdoor into the build process, which allows him to grab login data when the library is used in the SSH context
– Joe did it in a way that only allowed himself to use this backdoor. A NOBUS-backdoor (nobody but us)
– once this library is shipped to production and distributed, Joe would be able to access 20 million servers with admin privileges

The hero
– Andreas is software developer, who tested some software updates on is test system
– he discovered, that for unknown reasons his login-attempts took 500 milliseconds more after updating the XZ-tools
– and he did not ignore this. Instead, he investigated further, decompiled XZ-tools, and detected the backdoor
– Andreas immediately reported to authorities (ID CVE-2024-3094), forums, and vendors, the backdoor could be removed before the XZ-tools update got shipped

In the meantime, it seems clear, that both Joe (the hacker) and the unusual many requests for Kevin have been issued coordinated by a group of people, maybe even an intelligence service.

I’m thrilled to watch this plot in a movie – not in a fiction movie, but in a documentary. Really scary… thanks to Andreas, we have a happy ending!