A close call for the Linux community as major vulnerability detected

Open source software is the lifeblood of the tech world, spurring innovation and allowing projects to scale faster and more cost-effectively than relying solely on licensed software.

Millions of people around the world contribute their time and expertise to open source software projects. One side effect of that is the potential for rogue actors to join open source efforts with less than virtuous intentions - and to build security vulnerabilities into software products.

That’s what appears to have happened in the Linux community, where a sophisticated backdoor was built into the compression library of XZ Utils, a set of free software command-line lossless data compressors, widely used by open source developers.

The exploit had the potential to compromise SSH authentication, a key-based authentication system used all over the world to offer secure access to remote systems. The backdoor in versions 5.6.0 and 5.6.1 was found by software engineer Andres Freund in beta versions of Fedora Rawhide and Debian Linux-based operating systems.

“The malware, created by an XZ Utils developer who had been an active participant in the Linux open source effort for at least two years, was designed to intercept critical code, allowing hackers to bypass authentication to gain unauthorised root access to a targeted system. The backdoor works by injecting code during a key phase of the login process,” Ars Technica reported.
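A defender's first response to the situation described above is simply to find out whether one of the named releases is present. The following POSIX shell script is an added example, not code from the article or from the XZ Utils project: it parses the first line of `xz --version`, flags the 5.6.0 and 5.6.1 releases named earlier, and reports whether the local `sshd` binary has liblzma among its shared-library dependencies. The `xz (XZ Utils) <version>` output format and the use of `ldd` are assumptions about the local toolchain.

```shell
#!/bin/sh
# Added example, not from the article: flag the backdoored XZ Utils releases
# (5.6.0 and 5.6.1) on a host. Assumes the first line of `xz --version`
# reads "xz (XZ Utils) <version>", which is how upstream xz prints it.
AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# xz_version_affected LINE
#   LINE is the first line of `xz --version`. Returns 0 if the version is one
#   of the backdoored releases, 1 if it is any other version, 2 if unparsable.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p')
    [ -n "$ver" ] || return 2
    for bad in $AFFECTED_XZ_VERSIONS; do
        [ "$ver" = "$bad" ] && return 0
    done
    return 1
}

# sshd_links_liblzma
#   Returns 0 if the sshd binary on PATH lists liblzma among its shared-library
#   dependencies (the route by which the compromised library reached the SSH
#   daemon on affected distributions), 1 otherwise or if sshd is absent.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# check_installed_xz
#   Human-readable report for the local host. Returns 0 when the installed
#   xz is not an affected release, 1 when it is or when it cannot be checked.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not found on PATH"; return 1; }
    first_line=$(xz --version 2>/dev/null | head -n 1)
    xz_version_affected "$first_line"
    case $? in
        0)
            echo "WARNING: '$first_line' is a backdoored release (5.6.0/5.6.1)"
            sshd_links_liblzma && echo "WARNING: sshd on this host links liblzma"
            return 1 ;;
        1)
            echo "OK: '$first_line' is not an affected release"
            return 0 ;;
        *)
            echo "Could not parse xz version line: '$first_line'"
            return 1 ;;
    esac
}

# Run the live check when executed directly; harmless if xz is not installed.
check_installed_xz || :
```

The version test is deliberately an exact string match against the two named releases rather than a range comparison, so a later patched release such as 5.6.2 is not flagged; run it on each host and treat a warning as a signal to replace the package from a distribution build that has reverted to a clean version.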

The big question now is who created the malware and what was their motivation for creating a security backdoor that could have compromised computer systems all over the world if it had been introduced into operating environments.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote in a post outlining how he discovered the exploit. 

“Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’”, he added.

Thanks to Freund and others in the open source community who investigated the issue, disaster was averted. But it raises the question of whether open source software is inherently less secure due to the anonymous nature of many who work on it.

[Image] Source: Thomas Roccia

Open source still more secure

“Open source has proven that there is a positive effect when you have source code transparency,” InfoWorld’s Dan Lorenc wrote last month before the XZ Utils exploit came to light.

The network effect of many eyes on source code reveals vulnerabilities faster and creates much faster cycles of remediation. The results speak for themselves: 90% of the known exploited vulnerabilities (in the CVE list maintained by CISA) are in proprietary software, despite the fact that around 97% of all software is open source.

That being said, Lorenc acknowledged that open source efforts are built on trust, established over decades of successful development in the case of Linux.

“When you use binaries from a Linux distribution, you’re trusting upstream maintainers who write the source code and the distribution. That’s two different sets of people,” he writes. 

“The Linux distros understood this and really advanced the state of the art in software security over the last few decades, by pioneering approaches to software supply chains, and by establishing strict methods for vetting package maintainers.”

While open source software will continue to prove more secure than proprietary software, changes in how software is developed, distributed and used require a rethink in the open source world.

“We need more uniform ways to build, package, sign, and verify all of the source code that goes into packages in containers, and the distribution of these cloud-native components, while keeping them minimal and secure by default,” Lorenc explains.

“They’re all sitting at the top of the stack, which is the perfect place to refactor roots of trust that are going to support the next decades of open source innovation in the cloud-native world. It’s time for a de facto standard safe source for open source software.”
