LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

The Mother of All Supply Chain Attacks! Is 1Password Safe?!? (UPDATED)

A Malevolent Back Door

News broke Friday that a backdoor had been slipped into xz, a widely-used compression library.

The good news is that your Linux distro is probably safe, unless you’re running bleeding edge. If you’re running, for example, RedHat Fedora 41 or Fedora Rawhide, you are vulnerable and should take action immediately. The same goes if you’re using Debian Unstable.

But for typical users – Debian stable versions including 12, RHEL, Ubuntu, etc. – you are safe.
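A quick way to tell which side of that line a box falls on, as an added example that is not part of the original post: the script below parses `xz --version` output, flags the backdoored releases (5.6.0 and 5.6.1, the versions CVE-2024-3094 covers; the post itself names 5.6 and 5.6.1), and reports whether the local sshd links liblzma, since the odd ssh login behaviour was the first visible symptom. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check a Linux host for the
# backdoored xz releases (CVE-2024-3094). Function names are hypothetical.

# Returns 0 if the version string names a backdoored release, 1 otherwise.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1". Takes the text as an argument so it can
# be exercised on constructed input without xz installed.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Returns 0 if the sshd on this host links liblzma (the path the backdoor
# used on distros that patch sshd for systemd notification), 1 otherwise.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || return 1
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

# Check the running system. Exit status: 0 clean, 1 xz absent, 2 backdoored.
check_system_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed"
        return 1
    fi
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if sshd_links_liblzma; then
        echo "note: sshd on this host links liblzma"
    fi
    if is_backdoored_xz_version "$ver"; then
        echo "WARNING: xz $ver is a backdoored release (CVE-2024-3094); update or downgrade now"
        return 2
    fi
    echo "xz $ver is not one of the backdoored releases"
    return 0
}

check_system_xz || true
```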

Still, it highlights the growing risk of supply chain attacks, where slipping something into a widely-used upstream (GitHub repo, npm package, etc.) causes widespread downstream vulnerabilities.

There’s a very detailed writeup on Openwall.

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of Debian’s package, but it turns out to be upstream.

The backdoor author placed code in a test case, which is then executed during build, resulting in the malware being injected.

Now here’s a less widely-reported angle. There is a long thread on ycombinator discussing this. One user commented:

As you may have read, xz, a widely-used compression library, was found to have a backdoor introduced in version 5.6.

There is a comment in a Ycombinator thread that states:

A couple of years ago I wrote a Go library that wraps the xz C code and allows you to do xz compression in Go: https://github.com/jamespfennell/xz  About a week ago I received the first PR on that repo, to upgrade to 5.6.1. I thought it was odd to get such a random PR…it’s not the same GitHub account as upstream though.

5.6.1 is a vulnerable version of xz.

This was followed by a comment from a different ycombinator poster:

I don’t want to read too much into it, but the person (supposedly) submitting the PR seems to work at 1Password since December last year, as per his LinkedIn. (And his LinkedIn page has a link to the GitHub profile that made the PR.)

Youch! 1Password is a highly desirable target for malware, for obvious reasons. I submitted a ticket to 1Password informing them and urging them to investigate.

As I said, it seems the larger Linux community has been spared the worst of this, but these kinds of attacks are very worrisome. The collaborative nature of open source software makes it all too easy for an attacker to slip something nasty into our digital drinks.

UPDATE: 1Password has apparently reached out to the author of this summary of the xz situation:

A pull request to a Go library by a 1Password employee was opened asking to upgrade the library to the vulnerable version; however, it was all unfortunate timing. 1Password reached out by email referring me to this comment, and everything seems to check out.

UPDATE #2: 1Password replied to my ticket:

Thanks for reaching out to us here at 1Password!

To help provide some more context, an employee of ours has a personal GitHub account which contains a personal project unrelated to 1Password.

As part of development of this personal project, a pull request was made in the xz project impacted by CVE-2024-3094. This activity was coincidental and is not associated with CVE-2024-3094.

Our employee has posted to GitHub to provide a more in-depth explanation on this.

We hope this helps clarify things a bit further, but please let us know if you have any additional questions for us.
