Why software integrity is our invisible shield against cyberattacks

How robust software development practices and effective IT security monitoring protect us from the well-hidden dangers of the cyber world.

Now that cyberattacks are becoming increasingly dangerous and regular and digital borders are becoming increasingly invisible, software integrity is taking on a whole new significance as a fundamental pillar of our cybersecurity.

This can never be shown more clearly than in the current xz backdoor incident. The invisible attackers not only expose the vulnerability of our digital infrastructures, but also bring an urgent question into focus:

“How can we effectively protect ourselves against the shadow work of cyber criminals?”

In this article, I shed light on the background to the latest cyberattack and the critical role of software integrity as our invisible protective shield.

In doing so, I will highlight constructive IT security measures that each of us can take to strengthen the digital fortresses that protect our data, our privacy and our security.

Join me on a journey through the complex waters of IT security, which is more than just a battle against code – it’s a constant struggle for trust in an increasingly connected world.

The backdoor hidden in Linux distributions – What happened?

On March 29, 2024, the open source provider Red Hat reveals a disturbing discovery: Malicious code has been identifiedin versions 5.6.0 and 5.6.1 of the widely used ‘xz’ tools and software libraries!

This malicious code enables attackers to bypass the authentication systems via systemd and gain unauthorized access. Fedora versions 41 and Fedora Rawhide were specifically affected, although the potential threat goes far beyond these software releases.

The vulnerability, published under the designation
CVE-2024-3094
received the highest possible CVSS score of 10/10 and was therefore classified as critical . Their discovery highlights the latent risks in the software supply chain and the need to recognize software integrity as a central element of cybersecurity strategy.

Despite specifically affecting Fedora 41 and Fedora Rawhide at Red Hat, the incident signaled a wide-ranging risk, as ‘xz’ tools are used in numerous Linux distributions due to their efficiency and compatibility. The attack highlighted not only the sophistication of modern cyber threats, but also the critical importance of vigilance and ongoing testing of software products, even if they come from trusted sources.

In response to the discovery, immediate action was taken to address the vulnerability and update the affected software. At the same time, the community and security experts initiated a broad-based investigation to understand the extent of the compromise and develop future prevention strategies. This incident serves as a stern reminder of the constant threat of cybercrime and the vital role that software integrity plays in the fight against unseen attackers.

What is it about in detail? All the facts at a glance!

Here you can find all the facts at a glance:

Facts of the case

  • Date of the announcement: 29.03.2024
  • Affected software: “xz” tools and libraries
  • Versions: 5.6.0 and 5.6.1
  • Schwachstellen-ID: CVE-2024-3094
  • Affected distributions: Specifically Fedora 41 and Fedora Rawhide; other distributions may also be affected.
  • Distributions not affected: Amazon Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server, SUSE Linux Enterprise Server Micro, Ubuntu
  • Vulnerability assessment: Critical (CVSS score 10/10)

Evaluation

  • Description: Malicious code within the affected “xz” versions allows to bypass authentication via systemd in sshd.
  • Distribution and use: “xz” is used in almost every Linux distribution, both in community projects and in commercial products, which implies a widespread impact of the vulnerability.
  • Exploitation risk: Details on exploitation and proof-of-concepts were not known at the time of publication. Utilization is subject to certain conditions that have not yet been fully disclosed.

Measures

  • Recommended steps: Check and adapt according to the recommendations of the manufacturers of the respective Linux distributions. This can include downgrading to secure “xz” versions or shutting down affected systems.
  • Specific instructions for distributions: Includes downgrade instructions for openSUSE and instructions for users of distributions such as Alpine, Arch, Debian, Fedora, Gentoo, Kali, and openSUSE, among others.
  • Tools for checking: Publication of tools and instructions for checking your own IT systems for the vulnerability.

Additional information

  • Traffic Light Protocol (TLP): TLP:CLEAR, which allows unlimited forwarding of information.
  • Important links: Links to security warnings, vulnerability assessment tools and discussions on the backdoor issue.

Why is the focus here on the integrity of software?

When dealing with the critical backdoor in the “xz” tools and software libraries, both cryptoagility and software integrity are at the center of our interest if we are serious about robust software and effective IT security.

Each of these two aspects plays an important role in the context of cybersecurity, especially in responding to security incidents such as this one.

What is software integrity?

The integrity of software refers to ensuring that software is free from unauthorized modifications, whether through malicious interference or unintentional changes.

In the context of this incident, where a backdoor was found in widely used software, the integrity of software is of utmost importance. The malicious code allowed attackers to bypass authentication via systemd in sshd, which has a direct impact on the trustworthiness and security of the affected systems.

The prevention of such incidents and the ability to mitigate their impact are heavily dependent on robust mechanisms to ensure software integrity, including secure software development lifecycles, regular security audits and the use of digital signatures to verify the authenticity of software packages.

Cryptoagility

Cryptoagility refers to the ability of a system to switch quickly and efficiently from one cryptographic method or algorithm to another without compromising system functionality.

This capability becomes particularly important when cryptographic algorithms are compromised or deemed insecure.

Although cryptoagility in this specific case of CVE-2024-3094 is not directly related to the nature of the vulnerability, as the incident primarily affects the integrity and not the cryptography of the software, this security incident stillhighlights the overarching importance of cryptoagility for cybersecurity.

Only if we are able to switch software and hardware systems quickly and securely from one cryptographic method or algorithm to another can we use effective protection mechanisms.

In a constantly changing threat landscape, this is of crucial importance! Incidents like these – which in this form still lie undetected in some other software in a far higher number of unreported cases as malicious code – make it clear how essential flexible and robust IT security systems are for us to be able to react appropriately to unexpected security challenges.

“If an encryption mechanism or software is insecure, the clear motto is: deactivate and replace immediately!” – Sascha Block – IT Architect

With attackers constantly developing new methods to circumvent security measures, cryptoagility is an effective protection mechanism that helps to increase resilience to such attacks. It enables organizations to implement adaptive security protocols that are prepared not only for current threats, but also for future threats. The events surrounding CVE-2024-3094 show that even supposedly secure components can be compromised, underlining the need to make the entire security infrastructure agile and adaptable.

To put it very clearly and unambiguously:

“You wouldn’t get on a plane if it was proven that one of the engines was badly damaged, would you?

Neither should we rely on encryption mechanisms or software that have been identified as insecure.

Ensuring the security and integrity of our data means acting proactively and immediately decommissioning vulnerable systems and replacing them with secure alternatives.

Agile security strategies instead of static security models

Furthermore, the incident emphasizes the importance of a comprehensive approach to security, which includes both the integrity of software and the robustness of cryptographic measures. As organizations move away from traditional, static security models to more dynamic, adaptive systems, cryptoagility will become a critical factor in maintaining data security and user trust.

Ultimately, the CVE-2024-3094 case serves as a reminder that information technology security requires an ongoing effort that includes both preventative and reactive strategies. Cryptoagility plays a central role here, as it enables security systems to be quickly adapted and strengthened in order to be prepared for newly discovered threats and vulnerabilities. In this sense, the promotion of cryptoagility is not only a technical necessity, but also a strategic imperative for all those who want to ensure security in the digital world.

Valuable insights that we can take away with us and implement directly:

From the incident with the critical backdoor vulnerability in the “xz” tools and libraries for Linux, we can gain several very valuable insights. These insights are not only relevant for IT security experts, but also for software developers, system administrators and IT management in order to minimize future security risks:

  1. Importance of software integrity checks: The fact that the malicious code was found in official packages underscores the need for rigorous integrity checks and verification processes in software development and distribution.
  2. Importance of open source security: As “xz” is a widely used open source tool, the incident shows the importance of security in open source projects. It emphasizes the need for contributions to be carefully examined, especially in projects that are used in critical infrastructures.
  3. Rapid response to security incidents: The rapid identification and classification of the vulnerability as critical and the publication of updates and measures show how important a rapid response to security incidents is.
  4. CVSS score as a useful assessment tool: The maximum CVSS score of 10/10 indicates the critical nature of the vulnerability and serves as a guide for organizations to prioritize their response planning.
  5. The role of the community and research: The discovery by Andre Freund and the subsequent communication with the relevant bodies and stakeholders around IT security emphasize the role of the security community and independent researchers in identifying and reporting vulnerabilities.
  6. Awareness of supply chain attacks: The incident highlights the ongoing risk of supply chain attacks, where attackers compromise the supply chain of software and updates to spread malware.
  7. The need for contingency plans and security checks: The recommendation to shut down or reset affected systems to secure versions demonstrates the importance of contingency plans and the ability to respond quickly and effectively to security threats.
  8. Communication and transparency in the event of security incidents: Open communication about the vulnerability, affected versions and remediation measures is crucial for user trust and security.
  9. Diversification and redundancy in software dependencies: The impact of specific distributions underscores the need to diversify dependencies and create redundancies to minimize downtime risks.
  10. Importance of continuous monitoring and updates: The incident illustrates how important it is to continuously monitor systems and carry out regular updates in order to be prepared for newly discovered security vulnerabilities.

Open source myth debunked: Why transparency in the software world automatically means security

The conclusion that open source software (OSS) is fundamentally insecure is based on a widespread misunderstanding of the nature and security dynamics of open source projects.

My key arguments illustrate why this conclusion is wrong:

Transparency promotes security

Open source software is characterized by its transparency. The source code can be viewed by everyone, which enables a broad review by the community. Vulnerabilities can be discovered and reported by anyone, resulting in faster identification and resolution of vulnerabilities than in many closed-source environments where the code is only accessible to a limited group of developers.

Joint effort

The security of OSS is often supported by an active and engaged community that regularly contributes in the form of patches, security updates and improvements. This collective effort leads to a continuous improvement in software quality and security.

Safety audits and reviews

Many open source projects undergo regular security audits and reviews by experts. Large, widely used open source projects often receive additional security resources from companies that depend on the software, leading to even higher security scrutiny.

False equation of availability and vulnerability

The misconception that the availability of source code automatically leads to greater vulnerability ignores the fact that security is not achieved through obscurity, but through robust design and development practices. History has shown that many closed-source systems can also have serious security vulnerabilities, but the lack of transparency slows down their discovery and elimination.

Use in safety-critical systems

Open source software is used in a wide range of security-critical applications, from operating systems and network infrastructures to cryptographic libraries. The broad acceptance and use in these areas underlines the confidence in the security of open source software.

Example of successful OSS security models

Examples such as the Linux operating system, the OpenSSL encryption library or the Apache web server software project show that open source software can not only be secure, but is often a leader in the implementation of security standards and practices.

Your click, our common path: How your support shapes our digital future

Stay tuned, my Rock the Prototype format provides you with free valuable knowledge on crucial tech topics in software development andtheir social impact.

Please support me with your subscription to my
Linkedin Newsletter
podcast & YouTube channel. Of course I am also looking forward to your feedback, comments and likes!

My
Linkedin Newsletter
 provides you, as always, with relevant knowledge and offers a compact overview.

Compact information – easy to understand!

Until then, stay safe, creative and above all curious!

Your Sascha Block

Über den Autor:

Sascha Block

Ich bin Sascha Block – IT-Architekt in Hamburg und der Initiator von Rock the Prototype. Ich möchte Prototyping erlernbar und erfahrbar machen. Mit der Motivation Ideen prototypisch zu verwirklichen und Wissen rund um Software-Prototyping, Softwarearchitektur und Programmierung zu teilen, habe ich das Format und die Open-Source Initiative Rock the Prototype geschaffen.