Tuesday, March 4, 2025

Trusting Open Source After XZ Utils Backdoor


A backdoor in the open-source project XZ Utils (CVE-2024-3094) has raised serious concerns about the security of open-source software. This backdoor could have given malicious actors unauthorized access to millions of Linux machines. While the threat was prevented, this incident shed new light on the trustworthiness of open source.

Open source previously had a good security reputation. The transparency of development allows for a high level of scrutiny, while proprietary (closed source) software typically gets reviewed only at first issuance. Overall, the number of software vulnerabilities in mature open-source code is relatively low.

After a multi-year effort, the XZ backdoor was planted in some preview releases of Linux distributions. A malicious developer contributed to the XZ project to gain the trust of the development group and obtain the privileges needed to upload infected code. As the code started spreading, a Microsoft employee noticed a performance degradation in remote management that ultimately led to the discovery of the backdoor. With this discovery, large-scale exploitation was prevented. It is now believed that the malicious developer was part of a so-called nation-state attack, in which large resources are used to achieve strategic geopolitical gain.

With the decreasing cost of memory and increasing software size, the amount of software in use has grown beyond what manual review can cover. Software may be scanned automatically, but it is rarely scrutinized by a human (let alone by a security expert). This is a problem for all software, open or closed source.

Any product can suffer from supply-chain intrusion: somewhere in the process of making a product, there is a possibility that malicious functionality could be introduced. While we would typically expect this in software, it is also possible in hardware. An average product consists of more than 50% open-source software, together with open-source IP blocks that handle common tasks such as communication and encryption.

Knowing that vulnerabilities and backdoors may result from supply-chain issues, it is not enough to do design analysis and reviews of proprietary application code. Regardless of the open or closed origin of functionality, complete products should always be tested for security, with a strong focus on unexpected and potentially malicious behavior.
