A Wake-Up Call: Navigating the Risks of Open-Source Software in the Automotive Industry

Over the past few days, companies have been reeling from news of a new, urgent security warning, this one stumbled upon through a string of coincidences, solid due diligence, and attention to detail by Andres Freund, a Microsoft engineer.

A widely used data compression utility for Linux systems, integral to major Linux distributions, was compromised by inserting malicious code. This breach enabled remote code execution, exposing affected systems to complete access by remote attackers.

CVE-2024-3094 carries a CVSS score of 10.0, reflecting maximum severity, but companies can take some solace in the likelihood of impact being low. Only those using XZ Utils (a library of data compression tools used in nearly all Linux distributions) versions 5.6.0 and 5.6.1 have been found to be at risk, as only these relatively new versions were impacted.

This vulnerability was introduced into an open-source library as malicious code by a contributor and offered a secret backdoor. This backdoor enables unauthorized access and potential control of the entire machine. 

Malicious actors can break SSHD authentication, inject code, send arbitrary payloads, and thus effectively hijack control of each victim machine in its entirety. This savvy backdoor would allow malicious actors holding the private key to gain access, connect, and run commands as an administrator.

Who is Jia Tan?

One of the more notable aspects of this attack was the patience and dedication of the threat actor, in addition to the sophistication of the backdoor's obfuscation. Experts such as Costin Raiu have pointed to this big-picture, long-term mindset.

Further digging into this contributor – listed as Jia Tan – has made it obvious that this is likely a persona created specifically for this purpose, built slowly and with finesse over two years of contributing, gaining trust, permissions, and privilege. “Tan” has no other online presence beyond their contributions to the open source development community, and based on their behavior, is likely a front operated by a group of associated actors.  

What Next?

The recommendation is for those potentially impacted to contact the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and downgrade to an uncompromised version of XZ Utils.

Knowing that the attack could have wreaked havoc had it not been discovered raises issues that already keep security and DevSecOps teams up at night across all industries. Maintaining understanding, awareness, and control over your security posture is an ever-growing challenge, and the capability to develop and launch with agility without compromising on security often means what feels like an endless search for the right solutions.

With more sophisticated attackers, cybersecurity continues to be top of mind. In the automotive industry, we are well aware of the potential complications and repercussions of security vulnerabilities and the impact on passengers’ safety and privacy. 

The vast amount of personal data that could be obtained from each vehicle, including payment information, location history, sensor data, and more, is astounding in a world where data has long been the new oil. Linux is heavily used by manufacturers, including widespread reliance on it for in-vehicle infotainment systems, opening up new attack vectors that malicious actors can exploit. Some car makers rely on Automotive Grade Linux (AGL), a collaborative cross-industry effort developing an open platform for connected cars.

Mitigating Cyber Risks in Automotive: A Proactive Approach

The accidental discovery of this breach averted what could have been a severe security disaster, had the compromised package been integrated into stable releases of Linux distributions.

For the automotive industry, this breach serves as a crucial reminder of the need to adopt a comprehensive risk management mindset. Implementing a proven tool for SBOM (Software Bill of Materials) management, coupled with a robust vulnerability management system, enables the early identification and mitigation of risks throughout the product lifecycle.
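As an added illustration of the "What Next?" recommendation and of the SBOM-driven approach described above (example code written for this post, not part of EVSec or any other product), the following checks a CycloneDX-style SBOM for the XZ Utils versions named on this page. The SBOM content, the component names it matches on, and the image references are constructed assumptions.

```python
import json
import re

# Versions of XZ Utils the page names as carrying the CVE-2024-3094 backdoor.
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}
# Package names under which xz / liblzma commonly appear in an SBOM (assumption).
XZ_NAMES = {"xz", "xz-utils", "liblzma", "liblzma5", "xz-libs"}


def parse_version(version):
    """Return (major, minor, patch) from a version string, ignoring distro
    suffixes such as '-1' or '+deb'; return None if it is not x.y.z-like."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def find_affected_components(sbom):
    """Return (name, version, bom-ref) for every component that is an
    affected xz build. Only the numeric x.y.z core is compared, so a
    packaging suffix does not hide a vulnerable release."""
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name", "").lower() not in XZ_NAMES:
            continue
        if parse_version(comp.get("version", "")) in AFFECTED_VERSIONS:
            hits.append((comp["name"], comp["version"], comp.get("bom-ref")))
    return hits


# Constructed sample SBOM for three vehicle ECU images; not a real inventory.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "liblzma", "version": "5.6.1", "bom-ref": "ivi-image/liblzma"},
    {"type": "library", "name": "xz-utils", "version": "5.4.6", "bom-ref": "gateway-image/xz-utils"},
    {"type": "library", "name": "openssh-server", "version": "9.6p1", "bom-ref": "ivi-image/openssh-server"},
    {"type": "library", "name": "xz", "version": "5.6.0-1", "bom-ref": "tcu-image/xz"}
  ]
}
""")

if __name__ == "__main__":
    for name, version, ref in find_affected_components(SAMPLE_SBOM):
        print(f"AFFECTED: {ref} ships {name} {version} (CVE-2024-3094); "
              f"downgrade to an uncompromised release")
```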

By leveraging our award-winning Threat Analysis and Risk Assessment (TARA) product, car makers and Tier 1 suppliers can understand the context of a vulnerability, allowing for efficient prioritization and targeted mitigation efforts. EVSec ensures that resources are allocated effectively and that the most critical vulnerabilities are addressed promptly.

EVSec Vulnerability & BOM Management

The recent breach is a call to action for all stakeholders in the automotive domain to embrace a risk-driven cybersecurity approach. With the EVSec platform, companies can transcend traditional security measures, placing them in a vantage position to anticipate, understand, and neutralize threats with precision and agility, fortifying their cyber defenses against the ever-evolving landscape of risks.

EVSec Vulnerability & BOM Management not only automates the link between the SBOM and threat analysis but also delivers precise risk-based prioritization. This targeted approach ensures that new vulnerabilities are not just identified but also systematically mitigated. Moreover, EVSec’s advanced analysis technology significantly reduces the effort and cost of determining a vulnerability’s impact. It streamlines the entire process of identification, prioritization, and mitigation, offering an unparalleled layer of defense that is both intelligent and cost-effective.