Recently a sophisticated backdoor was discovered in the open source project XZ Utils (CVE-2024-3094). With this backdoor, malicious actors could potentially have obtained unauthorized remote access to millions of Linux machines worldwide. Although a major impact seems to have been prevented, this incident sheds new light on the trustworthiness of open source.
In security terms, open source code had developed a good reputation. The transparency of development allows for a high level of scrutiny. While proprietary (closed source) software typically gets reviewed only at its first release, for open source this can be a more continuous process. It is known that the number of software vulnerabilities in mature open source code is relatively low.
The XZ backdoor had been planted in some preview releases of Linux distributions after a multi-year effort. A malicious developer had contributed to the XZ project for a long time to gain the trust of the development group, and ultimately obtained the privileges to upload his infected code. As the code started spreading, an attentive Microsoft employee noticed a performance degradation in remote management that ultimately led to the discovery of the backdoor. Thanks to this fortunate discovery, large-scale exploitation was prevented. It is believed that the malicious developer took part in a so-called nation-state attack, in which large resources are deployed to achieve strategic geopolitical gain.
With the decreasing cost of memory and the increasing size of software, the amount of software in use has surpassed the level at which a manual review can still be expected. A lot of software may be scanned automatically but is never scrutinized by a human (let alone by a security expert). It is fair to say that this is a problem for all software, open or closed source.
That said, we should accept that any product can suffer from a supply-chain intrusion: somewhere in the process of making a product, there is a possibility that malicious functionality gets introduced. While we would typically expect this in software, it may even happen in hardware. More than 50% of an average product consists of open source software, and chip designers also like to incorporate open source IP blocks to handle common tasks (communication, encryption, etc.).
Knowing that vulnerabilities and backdoors may result from supply-chain issues, it is not enough to do design analysis and reviews of proprietary application code. Regardless of the open or closed origin of functionality, we should make sure that complete products are always tested for security, with a strong focus on unexpected and potentially malicious behavior.