Security News > 2024 > April > xz Utils Backdoor

xz Utils Backdoor
2024-04-02 18:50

Malicious code added to xz Utils versions 5.6.0 and 5.6.1 modified the way the software functions.

Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device.

No one has actually seen code uploaded, so it's not known what code the attacker planned to run.

In theory, the code could allow for just about anything, including stealing encryption keys or installing malware.

The following year, JiaT75 submitted a patch over the xz Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of xz Utils, hadn't been updating the software often or fast enough.

We simply have to stop building our critical national infrastructure on top of random software libraries managed by lone unpaid distracted-or worse-individuals.


News URL

https://www.schneier.com/blog/archives/2024/04/xz-utils-backdoor.html