xz Utils Backdoor
Malicious code added to xz Utils versions 5.6.0 and 5.6.1 modified the way the software functions.
Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device.
No one has actually seen code uploaded, so it's not known what code the attacker planned to run.
In theory, the code could allow for just about anything, including stealing encryption keys or installing malware.
The following year, JiaT75 submitted a patch over the xz Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of xz Utils, hadn't been updating the software often or fast enough.
We simply have to stop building our critical national infrastructure on top of random software libraries managed by lone unpaid distracted - or worse - individuals.
News URL
https://www.schneier.com/blog/archives/2024/04/xz-utils-backdoor.html
Related news
- Red Hat warns of backdoor in XZ tools used by most Linux distros
- Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)
- Malicious SSH backdoor sneaks into xz, Linux world's data compression library
- Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros
- Week in review: Backdoor found in XZ utilities, weaponized iMessages, Exchange servers at risk
- XZ Utils backdoor update: Which Linux distros are affected and what can you do?
- Malicious xz backdoor reveals fragility of open source
- New XZ backdoor scanner detects implant in any Linux binary
- What can be done to protect open source devs from next xz backdoor drama?
- XZ Utils backdoor: Detection tools, scripts, rules