Malicious Backdoor Discovered in XZ Utils Compression Software Affecting Linux Systems
By ctrlmeta
Summary
The article details the discovery of a sophisticated backdoor in the XZ Utils compression software, a critical open-source component used in Linux distributions. The backdoor was introduced in versions 5.6.0 and 5.6.1 by an account named 'Jia Tan' and allowed attackers with a specific Ed448 private key to execute arbitrary code on affected systems. The vulnerability was discovered by Andres Freund in March 2024 and quickly patched, but it raised significant concerns about supply chain security in open-source software and the potential for state-sponsored attacks on critical infrastructure.
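A defender's first check against the releases named above is whether a host's xz tool or liblzma library reports 5.6.0 or 5.6.1. The script below is an added example, not code from the article or the XZ project; the function names, the sample version strings and the handling of epoch and `+really` rollback labels in package versions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the article: classify xz/liblzma version strings
# against the two releases the summary names (5.6.0 and 5.6.1).

# Print "affected", "not-listed" or "unknown" for one version string.
xz_version_status() {
    v=${1#*:}                            # drop a package epoch ("1:5.6.1-1")
    case $v in
        *+really*) v=${v##*+really} ;;   # assumed rollback label: real version follows
    esac
    v=${v%%[-~+]*}                       # drop the distro revision or suffix
    case $v in
        5.6.0|5.6.1) echo affected ;;
        '')          echo unknown ;;
        *)           echo not-listed ;;  # not one of the releases named above
    esac
}

# Read `xz --version` style output on stdin, report each component, and
# return 1 if any component (the xz tool or liblzma) is an affected release.
check_xz_output() {
    rc=0
    while read -r line; do
        [ -n "$line" ] || continue
        name=${line%% *}
        ver=${line##* }
        st=$(xz_version_status "$ver")
        echo "$name $ver $st"
        if [ "$st" = affected ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample: tool and library versions differ on this host.
# On a real system: xz --version | check_xz_output
check_xz_output <<'EOF' || echo "affected release present"
xz (XZ Utils) 5.4.6
liblzma 5.6.1
EOF
```

Exact matching after stripping the suffix keeps a string such as 5.6.10 from being flagged, and checking the liblzma line separately matters because the summary places the backdoor in the library rather than the command-line tool.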
Key quotes
In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name 'Jia Tan'.
The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution capabilities on affected systems.
The vulnerability was discovered by Andres Freund in March 2024 and represents one of the most sophisticated supply chain attacks on open-source software.
This incident highlights critical vulnerabilities in the open-source software supply chain and the potential for state-sponsored attacks on critical infrastructure.
