The XZ Backdoor: A Stealthy Threat to Open Source Software

A backdoor was recently discovered in XZ Utils, an open-source data compression utility (and its library, liblzma) that is nearly ubiquitous in Linux and other Unix-like operating systems. The backdoor was intentionally planted and was revealed on March 29, 2024 by Andres Freund, a Microsoft developer, who found it while investigating unusually slow SSH logins and high CPU use in sshd on a Debian test system.

XZ Utils provides the .xz/.lzma compression and decompression routines used by package managers, kernel images and many other components. The malicious code in XZ Utils versions 5.6.0 and 5.6.1 was not visible in the source tree: it was injected at build time from files disguised as test data, and only into x86-64 glibc builds being packaged as .deb or .rpm. The tampered liblzma altered the library's own initialisation so that, when loaded into the OpenSSH server (sshd does not link liblzma directly, but the Debian and Fedora builds link it against libsystemd, which pulls liblzma in), it hooked OpenSSL's RSA_public_decrypt function used during SSH public-key authentication. Anyone holding the attacker's private key could then present a crafted SSH certificate whose signed payload sshd would run as a command with root privileges, before authentication completed, giving at least the level of control an authorized administrator would have.
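The practical question for an administrator reading the above is whether a given host runs one of the two affected releases and whether its sshd actually has liblzma loaded. The following POSIX shell triage script is an added example written for this page; it is not code from the page, from the XZ Utils project, or from the researchers who analysed the backdoor. It assumes a Linux host with /proc, `xz --version` output in its usual "xz (XZ Utils) N.N.N" form, and `pgrep`; the version strings it flags are the two releases named in the text.

```sh
#!/bin/sh
# Added triage script for this page (not from XZ Utils or the page author).
# Checks a Linux host for the two backdoored XZ Utils releases and for the
# link-time path the backdoor used to reach sshd. It is a triage aid only:
# a clean version string does not prove a build was not tampered with.

# Exit 0 when the version string is one of the two affected releases.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pulls the version number out of `xz --version` output, whose first line
# reads like "xz (XZ Utils) 5.6.1". Takes the captured output as $1.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Exit 0 when the running process with PID $1 has liblzma mapped. sshd does
# not link liblzma itself; distribution patches that link sshd against
# libsystemd (for sd_notify) pull liblzma in transitively, which is what the
# backdoor relied on. Seeing liblzma here is normal on Debian/Fedora builds;
# it matters only in combination with an affected version.
process_maps_liblzma() {
    grep -q 'liblzma\.so' "/proc/$1/maps" 2>/dev/null
}

# Turns a version string ($1) and a 0/1 flag ($2, "sshd has liblzma loaded")
# into a one-line verdict. Kept separate from main so it can be exercised
# without a live host.
classify() {
    if is_backdoored_xz_version "$1"; then
        if [ "$2" -eq 1 ]; then
            echo "CRITICAL: backdoored liblzma $1 and sshd has it loaded"
        else
            echo "HIGH: backdoored liblzma $1 installed; sshd not observed loading it"
        fi
    else
        echo "OK: xz $1 is not an affected release"
    fi
}

main() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed; nothing to check"
        return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    [ -n "$ver" ] || ver=unknown
    loaded=0
    # Every sshd process (listener and per-connection children) is checked.
    for pid in $(pgrep -x sshd 2>/dev/null); do
        if process_maps_liblzma "$pid"; then loaded=1; fi
    done
    classify "$ver" "$loaded"
}

main
```

Run it as root so that /proc/PID/maps of the sshd processes is readable; a non-root run will silently report liblzma as not loaded. A "HIGH" verdict on a host whose sshd does not load liblzma still warrants reinstalling xz from a fixed package, since the tampered library is present for any other process that links it.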

The backdoor was years in the making: the pseudonymous contributor behind it, "Jia Tan", began submitting patches to XZ Utils roughly two years earlier and worked up to becoming a co-maintainer before releasing the tampered versions. Those releases reached the development branches of major distributions, including Debian testing and unstable and Fedora Rawhide and the Fedora 40 beta, and were close to entering stable releases of Debian and Red Hat Enterprise Linux, two of the most widely deployed Linux families. The discovery came just in time, preventing a potentially widespread compromise of systems running these distributions.

read more > www.wired.com

NIMBUS27