The Cybersecurity and Infrastructure Security Agency on Friday warned that a widely used Linux tool that compresses and encrypts files shared between parties contains a previously undetected backdoor.
Had the backdoor been allowed to spread, it could have left the open source Linux ecosystem ripe for hacker exploitation. The targeted mechanism is a Secure Shell (SSH) component that compresses and scrambles data sent over the connection. The vulnerability could allow an attacker to bypass the authentication step of the SSH encryption process, potentially gaining access to the entire system.
A malicious actor embedded a backdoor in XZ Utils, a Linux file compression and transfer utility. According to a March 30 analysis from Red Hat, a cybersecurity company that provides commercial Linux distributions, the malicious code was built into two recently released versions of the tool, but it had not reached general release and was present only in certain beta versions of Linux products.
The malicious code is part of a February 23 update containing a self-installing script that embeds the vulnerability in production versions of Ubuntu, the Linux distribution used in the IT stacks of major companies such as Instacart, Slack, and Robinhood. It was introduced in .
“CISA urges developers and users to downgrade XZ Utils to a non-compromised version (such as XZ Utils 5.4.6 Stable), to look for malicious activity, and to report any positive findings to CISA,” the agency said in its warning.
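The advisory's two action items, confirm the installed XZ Utils release and look for signs of the backdoor, can be turned into a small triage check. This is an added example, not part of the article or CISA's guidance; it assumes that any release newer than the 5.4.6 baseline the advisory names should be treated as suspect until checked against the distribution's own advisory, and it also records whether sshd loads liblzma, since the article notes SSH was the target.

```shell
#!/bin/sh
# Added defender triage check (not from the article). Baseline taken from the
# CISA advisory quoted above; anything newer is flagged for manual verification.
SAFE_BASELINE="5.4.6"

# Constructed sample of `xz --version` output, used for offline testing.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Compare two dotted versions; prints -1, 0 or 1 for a<b, a==b, a>b.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        ax=${ax:-0}; bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
        case $a in *.*) a=${a#*.};; *) a="";; esac
        case $b in *.*) b=${b#*.};; *) b="";; esac
    done
    echo 0
}

# Pull the version number out of the first line of `xz --version` output.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*) \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when the version is at or below the advisory's baseline.
xz_within_baseline() {
    [ "$(version_cmp "$1" "$SAFE_BASELINE")" -le 0 ]
}

# Live checks against the running host.
triage() {
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then echo "xz not found"
    elif xz_within_baseline "$ver"; then echo "xz $ver: at or below baseline $SAFE_BASELINE"
    else echo "xz $ver: newer than baseline $SAFE_BASELINE, verify against your distro advisory"
    fi
    # The backdoor reached sshd through liblzma; record whether sshd links it.
    sshd=$(command -v sshd 2>/dev/null)
    if [ -n "$sshd" ] && ldd "$sshd" 2>/dev/null | grep -q liblzma; then
        echo "sshd links liblzma: $(ldd "$sshd" | grep liblzma)"
    else
        echo "sshd does not link liblzma (or sshd/ldd not available)"
    fi
}

triage
```

A flagged version is a prompt to compare the package against the distribution's advisory, not proof of compromise by itself.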
The flaw was discovered by Microsoft engineer Andres Freund, who documented his technical findings on Friday. Other Linux distribution communities will soon warn users, which should help resolve the vulnerability and avoid potentially more widespread problems.
Notably, the malicious code was introduced by a long-time contributor to XZ builds. Because the tool is open source, it relies on contributions from community members who keep it up to date through patches and regular updates.
A user known as “Jia Tan” filed a bug report on March 28 pressing for the software to be updated to the version containing the malicious code in Debian, a Linux distribution and operating system that the community touts as completely free to use. He claimed the update was justified as fixing problems in Debian.
The repository hosting the compromised code has since been disabled while GitHub assesses the potential impact and how and where malicious builds may have been inadvertently incorporated into Linux products.
One Ubuntu maintainer said the user had been “participating in the xz project for two years, adding all kinds of binary test files, but given this level of sophistication, I don't think xz will ever work until proven otherwise. Even older versions would be suspicious,” Ars Technica reported on Friday.
“Given the weeks of activity, either the committer was directly involved or there was a fairly serious compromise of the system,” Freund said in his analysis. “Unfortunately, the latter explanation seems less likely, given that they were communicating on a variety of lists about the 'fixes' mentioned above.”
The event could reinvigorate the debate in Washington over the safety and security of open source tools. The debate has already become a flashpoint in AI policy negotiations, as lawmakers and the tech industry battle over how to make AI systems more accessible to the general public.
Politico added on Monday that there are allegations that the individual may have been involved with a national cyber group, and that the FBI and NSA are likely to investigate the incident.