On March 29, right before Easter weekend, we received notifications about something unusual happening with the open-source project XZ Utils, which provides lossless data compression on virtually all Unix-like operating systems, including Linux. The initial warning was sent to the Open Source Security mailing list sent by Andres Freund, who discovered that XZ Utils versions 5.6.0 and 5.6.1 are impacted by a backdoor. A few hours later, the US government’s CISA and OpenSSF warned about a critical problem: an installed XZ backdoored version could lead to unauthorized remote access.This came as quite a shock because it perfectly described a software supply chain doomsday scenario. XZ Utils has heavy repercussions on OpenSSH security, which creates more urgency in detecting and removing backdoor versions (CWE-506: Embedded Malicious Code).XZ Utils is heavily used in embedded systems and firmware development across many different ecosystems. Luckily, in this particular case, the slow deplo…
Related Topics: