- The XZ-Utils backdoor was found over a year ago
- Despite warnings, some Linux images on Docker Hub still contain it
- Debian will not remove them, as the images are “historical artifacts”
At least 35 Linux images hosted on Docker Hub contain a dangerous backdoor that could put software developers and their products at risk of takeover, data theft, ransomware and more.
At least some of the images, however, will remain where they are and will not be removed, since they are outdated anyway and should not be used.
In March 2024, the open-source community was stunned when security researchers discovered the “XZ backdoor”, a piece of malicious code, in the upstream XZ-Utils releases 5.6.0 and 5.6.1 (the liblzma.so library), which briefly spread to some Linux distribution packages (not their stable releases). The backdoor was planted by a developer using the name ‘Jia Tan’, who over the preceding two years had built considerable credibility in the community through various contributions.
Debian, Fedora and others
Now, Binarly security researchers have said that malicious XZ-Utils packages containing the backdoor were distributed in certain branches of several Linux distributions, including Debian, Fedora and openSUSE.
“This had serious consequences for the software supply chain, as it became challenging to quickly identify all the places where the backdoored library was included.”
Binarly's experts now say that several Docker images built around the time of the compromise also contain the backdoor. They say that at first glance this may not seem alarming, since if the distribution packages were backdoored, all the Docker images based on them would naturally be backdoored too.
However, the researchers said some of the compromised images are still available on Docker Hub, and were even used to build other images, which have thus become transitively infected. Binarly said it found “only” 35 images because it focused exclusively on Debian images:
“The effect on Docker images from Fedora, openSUSE and other distributions affected by the XZ-Utils backdoor remains unknown at this time.”
Debian said it would not remove the malicious images, as they are outdated anyway and should not be used. They will be left as “historical artifacts”.
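As an added, defensive example (not from the article, and not Binarly's or Debian's tooling), the following POSIX shell script checks a Debian-based image for packages built from the xz-utils 5.6.0 and 5.6.1 releases named above, by reading the dpkg status database such images carry at /var/lib/dpkg/status. The package names it looks for (xz-utils, liblzma5, liblzma-dev), the sample status data and the docker command line in the comments are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example: flag dpkg packages at the xz-utils 5.6.0 / 5.6.1 versions the
# article names. Assumed usage against a real image (not run here):
#   docker run --rm <image> cat /var/lib/dpkg/status > status.txt
#   sh scan-xz.sh status.txt

# check_xz_status FILE
#   Prints "package version" for every xz/liblzma package whose version starts
#   with 5.6.0 or 5.6.1. Returns 0 if any were found, 1 otherwise.
check_xz_status() {
    awk '
        function flush() {
            # Assumed Debian package names for the xz-utils source package.
            if ((pkg == "xz-utils" || pkg == "liblzma5" || pkg == "liblzma-dev") &&
                (ver ~ /^5\.6\.0/ || ver ~ /^5\.6\.1/)) {
                print pkg, ver
                found = 1
            }
            pkg = ""; ver = ""
        }
        /^Package: / { pkg = $2 }
        /^Version: / { ver = $2 }
        /^$/         { flush() }          # blank line ends a dpkg record
        END          { flush(); exit (found ? 0 : 1) }
    ' "$1"
}

# make_sample_status FILE
#   Writes a constructed dpkg status fragment (not data from any real image)
#   containing two affected packages and two unaffected ones.
make_sample_status() {
    cat > "$1" <<'EOF'
Package: bash
Status: install ok installed
Version: 5.2.15-2+b2

Package: liblzma5
Status: install ok installed
Version: 5.6.1-1

Package: xz-utils
Status: install ok installed
Version: 5.6.1-1

Package: coreutils
Status: install ok installed
Version: 9.1-1
EOF
}

# Stand-alone use: scan the status file given as the first argument.
if [ -n "${1:-}" ]; then
    if check_xz_status "$1"; then
        echo "affected xz-utils/liblzma package versions found" >&2
        exit 2
    else
        echo "no xz-utils 5.6.0/5.6.1 packages found" >&2
    fi
fi
```

Because images built from a compromised base inherit its dpkg database, the same check applied to every layer of a derived image covers the transitive case the researchers describe. It only recognises the upstream release versions the article names; an image that ships liblzma from another source (a static build, a vendored copy) needs a hash or symbol-level check instead.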
Via BleepingComputer