Backdoor found in xz Utils for Linux systems

Ars Technica April 1, 2024, 08:00 AM UTC

Summary: Researchers discovered a backdoor in xz Utils, a widely used data compression utility in Linux. The malicious code, present in versions 5.6.0 and 5.6.1, allowed unauthorized access with root privileges over SSH. The attack was sophisticated, involving years of planning and manipulation of the software's development process. The backdoor targeted Debian and Red Hat distributions on amd64 systems running glibc. Multiple distributions unknowingly included the compromised versions.

Timeline:

  1. [5.6]
    Volunteer engineer finds cybersecurity threat in XZ Utils (The Japan Times)
    151d 16h

  2. [5.5]
    XZ Utils backdoored for covert SSH access on Linux (Help Net Security)
    152d 12h

  3. [5.6]
    Malicious code found in XZ Utils on Good Friday (The Guardian)
    154d 10h

  4. [6.6]
    Andres Freund prevented cybersecurity breach in XZ Utils software (The Hindu)
    154d 20h

  5. [5.6]
    Andres Freund uncovers sabotage in XZ Utils, preventing crisis (The Japan Times)
    155d 0h

  6. [6.1]
    Backdoor discovered in XZ Utils by Microsoft developer (The Intercept)
    157d 2h

  7. [5.9]
    Free online scanner detects XZ Utils backdoor in Linux (TechRadar)
    157d 9h

  8. [6.2]
    Linux narrowly avoided cyber attack from XZ Utils backdoor (The Verge)
    158d 1h

  9. [5.7]
    Supply chain attack targets XZ Utils in Linux distributions (Cybersecurity Dive)
    158d 3h

  10. [7.2]
    Backdoor in XZ Utils allows unauthorized root access (WIRED)
    158d 16h

  11. [5.9]
    Backdoor in XZ Utils poses security risk in Linux (Nextgov/FCW)
    159d 9h

  12. [5.8]
    Critical Linux vulnerability; update XZ Utils before 5.6.0 (IT World Canada)
    159d 13h

  13. [6.3]
    Critical xz package vulnerability discovered on Debian, CVE-2024-3094 (TechRadar)
    160d 4h

  14. [5.9]
    XZ Utils compromised by maintainer "Jia Tan." (Help Net Security)
    160d 6h

  15. [6.6]
    Critical XZ Utils vulnerability allows unauthorized system access (Help Net Security)
    160d 17h

  16. [5.9]
    Critical security flaw in xz-utils threatens Linux and macOS (Security Boulevard)
    160d 20h

  17. [5.5]
    Malicious code in xz libraries poses security threat (The New Stack)
    161d 6h

  18. [4.3]
    Backdoor in xz compression utility version 5.6.0 discovered (SC Media)
    162d 1h

  19. [4.1]
    Backdoor found in xz Utils 5.6.0/5.6.1, affecting Linux distributions (Ars Technica)
    162d 5h

  20. [6.1]
    Critical XZ Utils vulnerability (CVE-2024-3094) compromises Linux systems (Help Net Security)
    162d 7h