Backdoor in XZ Utils poses security risk in Linux

Nextgov/FCW April 1, 2024, 05:00 PM UTC

Summary: CISA warns of a backdoor in XZ Utils, a Linux file compression tool, that could allow system access. Red Hat confirms the vulnerability affects certain beta Linux versions. A Microsoft engineer discovered the flaw. The malicious code was introduced by a long-time XZ contributor. CISA advises downgrading to secure versions. GitHub investigates exploit repository closure. Suspicions of nation-state involvement prompt an FBI and NSA investigation. Debates over the security of open-source tools reignite.

Timeline:

  1. [5.6]
    Volunteer engineer finds cybersecurity threat in XZ Utils (The Japan Times)
    151d 16h

  2. [5.5]
    XZ Utils backdoored for covert SSH access on Linux (Help Net Security)
    152d 12h

  3. [5.6]
    Malicious code found in XZ Utils on Good Friday (The Guardian)
    154d 10h

  4. [6.6]
    Andres Freund prevented cybersecurity breach in XZ Utils software (The Hindu)
    154d 20h

  5. [5.6]
    Andres Freund uncovers sabotage in XZ Utils, preventing crisis (The Japan Times)
    155d 0h

  6. [6.1]
    Backdoor discovered in XZ Utils by Microsoft developer (The Intercept)
    157d 2h

  7. [5.9]
    Free online scanner detects XZ Utils backdoor in Linux (TechRadar)
    157d 9h

  8. [6.2]
    Linux narrowly avoided cyber attack from XZ Utils backdoor (The Verge)
    158d 1h

  9. [5.7]
    Supply chain attack targets XZ Utils in Linux distributions (Cybersecurity Dive)
    158d 3h

  10. [7.2]
    Backdoor in XZ Utils allows unauthorized root access (WIRED)
    158d 16h

  11. [5.8]
    Critical Linux vulnerability; update XZ Utils before 5.6.0 (IT World Canada)
    159d 13h

  12. [5.9]
    Backdoor found in xz Utils for Linux systems (Ars Technica)
    159d 18h

  13. [6.3]
    Critical xz package vulnerability discovered on Debian, CVE-2024-3094 (TechRadar)
    160d 4h

  14. [5.9]
    XZ Utils compromised by maintainer "Jia Tan." (Help Net Security)
    160d 6h

  15. [6.6]
    Critical XZ Utils vulnerability allows unauthorized system access (Help Net Security)
    160d 17h

  16. [5.9]
    Critical security flaw in xz-utils threatens Linux and macOS (Security Boulevard)
    160d 20h

  17. [5.5]
    Malicious code in xz libraries poses security threat (The New Stack)
    161d 6h

  18. [4.3]
    Backdoor in xz compression utility version 5.6.0 discovered (SC Media)
    162d 1h

  19. [4.1]
    Backdoor found in xz Utils 5.6.0/5.6.1, affecting Linux distributions (Ars Technica)
    162d 5h

  20. [6.1]
    Critical XZ Utils vulnerability (CVE-2024-3094) compromises Linux systems (Help Net Security)
    162d 7h