
Back Doored SSH Tunnel Threatens Software Supply Chain

  • Writer: Anup Ghosh
  • Mar 31, 2024
  • 2 min read


The Download

A backdoor has been discovered in xz Utils, the compression utility and library (liblzma) shipped by essentially every Linux distribution. The malicious code was introduced in the 5.6.0 release published on Feb 23rd. Remarkably, it was not found by an xz maintainer but by Andres Freund, a PostgreSQL developer, who noticed while benchmarking on a Debian test system that SSH logins were taking about half a second longer than expected and burning CPU in the SSH daemon, alongside Valgrind errors from liblzma. He investigated the delay and traced it to malicious code in liblzma that is loaded into sshd.


The backdoor is not a weakness in SSH's encryption. The malicious code is hidden in the xz release tarballs (it is not in the git source tree) and is injected into liblzma at build time. On distributions whose OpenSSH is patched to link libsystemd, sshd loads liblzma, and the backdoor hooks the RSA public-key check so that a remote party holding the attacker's private key can execute commands on the host, as root, before authentication completes. Fortunately, it was caught before reaching any stable release: the affected versions had only shipped in testing and rolling branches such as Fedora Rawhide and Debian unstable, so a stable-release rollout to Red Hat Fedora, Debian and others, which would have caused widespread compromise, was averted.


The perpetrator of the backdoor code, which shipped in xz Utils 5.6.0 and 5.6.1, was one of the two main developers of xz Utils over the last two years, having gradually earned co-maintainer status. The perpetrator urged the major Linux distributions to push the new versions into their releases. Fortunately, distributions have rolled back to the earlier 5.4.x series. However, because the developer in question spent two years on the project, there are now open questions as to whether other portions of the code base have been tampered with.


What You Can Do

Unless you run a rolling-release or testing distribution that picked up xz Utils 5.6.0 or 5.6.1, you are probably fine, but check rather than assume: run xz --version, and if it reports 5.6.0 or 5.6.1, roll back to 5.4.x and treat any network-exposed host running an sshd that links liblzma as potentially compromised. Beyond this incident, it is worth noting that the software supply chain itself can be compromised by malicious code. We saw this with SolarWinds. Once a popular core utility has been compromised, the effects can be far reaching. We may have dodged a bullet on this one, or we may find other portions of the code base have been compromised.
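The check described above, written out as a small POSIX shell script. This is an added example, not code from the original post or from the xz or ThreatMate projects; it assumes the sshd binary lives at /usr/sbin/sshd (adjust for your distribution) and that xz --version prints its version on the first line in the usual "xz (XZ Utils) 5.6.1" form.

```shell
#!/bin/sh
# Added example: check a Linux host for the backdoored xz releases and for
# an sshd that loads liblzma (the condition the backdoor needs).
# Assumption: sshd is at /usr/sbin/sshd; change SSHD_PATH if not.
SSHD_PATH=/usr/sbin/sshd

# Return 0 (true) if the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1": keep only the text after the last space.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* //p'
}

# Return 0 if the given sshd binary is dynamically linked against liblzma,
# directly or indirectly (e.g. through libsystemd).
sshd_loads_liblzma() {
    [ -x "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Print one line per check; return 0 when nothing suspicious is found and
# 1 when the installed xz is a backdoored release.
check_host() {
    status=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "xz $ver: BACKDOORED release; roll back to 5.4.x and treat the host as compromised"
            status=1
        else
            echo "xz $ver: not an affected release"
        fi
    else
        echo "xz: not installed"
    fi
    if sshd_loads_liblzma "$SSHD_PATH"; then
        echo "sshd: links liblzma (exploitable if xz is an affected release)"
    else
        echo "sshd: does not link liblzma, or not installed at $SSHD_PATH"
    fi
    return "$status"
}

check_host
```

Run it as root or any user that can execute ldd on the sshd binary. A "links liblzma" line on its own is not a finding; it only matters together with an affected xz version, but it is the fastest way to tell whether a given host was ever in the blast radius.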


What you will need to know at all times is your asset inventory including what software and versions you are running, in order to be prepared to patch or roll back to prior versions. ThreatMate provides detailed software inventory management for your systems.



