- The XZ Utils backdoor was found more than a year ago
- Despite the warnings, some Linux images still contain it
- Debian will not remove them, since the images are “historical artifacts”
At least 35 Linux images hosted on Docker Hub contain a dangerous backdoor, which could put software developers and their products at risk of takeover, data theft, ransomware and more.
However, at least some of the images will remain on the site and will not be removed, since they are outdated anyway and should not be used.
In March 2024, the open source community was shaken when security researchers discovered a backdoor in the upstream XZ Utils releases 5.6.0 and 5.6.1 (the liblzma library). The backdoor had been inserted by a developer known as ‘Jia Tan’ who, over the two years before that point, had built up significant credibility in the community through various contributions.
Debian, Fedora and others
Now, Binarly security researchers have said that the malicious XZ Utils packages containing the backdoor were distributed in certain branches of several Linux distributions, including Debian, Fedora and openSUSE.
“This had serious implications for the software supply chain, since it became difficult to quickly identify all the places where the backdoored library had been included.”
Binarly's experts now say that several Docker images, built at the time of the compromise, also contain the backdoor. They note that at first glance this may not seem alarming, since if the distribution packages were backdoored, then any Docker image based on them would be backdoored as well.
However, the researchers said that some of the compromised images are still available on Docker Hub, and were even used to build other images that have in turn been transitively infected. Binarly said it found “only” 35 images because it focused solely on Debian images:
“The impact on the Docker images of Fedora, openSUSE and other distributions that were affected by the XZ Utils backdoor is still unknown at this time.”
Debian said it would not remove the malicious images, since they are outdated anyway and should not be used. They will be left as “historical artifacts.”
Via BleepingComputer