Malicious XZ Attack Planned for Years
The malicious code recently discovered in versions 5.6.0 and 5.6.1 of XZ Utils “appears to be the product of a carefully crafted supply chain attack that took several years to set up,” reports Lindsey O’Donnell-Welch.
“xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions,” according to the Red Hat security alert issued March 29.
The code (CVE-2024-3094), found by Microsoft software engineer Andres Freund, could allow attackers to break sshd authentication and gain unauthorized access to impacted systems.
“It's hard to overstate the complexity of the social engineering and the inner workings of the backdoor,” notes Dan Goodin. But this graphic from Thomas Roccia helps visualize the extent of the efforts.
Read more at Duo Decipher and Ars Technica.