Backdoor in XZ Utils allows unauthorized root access

WIRED April 2, 2024, 10:00 AM UTC

Summary: A backdoor was discovered in XZ Utils, a widely used data compression utility on Linux systems. Malicious code in versions 5.6.0 and 5.6.1 allowed unauthorized access with root privileges. The backdoor was part of a sophisticated supply chain attack, with the perpetrator, Jia Tan, infiltrating the project over years. The backdoor enabled the execution of malicious commands through SSH. The incident was described as a nightmare scenario by experts.


Timeline:

  1. [5.6]
    Volunteer engineer finds cybersecurity threat in XZ Utils (The Japan Times)
    109d

  2. [5.5]
    XZ Utils backdoored for covert SSH access on Linux (Help Net Security)
    110d

  3. [5.6]
    Malicious code found in XZ Utils on Good Friday (The Guardian)
    112d

  4. [6.6]
    Andres Freund prevented cybersecurity breach in XZ Utils software (The Hindu)
    112d

  5. [5.6]
    Andres Freund uncovers sabotage in XZ Utils, preventing crisis (The Japan Times)
    112d

  6. [6.1]
    Backdoor discovered in XZ Utils by Microsoft developer (The Intercept)
    114d

  7. [5.9]
    Free online scanner detects XZ Utils backdoor in Linux (TechRadar)
    115d

  8. [6.2]
    Linux narrowly avoided cyber attack from XZ Utils backdoor (The Verge)
    115d

  9. [5.7]
    Supply chain attack targets XZ Utils in Linux distributions (Cybersecurity Dive)
    115d

  10. [5.9]
    Backdoor in XZ Utils poses security risk in Linux (Nextgov/FCW)
    117d

  11. [5.8]
    Critical Linux vulnerability; update XZ Utils before 5.6.0 (IT World Canada)
    117d

  12. [5.9]
    Backdoor found in xz Utils for Linux systems (Ars Technica)
    117d

  13. [6.3]
    Critical xz package vulnerability discovered on Debian, CVE-2024-3094 (TechRadar)
    117d

  14. [5.9]
    XZ Utils compromised by maintainer "Jia Tan." (Help Net Security)
    118d

  15. [6.6]
    Critical XZ Utils vulnerability allows unauthorized system access (Help Net Security)
    118d

  16. [5.9]
    Critical security flaw in xz-utils threatens Linux and macOS (Security Boulevard)
    118d

  17. [5.5]
    Malicious code in xz libraries poses security threat (The New Stack)
    119d

  18. [4.3]
    Backdoor in xz compression utility version 5.6.0 discovered (SC Media)
    119d
  19. [4.1]
    Backdoor found in xz Utils 5.6.0/5.6.1, affecting Linux distributions (Ars Technica)
    120d
  20. [6.1]
    Critical XZ Utils vulnerability (CVE-2024-3094) compromises Linux systems (Help Net Security)
    120d