A Microsoft developer has found a backdoor in a compression library widely used in Linux systems, one that could have resulted in a massive software supply chain attack.
The author of the backdoor was a maintainer of the open source library and had spent years developing the software compromise.
How the XZ Utils Backdoor Was Found
On March 28, Andres Freund, a principal software engineer at Microsoft and one of the developers of PostgreSQL, found a vulnerability in liblzma, a software package that is part of XZ Utils, a library for compressing and decompressing files on computers, especially in Linux systems.
Freund noticed that failing Secure Shell (SSH) logins were consuming a substantial amount of Central Processing Unit (CPU) time, and that his SSH sessions were delayed by an unusual 500ms.
This led him to realize that a significant amount of CPU time was being consumed by liblzma. Upon further investigation, he found a remote code execution (RCE) vulnerability in the liblzma software package.
This backdoor allowed remote attackers to bypass sshd authentication and gain complete access to an affected system.
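The two signals that exposed the backdoor, liblzma being active inside sshd and SSH logins taking noticeably longer than usual, are both things an administrator can check for. The following is an added example written for this article, not Freund's tooling and not part of XZ Utils or OpenSSH: it parses /proc/<pid>/maps text to report whether liblzma is mapped into an sshd process, and flags login timings that exceed a baseline by a chosen margin. The maps text and the timing samples are constructed, and the 500ms margin is taken from the delay the article reports rather than from any official guidance.

```python
"""Defender-side checks inspired by how the liblzma backdoor was noticed:
unexpected CPU work inside sshd, and SSH logins running ~500 ms slow.

Added example for this article (not Freund's code, not XZ Utils code).
All sample data below is constructed; thresholds are assumptions.
"""
import os
import statistics

# Constructed watch list: shared objects we would not expect a hardened
# OpenSSH daemon to need. liblzma is the one this article is about.
SUSPECT_LIBS = ("liblzma",)

# Constructed /proc/<pid>/maps excerpt for an sshd process. Addresses,
# inodes and paths are illustrative only.
SAMPLE_SSHD_MAPS = """\
55d3a1c00000-55d3a1c9a000 r--p 00000000 fd:01 1572915 /usr/sbin/sshd
7f2a1b200000-7f2a1b22b000 r--p 00000000 fd:01 263423  /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f2a1b400000-7f2a1b4d0000 r--p 00000000 fd:01 263501  /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f2a1b600000-7f2a1b628000 r--p 00000000 fd:01 263300  /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd9e3f0000-7ffd9e411000 rw-p 00000000 00:00 0       [stack]
"""


def mapped_libraries(maps_text: str) -> set:
    """Return basenames of shared objects backing mappings in maps text."""
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue  # anonymous mapping: no backing file
        path = parts[5].strip()
        name = os.path.basename(path)
        if path.startswith("/") and ".so" in name:
            libs.add(name)
    return libs


def suspect_libraries(maps_text: str) -> list:
    """Sorted list of mapped libraries whose name starts with a watched prefix."""
    return sorted(lib for lib in mapped_libraries(maps_text)
                  if any(lib.startswith(p) for p in SUSPECT_LIBS))


def baseline_ms(samples_ms) -> float:
    """Median of historical login timings; robust to a few slow outliers."""
    return statistics.median(samples_ms)


def slow_login_outliers(samples_ms, baseline, min_excess_ms=500.0) -> list:
    """Indices of timings at least min_excess_ms above the baseline."""
    return [i for i, t in enumerate(samples_ms) if t - baseline >= min_excess_ms]


def live_sshd_check() -> dict:
    """On a Linux host, map each running sshd pid to its suspect libraries.

    Returns an empty dict where /proc is unavailable or unreadable.
    """
    findings = {}
    if not os.path.isdir("/proc"):
        return findings
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as fh:
                if fh.read().strip() != "sshd":
                    continue
            with open(f"/proc/{pid}/maps") as fh:
                hits = suspect_libraries(fh.read())
        except OSError:
            continue  # process exited or permission denied
        if hits:
            findings[int(pid)] = hits
    return findings


if __name__ == "__main__":
    print("suspect libs in sample sshd maps:", suspect_libraries(SAMPLE_SSHD_MAPS))
    history = [120, 130, 125, 118, 122]      # constructed normal login times (ms)
    observed = [128, 640, 655, 121, 670]     # constructed recent login times (ms)
    base = baseline_ms(history)
    print("baseline ms:", base, "slow logins at indices:",
          slow_login_outliers(observed, base))
    print("live sshd findings:", live_sshd_check())
```

Neither check proves anything on its own: liblzma can legitimately be mapped into sshd through a dependency chain, and login latency has many causes. Their value is as a trigger for the kind of closer look that led Freund to the backdoor, ideally correlated with package provenance and CPU profiling of the sshd process.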