XZ Utils Backdoor Still Lurking in Docker Images
5 days ago
- #Docker-Security
- #XZ-Utils-Backdoor
- #Supply-Chain-Attack
- Discovery of the XZ Utils backdoor in March last year shocked the cybersecurity community.
- The backdoor was embedded in the liblzma.so library, affecting OpenSSH server interactions.
- Malicious xz-utils packages were distributed by major Linux distributions such as Debian, Fedora, and openSUSE.
- Binarly released XZ.fail, a tool to detect suspicious IFUNC resolvers with minimal false positives.
- New findings reveal that several Docker images built during the compromise still contain the backdoor.
- Over 35 Docker images were identified with the backdoor, some still publicly available on Docker Hub.
- The backdoor propagates through image inheritance: images built FROM a backdoored image inherit it, producing second-order and potentially third-order affected images.
- Binarly notified Debian maintainers, but affected images remain, posing a security risk.
- The incident highlights the persistence of backdoored builds in container registries.
- Binarly Transparency Platform offers tools to detect and remediate threats like IFUNC-based hooking.
- A recent addition to the platform is YARA rules integration for scanning software portfolios.
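The propagation point above (a backdoored build reaching second- and third-order images) can be made concrete with a small FROM-graph walk. This is an added example, not Binarly's or Debian's code; the image names, the FROM relations and the set of directly backdoored images are constructed.

```python
"""Transitive exposure from a backdoored base image across a registry.

Added example: image names and FROM relations are constructed. Given which
images were built with the backdoored xz-utils package, walk the FROM graph
downward to find every derived image and the "order" at which the backdoor
reached it (1 = built directly with the bad package, 2 = FROM such an image,
3 = FROM a second-order image, and so on).
"""
from collections import deque

# Constructed FROM relations: child image -> the base image it was built on.
FROM_EDGES = {
    "example.org/app-base:2024.03": "example.org/distro-base:march-2024",
    "example.org/api:1.4": "example.org/app-base:2024.03",
    "example.org/worker:1.4": "example.org/app-base:2024.03",
    "example.org/report-cron:0.9": "example.org/worker:1.4",
    "example.org/docs:3.1": "example.org/static-base:2023.11",
}

# Constructed stand-in for a scan result: images whose own build pulled the
# backdoored package from the distribution's repository.
DIRECTLY_BACKDOORED = {"example.org/distro-base:march-2024"}


def derived_images(edges):
    """Invert child->base into base->[children] for downward traversal."""
    children = {}
    for child, base in edges.items():
        children.setdefault(base, []).append(child)
    return children


def propagation_orders(edges, backdoored):
    """Return {image: order} for every image that inherits the backdoored
    liblzma through its FROM chain. BFS yields the shortest chain per image."""
    children = derived_images(edges)
    order = {img: 1 for img in backdoored}
    queue = deque(backdoored)
    while queue:
        base = queue.popleft()
        for child in children.get(base, []):
            if child not in order:          # first visit = minimal order
                order[child] = order[base] + 1
                queue.append(child)
    return order


def rebuild_plan(edges, backdoored):
    """Affected images sorted base-first, so no derived image is rebuilt on
    top of a parent that has not itself been rebuilt yet."""
    orders = propagation_orders(edges, backdoored)
    return sorted(orders, key=lambda img: (orders[img], img))
```

The FROM graph alone misses images that copy a library out of another stage (COPY --from) or vendor it directly, which is why a content scan of the layers, like the IFUNC-resolver check the page describes, is still needed.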