
Investigators have identified the XZ Utils backdoor embedded in Docker Hub images

Recent research has revealed the presence of Docker images on Docker Hub that contain the notorious XZ Utils backdoor, more than a year after the initial discovery of the incident. Binarly Research reported that 35 images were found to ship with the backdoor, raising concerns about the risks associated with the software supply chain. The XZ Utils supply chain event, identified as CVE-2024-3094 with a CVSS score of 10.0, was first reported in late March 2024 by Andres Freund. The backdoor, embedded in XZ Utils versions 5.6.0 and 5.6.1, allows for unauthorized remote access and the execution of arbitrary payloads through SSH. Specifically, the malicious code, located in the liblzma.so library, activates when a client interacts with the compromised SSH server, enabling attackers to bypass authentication and execute root commands remotely.

Further analysis revealed that the changes were introduced by a developer named Jia Tan (JiaT75), who had contributed to the open-source project for nearly two years before gaining maintainer privileges. This meticulous approach suggests a highly sophisticated and complex state-sponsored operation, as noted by Binarly. The ongoing impact of this incident continues to reverberate through the open-source ecosystem, with the discovery of 12 Debian Docker images containing the XZ Utils backdoor, along with additional second-order images built on these compromised bases. Binarly reported these findings to the Debian maintainers, who opted to keep the affected images available as historical artifacts, citing the unlikely conditions required for exploitation. However, Binarly cautioned that maintaining publicly accessible Docker images with a potential network-reachable backdoor poses significant security risks, despite the specific criteria needed for successful exploitation. 
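The affected Debian images can be recognised from their package database rather than by exercising the backdoor. The following added example (not Binarly's or Debian's tooling) parses a constructed `/var/lib/dpkg/status` extract, as would be found in an unpacked image layer, and flags installed xz/liblzma packages whose upstream version is 5.6.0 or 5.6.1; the package names and the sample stanzas are assumptions for illustration.

```python
import re

# Upstream XZ Utils / liblzma versions that carried the CVE-2024-3094 backdoor
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}
# Debian package names that ship liblzma or the xz tools (assumed names to check)
WATCHED_PACKAGES = {"liblzma5", "xz-utils", "liblzma-dev"}


def upstream_version(debian_version: str) -> str:
    """Strip the epoch ('1:') and Debian revision ('-1') from a Debian version string."""
    v = debian_version.split(":", 1)[-1]
    return v.rsplit("-", 1)[0] if "-" in v else v


def parse_dpkg_status(text: str) -> list[dict]:
    """Parse the stanza format of /var/lib/dpkg/status into a list of field dicts."""
    packages = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (e.g. long descriptions) start with whitespace; skip them
            if ":" in line and not line.startswith((" ", "\t")):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            packages.append(fields)
    return packages


def find_backdoored(status_text: str) -> list[tuple[str, str]]:
    """Return (package, version) pairs for installed watched packages at a backdoored version."""
    hits = []
    for pkg in parse_dpkg_status(status_text):
        name, version = pkg.get("Package", ""), pkg.get("Version", "")
        installed = pkg.get("Status", "").endswith("installed")
        if name in WATCHED_PACKAGES and installed and upstream_version(version) in BACKDOORED_VERSIONS:
            hits.append((name, version))
    return hits


# Constructed sample of a dpkg status file, mimicking an extracted image layer
SAMPLE_STATUS = """\
Package: liblzma5
Status: install ok installed
Version: 5.6.1-1
Architecture: amd64

Package: xz-utils
Status: install ok installed
Version: 5.6.1-1

Package: zlib1g
Status: install ok installed
Version: 1:1.3.dfsg-3
"""

if __name__ == "__main__":
    for name, version in find_backdoored(SAMPLE_STATUS):
        print(f"BACKDOORED: {name} {version} (CVE-2024-3094)")
```

To run it against a real image, export the filesystem (for example with `docker save` and untar, or `docker cp` of `/var/lib/dpkg/status`) and feed the file contents to `find_backdoored`.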
