Read about a supply chain attack that involves XZ Utils, a data compressor widely used in Linux systems, and learn how to protect from this threat.

A threat actor quietly spent the last two years integrating themself in the core team of maintainers of XZ Utils, a free software command-line data compressor widely used in Linux systems. The attacker slowly managed to integrate a backdoor in the software that was designed to interfere with SSHD and allow remote code execution via an SSH login certificate. The backdoor was discovered a few days before being released on several Linux systems worldwide.

The threat actor is suspected to be a developer with or using the name Jian Tan. Several security experts believe this supply chain attack might be state sponsored.

What is XZ Utils, and what is the XZ backdoor?

XZ Utils and its underlying library liblzma is a free software tool that implements both XZ and LZMA, which are two compression/decompression algorithms widely used in Unix-based systems, including Linux systems. XZ Utils is used by many operations on those systems for compressing and decompressing data.

The CVE-2024-3094 backdoor found in XZ Utils was implemented to interfere with authentication in SSHD, the OpenSSH server software that handles SSH connections. The backdoor enabled an attacker to execute remote code via an SSH login certificate. Only XZ Utils versions 5.6.0 and 5.6.1 are impacted.

How the XZ backdoor was implemented cautiously for more than years

On March 29, 2024, Microsoft software engineer Andres Freund reported the discovery of the backdoor. Freund explained that the discovery of the backdoor in XZ was luck, as it “really required a lot of coincidences.” He found it when he became interested in odd behavior of a Debian sid installation, such as SSH logins taking a lot of CPU and Valgrind errors and decided to analyze the symptoms in depth.

Yet it appears that the implementation of the backdoor has been a very quiet process that took about two years. In 2021, a developer named Jian Tan, username JiaT75, appeared out of the blue to start working on the XZ Utils code, which is not unusual because developers of free software often work together on updating code. Tan contributed frequently to the XZ project since late 2021, slowly building trust in the community.

In May 2022, an unknown user using the fake name Dennis Ens complained on the XZ mailing list that the software update was not satisfying. Another unknown user, Jigar Kumar, came into the discussion two times to pressure the main developer of XZ Utils, Lasse Collin, to add a maintainer to the project. “Progress will not happen until there is new maintainer,” Jigar Kumar wrote. “Why wait until 5.4.0 to change maintainer? Why delay what your repo needs?”

Meanwhile, Collin expressed that “Jia Tan has helped me off-list with XZ Utils and he might have a bigger role in the future at least with XZ Utils. It’s clear that my resources are too limited (thus the many emails waiting for replies) so something has to change in the long term.” (Collin wrote Jia in his message while other messages reference Jian. To add to the confusion, Jian’s nickname is JiaT75.)

In the months that followed, Tan became increasingly involved in XZ Utils and became co-maintainer of the project. In February 2024, Tan issued commits for versions 5.6.0 and 5.6.1 of XZ Utils, both of which contained the backdoor.
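The article states that only XZ Utils versions 5.6.0 and 5.6.1 are impacted. As an added example (not part of the original article or of the XZ project), the shell check below parses `xz --version` output and flags those two releases for both the `xz` tool and `liblzma`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the XZ Utils releases the article names as backdoored.
AFFECTED="5.6.0 5.6.1"

# classify_version VERSION -> prints "affected", "not-affected" or "unknown".
classify_version() {
    # Keep only the leading x.y.z, ignoring any trailing suffix.
    v=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || { echo unknown; return; }
    for bad in $AFFECTED; do
        [ "$v" = "$bad" ] && { echo affected; return; }
    done
    echo not-affected
}

# scan_xz_output TEXT -> prints "component version status" per component found
# in `xz --version` output; returns 1 if any component is an affected release.
scan_xz_output() {
    report=$(printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            "xz (XZ Utils) "*) name=xz;      ver=${line#"xz (XZ Utils) "} ;;
            "liblzma "*)       name=liblzma; ver=${line#"liblzma "} ;;
            *) continue ;;
        esac
        echo "$name $ver $(classify_version "$ver")"
    done)
    [ -n "$report" ] && printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q ' affected$'
}

# Constructed sample of `xz --version` output from a host on an affected release.
SAMPLE='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
scan_xz_output "$SAMPLE" || echo "sample: affected release detected"

# Check the local host, if xz is installed.
if command -v xz >/dev/null 2>&1; then
    scan_xz_output "$(xz --version)" ||
        echo "WARNING: XZ Utils 5.6.0/5.6.1 installed on this host" >&2
fi
```

A clean result from this check only covers the `xz` binary found on `PATH` and the `liblzma` it reports; package-manager version strings may differ from the upstream version and should be checked against the distribution's advisory.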