Is your XZ/SSH Security Library Compromised? How to Check for Recent Backdoor

Recently the common XZ library had a major backdoor found – by its own contributor. You can read about the recent discovery on OpenSSF. What does this say about the common advice to “always update the latest updates”? And how many times have things like this happened in the past?

Checking your computer/server

To see if your xz version is the affected 5.6 backdoor, you can run in the terminal “xz –version”:

xz --version
xz (XZ Utils) 5.2.5
liblzma 5.2.5

In all likelihood – unless you are on a very recent Arch Linux or prerelease version that updates often – you will not be on the affected version. As the article states, they have “not yet widely been integrated by Linux distributions”

One common feature of Debian/Ubuntu and other distributions is that they will not generally update newer major versions within the same distribution. If you upgrade a newer OS version all of the latest versions of packages will be updated to later versions.

Digging deeper

A full analysis can be found in the original mailing list here, which outlines several complicated steps added in to the shell scripts and build process in order to add in some backdoor in recent version. It is concerning that other similar vulnerabilities may exist, considering how this was found by accident by a Microsoft researcher.

Previous history

Has something like this happened before? Yes:

Remember when numerous sites on WordPress 4.7 were attacked/hacked due to their new REST api? Any WordPress sites with older versions could not be affected if they did not have the newer REST features.

Conclusion

Both WordPress and Debian/Ubuntu will do minor updates with minor security updates, which is good for security – sometimes updating to the latest version is actually worse…

When upgrading software it is always good to consider what has been added or removed – do additional features add more scope and bigger attack surface – or are there new security features? or, both?

Leave a Reply

Your email address will not be published. Required fields are marked *

÷ 3 = one