Full Report
The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk. [...]
Analysis Summary
# Vulnerability: Persistent Risk: XZ-Utils Backdoor Found in Docker Hub Images
## CVE Details
- CVE ID: Not explicitly provided in the summary; the vulnerability is the widespread XZ-Utils backdoor (commonly tracked as CVE-2024-3094, though the snippet does not confirm this).
- CVSS Score: Not provided based on this summary.
- CWE: Not explicitly provided in the summary.
## Affected Systems
- Products: Linux Images hosted on Docker Hub, specifically those built using compromised versions of XZ-Utils.
- Versions: Any image carrying the backdoored XZ-Utils release. The snippet does not state the range explicitly; the range associated with the XZ backdoor is XZ Utils 5.6.0 through 5.6.1.
- Configurations: Containers/systems where these compromised images are pulled and run, particularly those running SSH services accessible over the network.
## Vulnerability Description
The vulnerability is a backdoor secretly introduced into the XZ compression utility (xz-utils). It could allow remote attackers to compromise systems that load the compromised library, in particular by interacting with SSH services (sshd): the malicious code contains trigger logic that manipulates OpenSSH authentication.
## Exploitation
- Status: The article focuses on the backdoor's persistence in container images; it does not report mass exploitation in the wild *through these specific Docker images*. The underlying XZ backdoor is known to have PoC/exploit potential.
- Complexity: Unknown based on this summary, but the underlying XZ backdoor exploitation is generally considered complex, requiring very specific circumstances (e.g., presence of sshd, network accessibility, specific key matches).
- Attack Vector: Network (implied, via vulnerable SSH services in the container).
## Impact
- Confidentiality: Potentially High (Remote code execution leading to data leakage).
- Integrity: Potentially High (Remote code execution leading to system manipulation).
- Availability: Potentially Medium/High (System compromise/denial of service).
## Remediation
### Patches
The latest stable version mentioned for XZ-Utils is 5.8.1. Users should ensure they are running updated versions of XZ-Utils, specifically **version 5.6.2 or later**.
- For official Debian images, users must use up-to-date images sourced correctly per vendor instructions.
### Workarounds
- Users should *only* use up-to-date images from Docker Hub and avoid using old, unpatched images.
- If such containers must run, reduce the conditions the backdoor needs for exploitation (e.g., restrict network access to the container's SSH port if sshd is running).
## Detection
- Indicators of Compromise: Indicators are related to the specific behavior of the XZ backdoor within `liblzma.so` or related binaries.
- Detection Methods and Tools: Security tools and frameworks (like those from Kaspersky, mentioned indirectly) can scan Linux systems and dependent open-source software builds for known indicators of the compromised XZ-Utils package. Users should check the running version of XZ-Utils on their hosts and within their running containers.
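One way to carry out the version check recommended above, as an added example that is not from the Binarly report or the XZ project: a POSIX shell script that classifies `xz --version` output and audits a list of Docker images by running that command in a throwaway container. The function names and the image names are assumptions; the backdoored range (5.6.0 and 5.6.1) is the one cited in this summary.

```shell
#!/bin/sh
# Added example (not from the report): classify `xz --version` output and
# audit Docker images for the backdoored XZ Utils releases 5.6.0 and 5.6.1.

# Return 0 (true) when a version string is one of the backdoored releases.
xz_version_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the library version out of `xz --version` output, preferring the
# "liblzma X.Y.Z" line because the backdoor lives in liblzma, and falling
# back to the "xz (XZ Utils) X.Y.Z" line.
parse_xz_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    printf '%s\n' "$ver"
}

# Print BACKDOORED, OK or UNKNOWN for one block of `xz --version` output.
classify_xz_output() {
    v=$(parse_xz_version "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif xz_version_backdoored "$v"; then
        echo BACKDOORED
    else
        echo OK
    fi
}

# Run `xz --version` inside a throwaway container for each image given and
# report its classification. Skips quietly when docker is not installed.
audit_images() {
    command -v docker >/dev/null 2>&1 || { echo 'docker not found; skipping audit' >&2; return 0; }
    for img in "$@"; do
        out=$(docker run --rm --entrypoint xz "$img" --version 2>/dev/null || true)
        printf '%s\t%s\n' "$img" "$(classify_xz_output "$out")"
    done
}

# Constructed sample output of a backdoored build, for a stand-alone run.
SAMPLE='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
classify_xz_output "$SAMPLE"   # prints BACKDOORED
# Image names below are placeholders, not from the report:
# audit_images debian:bookworm example-org/app:latest
```

A clean version string is a first pass, not proof of absence: the backdoor lives in `liblzma.so`, so images where the library and the `xz` binary come from different packages still need a file-level indicator scan.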
## References
- Vendor Advisories: Debian maintainer response regarding artifact retention (github.com/debuerreotype/docker-debian-artifacts/issues/246)
- Relevant Links:
  - Binarly report detail (binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images)