
A new study has discovered Docker images on Docker Hub that still contain the infamous XZ Utils backdoor.
Even more troublesome, other images are built on top of these infected base images, effectively passing the infection on transitively, Binarly Research says in a report shared with The Hacker News.
The firmware security company said it discovered a total of 35 images that ship with the backdoor. The incident once again highlights the risks faced by the software supply chain.
The XZ Utils supply chain incident (CVE-2024-3094, CVSS score: 10.0) came to light in late March 2024, when Andres Freund raised the alarm about a backdoor embedded in XZ Utils versions 5.6.0 and 5.6.1.

Further analysis of the malicious code and the broader compromise led to some surprising discoveries. First, the backdoor can grant unauthorized remote access, allowing the execution of arbitrary payloads via SSH.
“Specifically, the backdoor located in the liblzma.so library, which is loaded by OpenSSH servers, is designed to be triggered when a client interacts with an infected SSH server.
By hijacking the RSA_public_decrypt function using glibc’s IFUNC mechanism, the malicious code allowed an attacker holding a specific private key to bypass authentication and remotely execute commands as root,” explained Binarly.
The second discovery was that the change had been pushed by a developer going by “Jia Tan” (JiaT75), who had contributed to open source projects for almost two years, building trust until he was given maintainer responsibilities, which demonstrates the meticulous nature of the attack.
“It was clearly a very complicated state-sponsored operation, with impressive refinement and multi-year plans,” Binarly said at the time. “This complex, professionally designed comprehensive porting framework was not developed for one-shot operations.”
The company’s latest research shows that the incident continues to send aftershocks through the open source ecosystem, even after all these months.
These include 12 Debian Docker images that contain the backdoored XZ Utils, and a second set of images that were built on top of those compromised Debian images.

Binarly said it reported the base images to the Debian maintainers, who said they had made a deliberate choice to keep these artifacts available as a historical curiosity.
However, the company noted that leaving Docker images containing the backdoor publicly available is a serious security risk, even though successful exploitation requires specific conditions: network access to an infected device that is running an SSH service.
“The XZ Utils backdoor incident shows that even short-lived malicious code can be propagated into the Docker ecosystem and go unnoticed in official container images for a long time,” the company added.
“The delay highlights how these artifacts quietly persist and propagate through CI pipelines and the container ecosystem, reinforcing the critical need for continuous binary-level monitoring beyond simple version tracking.”
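The transitive propagation described above is easy to miss because the child image's own build never installs xz; the library arrives with the base layer. The following added example (not Binarly's tooling or code from the article) walks the layers of a `docker save` tarball, flags any liblzma file named for the backdoored 5.6.0 or 5.6.1 releases, and reports which layer introduced it. The tarball here is constructed inline; filenames are checked only, so it is a layer-level version check, not the binary-level inspection the quote calls for.

```python
"""Scan a `docker save` image tarball for liblzma builds named for the
backdoored XZ Utils releases (CVE-2024-3094) and report the layer that
introduced each one, so a base-image infection is distinguishable from
something the image's own build pulled in."""
import io
import json
import re
import tarfile

BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}  # versions named in the advisory
LIBLZMA_RE = re.compile(r"liblzma\.so\.(\d+\.\d+\.\d+)$")


def scan_image(tar_bytes):
    """Return [(layer, path, version)] for every liblzma file in any layer
    whose version suffix matches a backdoored release."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:  # base layer comes first
            with tarfile.open(fileobj=image.extractfile(layer_name)) as layer:
                for member in layer.getmembers():
                    m = LIBLZMA_RE.search(member.name)
                    if m and m.group(1) in BACKDOORED_VERSIONS:
                        hits.append((layer_name, member.name, m.group(1)))
    return hits


def _tar_bytes(files):
    """Build an in-memory uncompressed tar from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed sample in `docker save` layout: a base layer that ships a
    backdoored liblzma and a child layer that only adds an application."""
    base = _tar_bytes({"usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1": b"\x7fELF-stub"})
    child = _tar_bytes({"app/server.py": b"print('hello')\n"})
    manifest = json.dumps([{"Config": "cfg.json", "RepoTags": ["example/app:latest"],
                            "Layers": ["base/layer.tar", "child/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest,
                       "base/layer.tar": base, "child/layer.tar": child})


if __name__ == "__main__":
    for layer, path, version in scan_image(build_sample_image()):
        print(f"backdoored xz {version} at {path} (introduced by layer {layer})")
```

On a real image, feed it the output of `docker save <image>` and treat any hit in the first listed layer as a base-image problem to raise with the upstream publisher rather than in the image's own Dockerfile.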