How the Backdoor Works
The XZ-Utils backdoor hijacks the RSA_public_decrypt function in OpenSSH via glibc’s IFUNC mechanism.
If an attacker with a special private key connects over SSH to an affected system, they can bypass authentication and execute commands as root.
The malicious code was introduced by a long-time project contributor, “Jia Tan”, and shipped in official packages for Debian, Fedora, OpenSUSE, and Red Hat. This incident is considered one of the most severe open-source supply chain compromises of 2024.
Debian’s Controversial Response
Despite the discovery, Debian maintainers chose not to remove the affected Docker images. They argue that:
- Exploitation would require sshd to be installed and running in the container.
- The attacker must have network access to the container’s SSH service.
- The attacker must possess the specific private key that triggers the backdoor.
Debian maintains these images for archival purposes and advises users to only pull up-to-date images.
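The first of Debian's conditions (sshd running) together with the mechanism described above can be checked on a live system: the backdoor's IFUNC hook lives in liblzma, so it can only act if liblzma is mapped into the sshd process. The script below is an added example, not code from the article, from Debian or from Binarly; it scans /proc for sshd processes and reports any liblzma mappings. SAMPLE_MAPS is a constructed /proc/<pid>/maps excerpt used for offline testing, and a hit means the exposure precondition exists, not that the build is backdoored.

```python
"""Report sshd processes that have liblzma mapped into their address space."""
import re
from pathlib import Path

# Pathname column of a /proc/<pid>/maps line that refers to liblzma.
_LIBLZMA_RE = re.compile(r"/liblzma\.so(\.\d+)*$")

# Constructed sample of /proc/<pid>/maps for an sshd process (not real data).
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a40000 r-xp 00000000 08:01 1310 /usr/sbin/sshd
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c42a000 r-xp 00000000 08:01 2201 /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f3a1c42a000-7f3a1c629000 ---p 0002a000 08:01 2201 /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f3a1c800000-7f3a1c9c0000 r-xp 00000000 08:01 2210 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""


def liblzma_mappings(maps_text: str) -> list[str]:
    """Return the distinct liblzma paths found in the text of a maps file."""
    found: list[str] = []
    for line in maps_text.splitlines():
        # Columns: address perms offset dev inode [pathname]; anonymous
        # mappings have no pathname and are skipped.
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue
        path = fields[5]
        if _LIBLZMA_RE.search(path) and path not in found:
            found.append(path)
    return found


def scan_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Map pid -> liblzma paths for every process named sshd under proc_root.

    Reading another user's maps file needs root; unreadable or vanished
    processes are skipped rather than aborting the scan.
    """
    root = Path(proc_root)
    if not root.is_dir():
        return {}
    hits: dict[int, list[str]] = {}
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            if (entry / "comm").read_text().strip() != "sshd":
                continue
            paths = liblzma_mappings((entry / "maps").read_text())
        except OSError:
            continue
        if paths:
            hits[int(entry.name)] = paths
    return hits


if __name__ == "__main__":
    for pid, paths in scan_proc().items():
        print(f"sshd pid {pid} has liblzma mapped: {paths}")
```

A hit only establishes that the hijack's precondition holds on that host; confirm the installed xz package version against your distribution's advisory before treating it as affected.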
Debian maintainer’s response
Source: Binarly