Investigation of a performance bug reveals a backdoor in xz Utils on Linux

An investigation into performance problems on Linux has revealed a backdoor in the most recent versions of the xz Utils tool, with which a malicious actor sought to gain full control of affected systems.

Developer Andres Freund noticed abnormal behaviour on his Debian system: the sshd process that handles SSH remote logins was consuming far more CPU than expected, and the Valgrind memory-debugging tool was reporting errors in the liblzma compression library.

While investigating the cause, he discovered a backdoor that a malicious actor or group had implanted in a recent release of xz Utils, a lossless compression tool and library widely used on Linux.

The malicious code was designed to hook into SSH authentication inside a process running with root privileges. It did not steal the victim's keys; instead, an attacker holding a specific private key could bypass authentication on an affected machine and execute commands as root, thereby obtaining remote control of the whole system.

Although it is not known who is behind it, security researchers point to a user known as JiaT75, or Jia Tan, as reported on the Deepfactor blog and by the specialised outlet Ars Technica. This account made its first commit in 2021, a change to the libarchive project, and a year later began contributing to xz Utils, submitting patches and updates.

The backdoor is present in versions 5.6.0 and 5.6.1, the most recent releases of xz Utils. Red Hat, one of the companies that works on Linux, has therefore urged users not to update or, if they have already done so, to return to an earlier, unaffected version.
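As an added example, not part of the original article or of the xz project, the following POSIX shell script checks a host for the two affected releases and reports whether the sshd binary loads liblzma, which is the route by which the backdoor reached sshd on distributions whose OpenSSH links libsystemd. The function names are my own, and the parsing assumes the usual "xz (XZ Utils) <version>" first line of `xz --version` output.

```shell
#!/bin/sh
# Added example: detect the backdoored xz-utils releases 5.6.0 and 5.6.1
# and check whether sshd pulls in liblzma. Not code from the article or
# the xz project; function names are assumptions of this example.

# Return 0 (true) when a version string names one of the two known-bad releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output, whose first line
# is assumed to look like "xz (XZ Utils) 5.6.1"; prints only the version.
xz_version_from_output() {
    first_line=$(printf '%s\n' "$1" | head -n 1)
    printf '%s\n' "${first_line##* }"
}

# Report whether the sshd binary at $1 (default: the one on PATH) loads
# liblzma. Returns 0 if it does, 1 otherwise. Uses ldd, so it only works
# on the live host, not in a container without the binary.
sshd_loads_liblzma() {
    bin=${1:-$(command -v sshd 2>/dev/null)}
    if [ -z "$bin" ]; then
        echo "sshd not found on PATH"
        return 1
    fi
    if ldd "$bin" 2>/dev/null | grep -q liblzma; then
        echo "$bin loads liblzma:"
        ldd "$bin" 2>/dev/null | grep liblzma
        return 0
    fi
    echo "$bin does not load liblzma"
    return 1
}

# Combined host check: prints a verdict and returns 0 when the installed
# xz is one of the affected releases, 1 otherwise.
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed"
        return 1
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$ver"; then
        echo "xz $ver is a backdoored release: downgrade to an earlier version and restart sshd"
        sshd_loads_liblzma
        return 0
    fi
    echo "xz $ver is not one of the affected releases (5.6.0, 5.6.1)"
    return 1
}

# Run the host check only when invoked as: sh check_xz.sh check
case "${1:-}" in
    check) check_host ;;
esac
```

Run it with `sh check_xz.sh check`; a zero exit status means an affected xz is installed. Note that a clean `xz` binary on PATH does not guarantee a clean liblzma if the library was installed separately, so the `ldd` output is worth reading as well.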

By Editor
