March 2024 - XZ+SSH backdoor

Posted on 2024-04-01 01:03:03 UTC

Hello,

If you haven't updated your Linux systems recently, I would strongly advise you to do so now.

At the beginning of the Easter weekend, it was discovered that malicious code had been implanted into the XZ source code. While the code hasn't been fully audited (including when it is bundled with other applications like SSH), it has been noted that when built on Fedora and Debian systems, using glibc and systemd, an SSH backdoor was present.

Not much is known about the intentions behind this code being present in the XZ code, and groups are currently trying to piece everything together. It may also affect other uses of XZ, but that will need to be fully investigated. It may take some time to fully grasp what the resulting code does and why.

NUBI did detect a spike in SSH traffic earlier in the week. At the time there was no public knowledge of the XZ backdoor, so this appeared to be regular background noise.



Until we have more information about the backdoor, we recommend that you update your systems and consult your distribution maintainers for any other mitigation steps that you may want to take.

Stay safe and thank you for using NUBI.