XZ Utils Backdoor Still Lurking in Docker Images

https://news.ycombinator.com/rss Hits: 4
Summary

By Binarly REsearch

At the end of March last year, the entire cybersecurity community was rocked by the discovery of the infamous XZ Utils backdoor. ‘Jia Tan’, a developer who had spent two years building significant credibility in the project through numerous contributions, inserted a sophisticated backdoor into the xz-utils packages. The discovery sent cybersecurity experts, including the Binarly REsearch team, scrambling to reverse engineer the backdoor to understand its scope and potential impact. In short, the backdoor was embedded in the liblzma.so library, which is loaded by the OpenSSH server, and is triggered when a client interacts with the infected SSH server. The final goal of the malicious code is to install three hooks in the context of the sshd process, targeting the RSA_public_decrypt, RSA_get0_key, and EVP_PKEY_set1_RSA functions, thereby enabling the backdoor functionality. This is achieved through a sophisticated sequence of hooks, initiated by modified IFUNC resolvers for lzma_crc32 and lzma_crc64 in the liblzma.so library. Last year, we released a comprehensive analysis detailing the hook chain and the backdoor’s functionality.

What really stood out in this story is that the backdoor’s impact wasn’t just theoretical: malicious xz-utils packages containing the backdoor were distributed by several major Linux distributions, including Debian, Fedora and openSUSE. This had serious implications for the software supply chain, as it became challenging to quickly identify all the places where the backdoored library had been included. Within 24 hours, Binarly released XZ.fail, a free static-analysis-based tool designed to detect suspicious IFUNC resolvers with near-zero false positives.

In this blog, we share a new finding in the XZ Utils saga: several Docker images built around the time of the compromise contain the backdoor.
At first glance, this might not seem alarming: if the distribution packages were backdoored, then any Docker images based on them would be ...

First seen: 2025-08-19 00:48

Last seen: 2025-08-19 03:48