BSI warns of “XZ Utils”
Huge security flaw discovered in Linux operating system
Code in the software tool “XZ Utils”, which is used on Linux, was manipulated. One expert calls it the “most effective backdoor” that “has ever been built into a software product.” Now system administrators have some homework to do.
After uncovering a potential cyber attack on countless Internet servers, the Federal Office for Information Security (BSI) asked IT managers to take countermeasures. In an official security warning, the BSI spoke of a “critical backdoor” in the Linux operating system that had to be closed.
The security hole, which was introduced at great expense, was discovered before Easter by German software engineer Andres Freund, who works for Microsoft in the USA. The 38-year-old database expert noticed that a so-called remote login to a Linux computer suddenly required more computing power and was delayed by an inexplicable 500 milliseconds.
After an extensive search, Freund discovered manipulations in the software tool “XZ Utils”, an open source project for data compression used by many Linux variants, which had been maintained as a hobby by a single volunteer for many years. The manipulated “XZ Utils” could have been “the most widespread and effective backdoor ever built into a software product,” said renowned security expert Alex Stamos, former head of security at Facebook.
Security warning for versions 5.6.0 and 5.6.1
The backdoor would have spread widely, since the Linux remote access software SSH also uses the compression tool. The New York Times compared the German software expert to a bakery worker who “smells a piece of freshly baked bread and senses that something is wrong and concludes that someone has tampered with the entire world's yeast supply.” It had previously become known that a cybercriminal using the pseudonym “Jia Tan” had spent months gaining the trust of the legitimate programmer of the affected software tool in order to then manipulate the software code.
The BSI has now asked system administrators to check whether a manipulated version of “XZ Utils” is installed on their Linux systems. The security warning specifically refers to versions 5.6.0 and 5.6.1 of the tools. The Bonn authority classified the IT threat situation as “business-critical” and warned of a “massive disruption to regular operations”.
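The check the BSI asks for, as an added example (not part of the original article or of the BSI warning): it reads the output of `xz --version`, which reports the tool and the liblzma library on separate lines, and flags versions 5.6.0 and 5.6.1. The helper names `find_affected` and `check_local_xz` and the sample version lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Versions named in the BSI warning on this page.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# find_affected (hypothetical helper): reads `xz --version` style text on
# stdin and prints each component whose version is on the affected list.
# Returns 0 if at least one affected component was found, 1 otherwise.
find_affected() {
    hit=1
    while read -r line || [ -n "$line" ]; do
        name=${line%% *}       # first word: "xz" or "liblzma"
        version=${line##* }    # last word: the version string
        case "$version" in
            [0-9]*.[0-9]*.[0-9]*) ;;   # looks like x.y.z
            *) continue ;;             # skip blank or unrelated lines
        esac
        for bad in $AFFECTED_VERSIONS; do
            if [ "$version" = "$bad" ]; then
                printf '%s %s\n' "$name" "$version"
                hit=0
            fi
        done
    done
    return "$hit"
}

# check_local_xz (hypothetical helper): applies the same test to this host.
check_local_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not in PATH" >&2; return 2; }
    if xz --version | find_affected; then
        echo "AFFECTED: a version named in the warning is installed" >&2
        return 0
    fi
    echo "xz --version reports no affected version" >&2
    return 1
}

if [ "${1:-}" = "--local" ]; then
    check_local_xz
else
    # Constructed sample: xz binary and liblzma library at different versions.
    printf 'xz (XZ Utils) 5.4.5\nliblzma 5.6.1\n' | find_affected || true
fi
```

Run with `--local` to test the current host. The script only evaluates what the installed `xz` binary reports about itself and its library, so package-manager version strings need a separate look.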