There is a popular compression algorithm called XZ. And it seams that somebody were able to sneak malicious code into that project. Among other they hid their code as test data. This code does nothing unless it is running as part of SSH. SSH (Secure SHell) allows administrators to log into remote servers and is obviously a very well protected project which is how this backdoor was discovered. By default OpenSSH does not include XZ but a lot of Linux distributions like Debian and RedHat modifies OpenSSH to work better with SystemD, a service manager. And these modifications require XZ to be included which pulls the malicious code into the SSH server process. Once in the process it modifies the code that does authentication. It might therefore be able for this person who added this code to the XZ library to log into most Linux servers.
Fortunately this was discovered before the malicious code got deployed to any major production systems. It was very well hidden but a few mistake ended up getting discovered in the test version of Debian. This would be scheduled to be release some time in 2025. The backdoor was included in Fedora 41 which is a desktop variant of RedHat and therefore includes newer versions of packages. It might have affected the RedHat release which probably comes in 2025 as well. So there are very few Linux servers affected by this attack at all.
Latest Answers