Playing With Fire - Are Russia's hybrid attacks the new European war?

https://investigations.news-exchange.ebu.ch/playing-with-fire-are-russias-hybrid-attacks-the-new-european-war/
1•pabs3•38s ago•0 comments

Why Gen X is the real loser generation

https://www.economist.com/finance-and-economics/2025/05/08/why-gen-x-is-the-real-loser-generation
1•andsoitis•2m ago•0 comments

Getting Started with Swift SDKs for WebAssembly

https://www.swift.org/documentation/articles/wasm-getting-started.html
2•TheWiggles•7m ago•0 comments

Show HN: Twitter Condom – Control your Twitter feed

https://twittercondom.app
1•slalani304•7m ago•0 comments

The $30 Million Lottery Scam (2022)

https://www.theatlantic.com/culture/archive/2022/10/viktor-gjonaj-michigan-lottery-scam-wire-fraud/671741/
1•indigodaddy•7m ago•0 comments

100% of foreign agriculture workers were sexually assaulted, expert says

https://www.jpost.com/israel-news/100-percent-of-foreign-agriculture-workers-were-sexually-assaulted-expert-says-682532
3•mhga•8m ago•0 comments

Text Notes to Notion

https://www.allegory.to/boozle
2•henry-dowling•10m ago•1 comments

Writing Micro Compiler in OCaml (2014)

http://troydm.github.io/blog/2014/03/29/writing-micro-compiler-in-ocaml/
1•notagoodidea•11m ago•0 comments

How I Made Ruby Faster Than Ruby

https://noteflakes.com/articles/2025-08-18-how-to-make-ruby-faster
1•thunderbong•12m ago•0 comments

Covid-19 seems to age blood vessels – but only among women

https://www.newscientist.com/article/2492805-covid-19-seems-to-age-blood-vessels-but-only-among-women/
1•ivewonyoung•15m ago•0 comments

Product Operations Manager, Meta Superintelligence Labs

https://www.metacareers.com/jobs/717327034414949?_fb_noscript=1
1•wxw•18m ago•0 comments

Against SQL (2021)

https://www.scattered-thoughts.net/writing/against-sql/
1•pabs3•26m ago•0 comments

I sat down with the new SEC Crypto Task Force, they are legit

https://blog.phor.net/sec-crypto-task-force
2•fulldecent2•29m ago•1 comments

Due Diligence

https://blog.ayjay.org/due-diligence/
1•blueridge•31m ago•0 comments

WhatsApp client library written purely in Rust

https://github.com/jlucaso1/whatsapp-rust
1•jlucaso•32m ago•1 comments

A Smarter Way to License Research Articles for AI

https://scholarlykitchen.sspnet.org/2025/08/07/guest-post-a-smarter-way-to-license-research-articles-for-ai/
1•jmnicholson•40m ago•0 comments

Global Warming Has Accelerated: Are the United Nations and the Public Informed?

https://www.tandfonline.com/doi/full/10.1080/00139157.2025.2434494#abstract
9•icw_nru•40m ago•3 comments

Universal Coordination Infrastructure

https://github.com/OscarLawrence/WorkSpace
1•vindao•41m ago•1 comments

Used AI to analyse three cities. It's true: we walk more quickly, socialise less

https://www.theguardian.com/commentisfree/2025/aug/18/ai-walk-more-quickly-socialise-less-public-spaces
1•pseudolus•42m ago•0 comments

The Family Fallout of DNA Surprises

https://www.newyorker.com/magazine/2025/08/25/the-family-fallout-of-dna-surprises
1•bookofjoe•43m ago•1 comments

Interleaving for Retrieval Augmented Generation

https://maxirwin.com/articles/interleaving-rag/
2•kinduff•45m ago•0 comments

Optimized Autonomous Inference

https://outerbounds.com/blog/autonomous-inference
1•savin-goyal•46m ago•0 comments

Starting game development in JavaScript with no experience

https://jslegenddev.substack.com/p/how-to-start-making-games-in-javascript
10•JSLegendDev•46m ago•1 comments

Nvidia's $4.5T valuation now tops the Russell 2000 Index by $1.5T

https://seekingalpha.com/news/4486468-nvidias-45t-valuation-now-tops-the-entire-russell-2000-index-by-15t
2•rntn•56m ago•0 comments

Direct File died. Meet the creators planning for its second life

https://fedscoop.com/direct-file-future-of-tax-filing-fellows/
2•petethomas•1h ago•0 comments

System Guide: Five sample PC builds, from $500 to $5k

https://arstechnica.com/gadgets/2025/08/ars-technica-system-guide-back-to-pc-building-for-back-to-school/
1•todsacerdoti•1h ago•0 comments

Conspiracy as Governance (2006) [pdf]

https://web.cs.ucdavis.edu/~rogaway/classes/188/materials/Assange%20-%20Conspiracy.pdf
1•firefax•1h ago•0 comments

New Moral Compass

https://twitter.com/andytrattner_/status/1957585440422392103
2•andytratt•1h ago•0 comments

'Work-Life Balance' Will Keep You Mediocre

https://www.wsj.com/opinion/work-life-balance-will-keep-you-mediocre-25bdf073
2•impish9208•1h ago•17 comments

Brazil's top court rules US laws do not apply to its territory

https://www.rfi.fr/en/international-news/20250819-brazil-s-top-court-rules-us-laws-do-not-apply-to-its-territory
10•matheusmoreira•1h ago•2 comments

XZ Utils Backdoor Still Lurking in Docker Images

https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images
53•torgoguys•2h ago

Comments

LeoPanthera•1h ago
Devs should consider migrating from xz to lzip, which is an improved LZMA container in multiple ways:

https://www.nongnu.org/lzip/xz_inadequate.html

Analemma_•1h ago
That might be true but it’s not really relevant to this post: stale Docker images with vulnerabilities lingering on DockerHub can happen to any software package.
lifthrasiir•1h ago
Not only is it irrelevant in the context of Docker images, but lzip is also not that superior to xz; the linked post only covers minor concerns, and both lzip and xz are substantially simpler than the actual meat: the LZMA bitstream format.
dima55•1h ago
Important nitpick: this wasn't reported to the "Debian maintainers". In DEBIAN this was fixed long ago. The problem persists and was reported to people that work with Docker images, which is primarily people that don't want to use Debian the normal way, and don't benefit from many of the Debian niceties.
jchw•1h ago
The summary of what they did on the page is largely accurate. I mean, the repository on GitHub that cooks the official Docker Debian images is indeed primarily maintained by a Debian maintainer who is a member of many different Debian teams, even if it is not an official artifact of Debian. And the problem is fixed in Docker, too, but it sounds like the issue is that they'd like the old Docker images with the backdoored packages to be removed.

And sure, you definitely lose some niceties of Debian when you run it under Docker. You also lose some niceties of Docker when you don't.

jchw•1h ago
I'm not saying this isn't an issue, but I do wonder how many of these containers that contain the backdoor can feasibly trigger it. Wouldn't you need to run OpenSSH in the container? It's not unheard of, but it's atypical.
sugarpimpdorsey•1h ago
Most Docker images have zero security anyway. Who cares if someone has a key to the back door when the front door and garage are unlocked (and running as root of course)?
creatonez•1h ago
This headline is so egregiously sensationalist.

The XZ backdoor never made it to Debian stable. It is "still lurking in docker images" because Debian publishes unstable testing images, under a tag that is segregated from the stable release tags. You can find vulnerable containers for literally any vulnerability you can imagine by searching for the exact snapshot where things went wrong.

And then downstream projects, if they choose to, can grab those images and create derivatives.

Basing your images on an experimental testing version of Debian and then never updating it is an obvious mistake. Whether XZ is backdoored is almost irrelevant at that point, it's already rotting.

> Upon discovering this issue, Binarly immediately notified the Debian maintainers and requested removal, but the affected images remain in place.

It is generally considered inappropriate to remove artifacts from an immutable repository for having a vulnerability. This wasn't even done for vulnerable Log4j versions in Maven repositories, despite Log4shell being one of the most potent vulnerabilities in history. It would just break reproducible builds and make it harder to piece together evidence related to the exploit.

Analemma_•1h ago
I have a feeling a lot of users just reflexively upvote any story about security vulnerabilities without checking if the contents have any meat at all. It's a well-intentioned heuristic, but unfortunately it's easily exploited in practice, because there are a whole bunch of C- and D-list security consultancy firms who use blogspam about exaggerated threats to get cheap publicity.

This post is a classic example and should've been buried quickly as such. You wouldn't upvote a LinkedIn "look at what MyCorp has been up to!" post from a sales associate at MyCorp; a lot of this infosec stuff is no different.

torgoguys•5m ago
I'm the one who submitted this link. (I have zero affiliation with the authors). What you say is fair enough, but I thought the article an interesting data point nonetheless. In particular, I found it interesting how a vulnerability: 1) with a tiny window during which it was published, 2) of very high potential severity, and 3) with SO MUCH publicity surrounding it could still be lingering where you might accidentally grab it. The threat isn't giant here, but I saw it as just today's reminder to keep shields up.
lmm•41m ago
> The XZ backdoor never made it to Debian stable. It is "still lurking in docker images" because Debian publishes unstable testing images, under a tag that is segregated from the stable release tags. You can find vulnerable containers for literally any vulnerability you can imagine by searching for the exact snapshot where things went wrong.

To a first approximation nothing ever makes it into Debian stable. Anyone working in an actively developed ecosystem uses the thing they pretend is an "experimental testing version". It's a marketing strategy similar to how everything from Google used to be marked as "beta".

djkoolaide•23m ago
Given my understanding of Debian, I don't believe this can be attributed to a "marketing strategy."
notherhack•47m ago
See also https://news.ycombinator.com/item?id=44924254
burnt-resistor•23m ago
Not Debian images in particular, but zillions of derived images lacking updates. This is one of the many problems with using "community provided", un-curated, other people's pre-baked "golden master", old garbage rather than properly using patched and maintained systems. Apparent convenience with failure to audit.
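Two practical points in this thread, jchw's question of whether an image even ships sshd for the backdoored liblzma to be reachable, and burnt-resistor's point about derived images that never pick up updates, both reduce to an inventory check on the image. The script below is an added example, not code from the article, from Binarly, from Debian or from any commenter. It assumes a dpkg-based image, that the docker CLI is present for the live path, and that the operator supplies the affected package versions from the distribution's advisory; the version strings and package inventory used for the demo are constructed placeholders, and the function names (`flag_affected`, `has_sshd`, `image_packages`, `audit_image`) are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the article or the thread): audit the package
# inventory of a Debian-based container image for
#   (a) a package installed at a known-affected version, and
#   (b) whether openssh-server is installed at all, since the backdoor
#       discussed in the thread needs sshd in the image to be reachable.
# Assumptions: dpkg-based image; affected versions come from the distro
# advisory (the values below are constructed demo values, not real ones);
# the docker CLI is only needed for the live path at the bottom.

# flag_affected PKG_LIST PACKAGE "VER1 VER2 ..."
# PKG_LIST is "name version" lines as printed by dpkg-query.
# Prints each "name version" line whose version is in the affected list.
# Returns 0 if at least one line matched, 1 otherwise.
flag_affected() {
    local pkg_list=$1 package=$2 affected=$3 hit=1 name version bad
    while IFS=' ' read -r name version; do
        [ "$name" = "$package" ] || continue
        for bad in $affected; do
            if [ "$version" = "$bad" ]; then
                printf '%s %s\n' "$name" "$version"
                hit=0
            fi
        done
    done <<EOF
$pkg_list
EOF
    return $hit
}

# has_sshd PKG_LIST: returns 0 if openssh-server is in the inventory, 1 otherwise.
has_sshd() {
    printf '%s\n' "$1" | awk '$1 == "openssh-server" { found = 1 } END { exit !found }'
}

# image_packages IMAGE: dump the inventory without running the image's own
# entrypoint, so auditing never starts the workload.
image_packages() {
    docker run --rm --entrypoint dpkg-query "$1" -W -f '${Package} ${Version}\n'
}

# audit_image IMAGE PACKAGE "VER1 VER2 ...": human-readable verdict for one image.
audit_image() {
    local pkgs matches
    pkgs=$(image_packages "$1") || return 2
    if matches=$(flag_affected "$pkgs" "$2" "$3"); then
        echo "$1: AFFECTED version installed: $matches"
        if has_sshd "$pkgs"; then
            echo "$1: openssh-server present, backdoor precondition met"
        else
            echo "$1: openssh-server absent, still rebuild from a current base"
        fi
    else
        echo "$1: no affected $2 version found"
    fi
}

# Constructed demo inventory (not captured from any real image).
SAMPLE_PKGS='base-files 12.4-demo
liblzma5 0.0.2-demo
openssh-server 1:9.9-demo
xz-utils 0.0.2-demo'
# Placeholder list; replace with the versions named in the advisory.
DEMO_AFFECTED='0.0.1-demo 0.0.2-demo'

# Live path runs only when an image is named, so the file also sources cleanly.
if [ -n "${AUDIT_IMAGE:-}" ]; then
    audit_image "$AUDIT_IMAGE" liblzma5 "${AFFECTED_VERSIONS:-$DEMO_AFFECTED}"
fi
```

Usage against a real image is `AUDIT_IMAGE=registry/image:tag AFFECTED_VERSIONS="<versions from the advisory>" ./audit.sh`. Running `dpkg-query` as the entrypoint keeps the image's own process from starting during the check, which matters when the thing being audited is exactly the service the backdoor targets; a derived image that inherits a stale base shows up the same way as the base itself, which is the "zillions of derived images" case.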
DiabloD3•17m ago
When I was doing my stuff at my former stint as a hatrack, I made the choice to ban Docker from anywhere inside the company.

_Docker_ is a security hazard, and anything it touches is toxic.

Every single package, every single dependency, that has an actively exploited security flaw is being exploited in the Docker images you're using, unless you built them yourself, with brand new binaries. Do not trust anyone except official distro packages (unless you're on Ubuntu, then don't trust them either).

And if you're going to do that... just go to _actual_ orchestration. And if you're not going to do that, because orchestration is too big for your use case, then just roll normal actual long lived VMs the way we've done it for the past 15 years.