Potential SSH Backdoor Uncovered in xz Package Poses Security Threat to Linux Systems

A potential SSH backdoor has been uncovered in the xz package, posing a significant security threat to Linux systems. The discovery of a backdoor in the xz release tarballs for versions 5.6.0 and 5.6.1 has raised concerns about compromised SSH logins.

The malicious code was cleverly disguised as test files within the repository, making it difficult to detect any anomalies at first glance. However, the compromised code is revealed once the release tarballs are downloaded. The issue came to light when SSH logins on a Debian sid system exhibited unusually prolonged login times and increased CPU usage. Additionally, errors were detected when running Valgrind on the liblzma library, indicating potential foul play.

Further investigation pointed to one of the xz maintainers, [Jia Tan], who dismissed the Valgrind errors as a GCC bug. Subsequently, the same developer attempted to circumvent the Valgrind errors in a GitHub commit, further raising suspicions about their involvement in the malicious activity. The situation has cast doubt on the trustworthiness of the individual controlling the [JiaT75] GitHub account, leaving uncertainty about the integrity of the project’s co-maintainer since August 2022.

The discovery of the backdoor has raised questions about its connection to SSH. The complexity of the exploit becomes apparent as it targets the liblzma library, which is invoked when sshd starts due to the integration of libsystemd in many Linux distributions. The malicious code within the library performs checks on the program being executed and attempts to replace specific function calls, including RSA_public_decrypt, a critical function in validating SSH keys.
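
A defender-side triage of the exposure described above, as an added example that is not part of the original article: it flags a host when liblzma is one of the two named releases and sshd's dependency list includes liblzma. The function names, the `SSHD_PATH` variable and the sample strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample strings below are constructed for illustration.

# Return 0 if the version is one the article reports as backdoored.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` output on stdin; print the liblzma version ("liblzma 5.6.1").
liblzma_version() {
    awk '$1 == "liblzma" { print $2; exit }'
}

# Return 0 if ldd-style output on stdin lists liblzma as a dependency.
links_liblzma() {
    grep -q 'liblzma\.so'
}

# $1 = output of `xz --version`, $2 = output of `ldd <sshd binary>`
assess() {
    ver=$(printf '%s\n' "$1" | liblzma_version)
    if [ -z "$ver" ]; then
        echo "unknown-version"            # xz missing or output not parseable
    elif ! is_affected_version "$ver"; then
        echo "version-not-listed"
    elif printf '%s\n' "$2" | links_liblzma; then
        echo "affected-and-sshd-loads-liblzma"
    else
        echo "affected-version-sshd-not-linked"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000200000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)'

# Live use: ./check.sh --live   (SSHD_PATH default is an assumption)
if [ "${1:-}" = "--live" ]; then
    sshd_path=${SSHD_PATH:-/usr/sbin/sshd}
    [ -x "$sshd_path" ] || { echo "sshd not found at $sshd_path" >&2; exit 2; }
    assess "$(xz --version 2>/dev/null)" "$(ldd "$sshd_path" 2>/dev/null)"
fi
```

A `version-not-listed` result reflects only the two releases named in the article.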

The potential implications of this exploit are concerning, as it could enable unauthorized access by bypassing the normal SSH login process. While a comprehensive analysis of the backdoor is ongoing, the severity of the security threat cannot be overstated. More information is expected to emerge in the coming days as the investigation continues.
