Featured Story
Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros
A newly discovered backdoor in XZ Utils, a data compression utility present in nearly all Linux distributions, has revived the ghosts of previous major software-supply chain security scares such as the Log4Shell vulnerability and the attack on SolarWinds.
We were likely very close to seeing the backdoored update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer, Andres Freund, spotted something fishy while investigating performance issues on a Debian system related to SSH.
The backdoor, tracked as CVE-2024-3094 with a CVSS score of 10.0, impacts XZ Utils versions 5.6.0 and 5.6.1. Embedded within the liblzma component, the malicious code uses obfuscated processes to tamper with SSH authentication via the systemd software suite. If triggered under the right conditions, it could allow remote unauthorized access to systems using this library.
Major distros affected include Debian testing, Fedora Rawhide, openSUSE, Kali Linux, Arch Linux, and Alpine Edge, though mostly in testing or pre-release branches.
While patching appliances or software to the unaffected version may provide safety from future exploitation, it does not remediate historic compromise.
The fact that someone managed to sneak a nearly undetectable backdoor into a trusted, widely used open source component and the potential havoc it could have caused is a painful wake-up call about supply chain security.
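As an added defender-side check that is not part of the original story: a small Python script that reads `xz --version` output for the affected 5.6.0/5.6.1 liblzma versions and an `ldd` listing of sshd for a loaded liblzma. It assumes sshd is on PATH or at /usr/sbin/sshd, and, in line with the remediation note above, it only reports whether the backdoored version is present and reachable from sshd, not whether a host was already compromised.

```python
import re
import shutil
import subprocess
from typing import Optional

# XZ Utils releases carrying the CVE-2024-3094 backdoor (from the advisory above).
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}


def parse_xz_version(xz_output: str) -> Optional[str]:
    """Pull the liblzma version out of `xz --version` output.

    Real output looks like:  xz (XZ Utils) 5.6.1 / liblzma 5.6.1  (two lines).
    The liblzma line is the one that matters, since the payload lives there.
    """
    m = re.search(r"^liblzma\s+(\d+\.\d+\.\d+)", xz_output, re.MULTILINE)
    if m is None:  # fall back to the xz line if the liblzma line is absent
        m = re.search(r"\(XZ Utils\)\s+(\d+\.\d+\.\d+)", xz_output)
    return m.group(1) if m else None


def sshd_loads_liblzma(ldd_output: str) -> bool:
    """True if an `ldd /usr/sbin/sshd` listing shows liblzma being pulled in
    (ldd lists transitive dependencies, so an indirect load via libsystemd shows too)."""
    return any(line.strip().startswith("liblzma") for line in ldd_output.splitlines())


def assess(xz_output: str, ldd_output: str) -> dict:
    """Combine both observations into a simple exposure verdict."""
    version = parse_xz_version(xz_output)
    backdoored = version in BACKDOORED_VERSIONS
    linked = sshd_loads_liblzma(ldd_output)
    if backdoored and linked:
        verdict = "exposed: backdoored liblzma is loaded by sshd"
    elif backdoored:
        verdict = "backdoored package installed; sshd does not load it"
    else:
        verdict = "not an affected version"
    return {"version": version, "backdoored": backdoored,
            "sshd_loads_liblzma": linked, "verdict": verdict}


if __name__ == "__main__":
    # Live mode: query the local host (assumed path for sshd if not on PATH).
    xz_out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    ldd_out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
    print(assess(xz_out, ldd_out))
```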
Other Stories
Critical Security Flaw Found in Popular LayerSlider WordPress Plugin
A critical SQL injection vulnerability (CVE-2024-2879) in LayerSlider, a widely used WordPress plugin, affects versions 7.9.11 through 7.10.0. Exploitation could allow attackers to extract sensitive data through time-based methods. The flaw is tied to improperly handled user inputs and the absence of secure SQL preparation.
Ivanti Releases Security Updates to Address Vulnerabilities, Patch Immediately
Ivanti has released critical patches addressing multiple vulnerabilities (CVE-2024-21894, CVE-2024-22052, CVE-2024-22023) in Connect Secure and Policy Secure gateways. These flaws may lead to DoS attacks or arbitrary code execution, depending on the component targeted.
Critical Vulnerability in Synology Surveillance Station Software
CVE-2024-29241 is a missing authorization flaw in Synology Surveillance Station software (pre-9.2.0-9289 and 9.2.0-11289). Remote authenticated users can bypass security constraints via unspecified vectors, compromising system integrity and availability.