Docker could still be hosting a whole load of potentially malicious images

Laptops

Docker could still be hosting a whole load of potentially malicious images – putting users at risk

XZ-Utils backdoor was found over a year ago
Despite warnings, some Linux images still contain it
Debian won’t budge as the images are “historical artifacts”

At least 35 Linux images hosted on Docker Hub contain dangerous backdoor malware, which could put software developers and their products at risk of takeover, data theft, ransomware, and more.

At least some of the images, however, will remain on the site and will not be removed, since they are outdated anyway and shouldn’t be used.

In March 2024, the open source community was stunned when security researchers spotted “XZ Utils”, a piece of malicious code, in the upstream xz-utils releases 5.6.0 and 5.6.1 (the liblzma.so library) that briefly propagated into some Linux distro packages (not their stable releases). The backdoor was inserted by a developer named ‘Jia Tan’ who, in the two years leading up to that moment, built significant credibility in the community through various contributions.

Debian, Fedora, and others

Now, security researchers at Binarly have said malicious xz-utils packages containing the backdoor were distributed in certain branches of several Linux distributions, including Debian, Fedora and OpenSUSE.

“This had serious implications for the software supply chain, as it became challenging to quickly identify all the places where the backdoored library had been included.” “This had serious implications for the software supply chain, as it became challenging to quickly identify all the places where the backdoored library had been included.”

Binarly’s experts are now saying several Docker images, built around the time of the compromise, also contain the backdoor. It says that at first glance, it might not seem alarming since if the distribution packages were backdoored, then any Docker images based on them would be backdoored, as well.

However, the researchers said some of the compromised images are still available on Docker Hub, and were even used in building other images which have also been transitively infected. Binarly said it found “only” 35 images because it focused solely on Debian images:

“The impact on Docker images from Fedora, OpenSUSE, and other distributions that were impacted by the XZ Utils backdoor remains unknown at this time.”

Debian said it wouldn’t be removing the malicious images since they’re outdated anyway and shouldn’t be used. They will be left as “historical artifacts”.

Via BleepingComputer