A critical XZ Utils backdoor, shipped with multiple Linux builds last year after a supply chain compromise, still lurks on DockerHub. Dozens of public images contain the bug and plague the containers built from them.
Security researchers at Binarly Research warn that they have found over 35 base images on DockerHub that remain public, despite containing the infamous XZ Utils, one of the most dangerous backdoors with the highest possible severity score of 10.0.
Attackers can abuse this bug to gain remote administrator access, compromising entire systems.
Many Linux web projects can be set up with a single Docker command, relying on a single YAML configuration file. These blueprints, often shared on GitHub, might specify a vulnerable OS version and lead to the compromise of the entire project.
The researchers warn that any Docker images based on backdoored distribution packages are infected.
“What we discovered is that some of these compromised images are still publicly available on Docker Hub. And even more troubling, other images have been built on top of these infected base images, making them transitively infected,” the report reads.
Twelve of the identified base images were various Debian versions, including experimental, unstable, untagged, and others from March 2024. The researchers didn’t even check second-order DockerHub images derived from the vulnerable OS versions.
“The impact on Docker images from Fedora, OpenSUSE, and other distributions that were impacted by the XZ Utils backdoor remains unknown at this time,” the report reads.
Many second- and third-order images might be used for projects, from personal applications to enterprise environments, where stability is often prioritized over running the latest OS version.
Despite public disclosures, the vulnerable Docker images containing the XZ Utils backdoor will remain on DockerHub.
“Images with an old date, like 20240311, are not supported. They will never be updated and are just left as historical artifacts. Users should use more recent images,” the maintainers explained on GitHub.
The XZ Utils backdoor was discovered last year and sent a shockwave through the cybersecurity sector. The bug was inserted by Jia Tan, a developer who spent two years building credibility in the project through numerous contributions.
Several major Linux distributions distributed malicious packages, making it one of the largest software supply chain attacks ever. The incident prompted cybersecurity agencies to issue advisories, and Linux vendors quickly reverted the affected packages to older versions. However, by then, the damage had already been done.
“Our discovery underscores how even short-lived backdoored builds can remain unnoticed and persist in container registries for a very long time,” the Binarly Research report concludes.
Your email address will not be published. Required fields are markedmarked