BSI warns of serious security gap

Over Easter, thanks to an attentive engineer, a backdoor was discovered in the Linux operating system, which is very common on the Internet. Now system administrators have homework to do.

After uncovering a potential cyber attack on countless Internet servers, the Federal Office for Information Security (BSI) asked IT managers to take countermeasures. In an official security warning, the BSI spoke of a “critical backdoor” in the Linux operating system that had to be closed.

The security hole, which was introduced at great expense, was discovered before Easter by German software engineer Andres Freund, who works for Microsoft in the USA. The 38-year-old database expert noticed that a so-called remote login to a Linux computer suddenly required more computing power and was delayed by an inexplicable 500 milliseconds.

After an extensive search, Freund discovered manipulations in the software tool “XZ Utils”, an open source data compression project used by many Linux variants, which had been maintained as a hobby by a single volunteer for many years. The manipulated “XZ Utils” could have been “the most widespread and effective backdoor ever built into a software product,” said renowned security expert Alex Stamos, former head of security at Facebook. The backdoor would have been widely distributed, since the Linux remote login software SSH also uses the compression tool.

Comparison with a bakery worker

The New York Times compared the German software expert to a bakery worker who “smells freshly baked bread and senses that something is wrong and comes to the conclusion that someone has manipulated the entire global yeast supply.” It had previously become known that a cybercriminal with the pseudonym “Jia Tan” had spent months gaining the trust of the legitimate programmer of the affected software tool in order to then manipulate the software code.

The BSI has now asked system administrators to check whether a manipulated version of “XZ Utils” is installed on their Linux systems. The security warning specifically refers to versions 5.6.0 and 5.6.1 of the tool. The Bonn authority classified the IT threat situation as “business-critical” and warned of a “massive disruption to regular operations”.

© dpa