Cybersecurity: BSI warns of serious security gap



Over Easter, thanks to an attentive engineer, a backdoor was discovered in the Linux operating system, which is widely used on the Internet. Now system administrators have homework to do.

After uncovering a potential cyber attack on countless Internet servers, the Federal Office for Information Security (BSI) asked those responsible for IT to initiate countermeasures. In an official security warning, the BSI spoke of a “critical backdoor” in the Linux operating system that had to be closed.

The security hole, which was introduced at great expense, was discovered before Easter by German software engineer Andres Freund, who works for Microsoft in the USA. The 38-year-old database expert noticed that a remote login to a Linux computer suddenly required more computing power and that an inexplicable delay of 500 milliseconds occurred.

After an extensive search, Freund discovered manipulations in the software tool “XZ Utils”, an open source data compression project that is used by many Linux variants and had been maintained as a hobby by a single volunteer for many years. The manipulated “XZ Utils” could have been “the most widespread and effective backdoor ever built into a software product,” said renowned security expert Alex Stamos, former head of security at Facebook. The backdoor would have been widely distributed, since the Linux remote access software SSH also uses the compression tool.

Comparison with a bakery worker

The New York Times compared the German software expert to a bakery worker who “smells a freshly baked loaf of bread and senses that something is wrong and concludes that someone has tampered with the entire world’s yeast supply.” It had previously become known that a cybercriminal using the pseudonym “Jia Tan” had spent months gaining the trust of the legitimate programmer of the affected software tool in order to then manipulate the software code.

The BSI has now asked system administrators to check whether a manipulated version of “XZ Utils” is installed on their Linux systems. The security warning specifically refers to versions 5.6.0 and 5.6.1 of the tools. The Bonn authority classified the IT threat situation as “business-critical” and warned of a “massive disruption to regular operations”.

dpa
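
The check the BSI asks administrators to make can be scripted. The following is an added example, not part of the article or the BSI warning: it reduces a reported version string to its upstream part and flags 5.6.0 and 5.6.1. The package names `liblzma5` (Debian/Ubuntu) and `xz-libs` (Fedora/RHEL) are assumptions about the host, and the sample strings are constructed.

```sh
#!/bin/sh
# Added example: flag XZ Utils 5.6.0 / 5.6.1, the versions named in the warning.

# Reduce a version string to its upstream part, e.g.
#   "xz (XZ Utils) 5.6.1" -> 5.6.1      "1:5.6.0-0.2" -> 5.6.0
upstream_version() (
    v=${1##* }              # last word of the first `xz --version` line
    v=${v#*:}               # drop a packaging epoch ("1:")
    case $v in              # Debian "+really": the real upstream version follows
        *+really*) v=${v#*+really} ;;
    esac
    v=${v%%-*}              # drop the package revision ("-1")
    v=${v%%[!0-9.]*}        # drop remaining suffixes such as "+dfsg"
    printf '%s\n' "$v"
)

# Exact match on the upstream version, so 5.6.10 is not mistaken for 5.6.1.
is_affected() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the local host; returns 1 if an affected version is found.
# Package names are assumptions: liblzma5 (Debian/Ubuntu), xz-libs (Fedora/RHEL).
scan_host() (
    found=0
    for v in \
        "$(xz --version 2>/dev/null | head -n 1)" \
        "$(dpkg-query -W -f='${Version}' liblzma5 2>/dev/null)" \
        "$(rpm -q --qf '%{VERSION}' xz-libs 2>/dev/null)"
    do
        # Skip empty results and tool messages that contain no version.
        [ -n "$(upstream_version "$v")" ] || continue
        if is_affected "$v"; then echo "AFFECTED: $v"; found=1
        else echo "ok: $v"; fi
    done
    return "$found"
)

# Constructed sample strings, not output captured from real systems.
for s in "xz (XZ Utils) 5.6.1" "1:5.6.0-0.2" "5.6.1+really5.4.5-1" \
         "5.6.10-1" "5.4.5-0.3"; do
    if is_affected "$s"; then r=AFFECTED; else r=ok; fi
    printf '%-24s %s\n' "$s" "$r"
done
```

Calling `scan_host` after loading the functions checks the machine it runs on. A plain substring search for "5.6.1" would also flag 5.6.10 and a "+really" rollback package, which is why the script compares the extracted upstream version exactly.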
