

Ethical Hacking News

Docker Hub Exposed: Dozens of Linux Images Still Host XZ Backdoor



Docker Hub has been found to still host dozens of Linux images containing the XZ Utils backdoor (CVE-2024-3094), the supply-chain compromise of the xz-utils compression library first identified in March 2024. Because these images are commonly pulled as base layers, this poses a real risk to users and organizations building on them, and it highlights the importance of continuously scanning base images rather than trusting a registry listing.

  • Docker Hub still hosts dozens of Linux images containing the XZ Utils backdoor.
  • The backdoor was discovered in March 2024 and has been found by Binarly in at least 35 Linux images on Docker Hub.
  • The backdoor is malicious code hidden in the liblzma.so library shipped with xz-utils versions 5.6.0 and 5.6.1; earlier releases such as 5.4.x are not affected.
  • The backdoored packages reached the pre-release and rolling-release branches of distributions including Debian, Fedora, openSUSE, and Red Hat.
  • Users are advised to check the xz/liblzma version in any image they use and ensure it is 5.6.2 or later.



  • Docker Hub, the public container image registry operated by Docker, still hosts dozens of Linux images containing the XZ Utils backdoor. The finding comes from researchers at Binarly, who determined that numerous images on the registry are still affected by the backdoor, which was first identified in March 2024.

    The XZ Utils backdoor is malicious code hidden in liblzma.so, the compression library shipped with the xz-utils tool, in versions 5.6.0 and 5.6.1. On systems where sshd is linked against liblzma (on Debian and Fedora this happens indirectly through libsystemd), the backdoor uses glibc's IFUNC mechanism to hook OpenSSL's RSA_public_decrypt function inside the sshd process. An attacker holding a specific private key can then bypass authentication and run commands as root. The code was injected over time by a long-time project contributor operating under the name "Jia Tan" and reached the pre-release and rolling-release branches of Linux distributions including Debian, Fedora, openSUSE, and Red Hat before it was caught.

    According to Binarly researchers, the XZ Utils backdoor is still present in at least 35 Linux images on Docker Hub. This matters because many CI/CD pipelines, developers, and production systems pull images directly from Docker Hub as base layers for their own containers. Any image built on top of a backdoored base inherits the compromised liblzma, so the problem propagates silently into downstream builds.

    Debian, one of the publishers still offering backdoored images, reportedly decided not to take them offline, citing the low risk and the importance of archival continuity. Binarly disagreed with this approach, stating that simply keeping these images publicly available creates a significant risk of accidental pulls or use in automated builds.

    Binarly's researchers identified more than 35 images that ship with the XZ Utils backdoor, but noted that this figure is only a partial reflection of the real scale of the problem. They did not perform a platform-wide scan for the backdoor and stopped at second-order images, so images built further downstream from the affected bases were not counted.

    The Debian maintainers' decision not to remove the affected images from Docker Hub has raised concerns among security experts and users. Exploitation does require a combination of conditions that is unlikely inside a typical container: sshd must be installed and running in the container, the attacker must have network access to that SSH service, and the attacker must hold the private key that matches the backdoor's trigger logic. Binarly nevertheless argues that keeping these images available to the public is a significant risk, since a backdoored library is a backdoored library regardless of whether the current image happens to run sshd.

    In light of this discovery, users are advised to check the xz/liblzma version in any image they build on or run and ensure it is 5.6.2 or later (the latest stable release is 5.8.1). Only 5.6.0 and 5.6.1 carry the backdoor; versions before 5.6.0, such as the 5.4.x series shipped by stable distributions, never contained it. The same check applies to any image that may carry a compromised build of xz-utils, not just the ones Binarly named.
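    One way to carry out that check across a set of container images, as an added example that is not from the article or from Binarly: the script below classifies an xz/liblzma version string, extracts the version from `xz --version` output or from the liblzma.so file name, and, given image names, runs those checks inside each image with the Docker CLI and reports whether an sshd binary in the image links liblzma (the condition the backdoor needs). It assumes a POSIX sh, a working `docker` on the host, and `sh` inside the image; the image names are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the article or Binarly): detect the backdoored
# xz-utils releases 5.6.0 and 5.6.1 by version, inside container images.
# Assumes POSIX sh, a working `docker` CLI, and `sh` present in the image.

# Exit 0 when the version string is one of the two backdoored releases.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the liblzma version out of `xz --version` output (second line),
# falling back to the xz line. Prints nothing when neither is present.
xz_version_from_output() {
    v=$(printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || v=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    printf '%s\n' "$v"
}

# Full version embedded in a shared-object path such as
# /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1. The bare soname symlink
# liblzma.so.5 carries no release number and yields nothing.
lzma_soname_version() {
    printf '%s\n' "$1" | sed -n 's/.*liblzma\.so\.\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)$/\1/p'
}

# Prints "backdoored", "clean" or "unknown" for a version string.
classify_version() {
    if [ -z "$1" ]; then
        echo unknown
    elif xz_version_is_backdoored "$1"; then
        echo backdoored
    else
        echo clean
    fi
}

# Run the checks inside an image: report `xz --version`, every liblzma.so
# file found, and whether an sshd binary in the image links liblzma.
check_image() {
    image=$1
    out=$(docker run --rm --entrypoint sh "$image" -c '
        xz --version 2>/dev/null
        find / -name "liblzma.so.*" 2>/dev/null
        if command -v sshd >/dev/null 2>&1; then
            echo "sshd: $(command -v sshd)"
            ldd "$(command -v sshd)" 2>/dev/null | grep -F liblzma || echo "sshd: does not link liblzma"
        else
            echo "sshd: not installed"
        fi')
    echo "== $image"
    printf '%s\n' "$out"
    ver=$(xz_version_from_output "$out")
    # Minimal images may lack the xz binary; fall back to the library file name.
    [ -n "$ver" ] || ver=$(printf '%s\n' "$out" | while read -r line; do lzma_soname_version "$line"; done | head -n 1)
    echo "xz/liblzma version: ${ver:-unknown} -> $(classify_version "$ver")"
}

# Usage: sh check_xz.sh IMAGE [IMAGE...]
for img in "$@"; do
    check_image "$img"
done
```

    A "clean" verdict here means only that the version string is not 5.6.0 or 5.6.1; it does not prove the library itself is untouched. For an image that vendors its own liblzma, compare the file's hash against the distribution's package or run one of the published byte-signature checks for the backdoor against the library.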

    This incident highlights the importance of continuously scanning base images and build pipelines, not just the final artifact, especially in environments where containerization is prevalent. It also underscores the need for a working process between researchers, publishers, and registries for retiring or clearly flagging artifacts known to be compromised, so that findings like this one are acted on in a timely manner.

    In conclusion, the continued availability of backdoored images on Docker Hub, more than a year after the backdoor was disclosed, raises concerns about the security posture of anyone relying on those images without verifying them. Organizations and individuals should take proactive measures: pin base images by digest, scan them for the affected xz-utils versions, and rebuild anything that was derived from a compromised base.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Docker-Hub-Exposed-Dozens-of-Linux-Images-Still-Host-XZ-Backdoor-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/docker-hub-still-hosts-dozens-of-linux-images-with-the-xz-backdoor/


  • Published: Tue Aug 12 14:04:12 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
