Generative Data Intelligence

XZ Utils Scare Exposes Hard Truths About Software Security

Date:

The recent discovery of a backdoor in the XZ Utils data compression utility, which is present in nearly every major Linux distribution, is a stark reminder that organizations consuming open source components ultimately bear responsibility for securing their software.

XZ Utils, like thousands of open source projects, is run by volunteers and, in its case, is controlled by a single maintainer. Such projects typically have few or no resources for handling security issues, which means organizations use the software at their own risk. Security and development teams should therefore apply the same open source risk management measures that they apply to internally developed code, security experts say.

"While it is unlikely that an organization can completely prevent [all] exposure to supply chain risks, organizations can focus squarely on a strategy that reduces the likelihood of a supply chain attack succeeding," says Jamie Scott, founding product manager at Endor Labs.

Open source is not free: "Open source software maintainers are volunteers. As an industry, we need to treat them as such. We are the owners of our software; we are responsible for the software we reuse."

Well Intentioned, Under-Resourced

Concerns about the security of open source software are nothing new. But it often takes discoveries such as the Log4Shell vulnerability and the XZ Utils backdoor to really drive home how exposed organizations are through the components in their code. And often, that code comes from well-intentioned but thinly maintained open source projects.

XZ Utils, for instance, is a one-person project. Another individual managed to sneak a backdoor into the utility over a period of nearly three years by gradually earning enough trust from the project's maintainer. Had a Microsoft developer not stumbled upon it in late March while investigating unusual behavior associated with a Debian installation, the backdoor could have ended up on millions of devices worldwide, including those of large corporations and government agencies. As it happened, the backdoor had minimal impact because it affected versions of XZ Utils that were present only in unstable and beta releases of Debian, Fedora, Kali, openSUSE, and Arch Linux.

The next compromise of open source code could be much worse. "The scariest part for enterprise organizations is that their applications are built on open source software projects like XZ Utils," says Donald Fischer, founder and CEO of Tidelift. "XZ Utils is one package among tens of thousands used every day by typical enterprise organizations," he says.

Most of these organizations lack sufficient visibility into the security and resilience of this part of their software supply chain to be able to assess the risk, he notes.

A recent Harvard Business School study estimated the demand-side value of open source software at $8.8 billion. Maintainers are the backbone of this ecosystem, and many of them fly solo, Fischer says. A Tidelift study last year found that 44% of open source project maintainers describe themselves as the sole maintainers of their projects. XNUMX percent identified as unpaid hobbyists, and the same percentage said they had quit or considered quitting their roles as project maintainers. Many maintainers described their efforts as stressful, lonely, and financially unrewarding work, Fischer says.

"The XZ utils hack casts a harsh spotlight on the risks of underinvesting in the health and resilience of the open source software supply chain that [enterprise organizations] depend on," says Fischer. "Enterprise organizations must recognize that the majority of the most relied-upon open source packages are maintained by volunteers who describe themselves as unpaid hobbyists. These maintainers are not corporate vendors, yet they are expected to perform and deliver as if they were."

The Risk: Transitive Dependencies

An Endor study in 2022 found that 95% of open source vulnerabilities exist in so-called transitive dependencies, that is, secondary open source packages or libraries that a primary open source package may depend on. Typically, these are packages that developers do not choose themselves but that are pulled in automatically by an open source package in their development project.

"For example, if you trust one Maven package, on average there are 14 additional dependencies you implicitly trust as a result," Scott says. "This number is even larger in certain software ecosystems such as NPM, where you import on average 77 other software components for every one you trust."

One way to start reducing open source risk is to pay attention to these dependencies and be selective about which projects you adopt, he says.

Organizations should vet dependencies, especially small, one-off packages maintained by a team of one or two people, adds Dimitri Stiliadis, Endor's CTO and cofounder. They should determine whether dependencies in their environment have proper security controls or whether a single person is committing all the code; whether their repositories contain binary files whose origin nobody knows; and whether anyone is actively maintaining the project at all, Stiliadis says.
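As an added illustration (not code from the article, Endor Labs, or Tidelift), the script below expands an application's direct dependencies into their transitive closure and flags the vetting signals Stiliadis lists: a single committer, unverified binaries in the repository, and no active maintenance. The package names, dependency graph, and maintainer metadata are constructed stand-ins for what an SCA tool or package registry would report.

```python
from collections import deque

# Constructed dependency graph (package -> packages it pulls in); not real packages.
DEPS = {
    "app": ["web-fw", "compress-lib"],
    "web-fw": ["http-core", "tmpl"],
    "http-core": ["compress-lib", "tls-shim"],
    "tmpl": [],
    "compress-lib": [],
    "tls-shim": ["compress-lib"],
}

# Constructed maintainer metadata, standing in for an SCA tool's or registry's report.
META = {
    "web-fw": {"maintainers": 6, "last_commit_days": 10, "unverified_binaries": False},
    "http-core": {"maintainers": 3, "last_commit_days": 40, "unverified_binaries": False},
    "tmpl": {"maintainers": 1, "last_commit_days": 800, "unverified_binaries": False},
    "compress-lib": {"maintainers": 1, "last_commit_days": 5, "unverified_binaries": True},
    "tls-shim": {"maintainers": 2, "last_commit_days": 120, "unverified_binaries": False},
}

def transitive_closure(root, graph):
    """Return (direct, transitive-only) dependency sets of root via breadth-first walk."""
    direct = set(graph.get(root, []))
    seen, queue = set(), deque(direct)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return direct, seen - direct

def risk_signals(pkg, meta, stale_days=365):
    """Signals named in the article: single maintainer, opaque binaries, inactivity."""
    m = meta[pkg]
    flags = []
    if m["maintainers"] <= 1:
        flags.append("single-maintainer")
    if m["unverified_binaries"]:
        flags.append("unverified-binaries-in-repo")
    if m["last_commit_days"] > stale_days:
        flags.append("not-actively-maintained")
    return flags

def review(root, graph=DEPS, meta=META):
    """Map each direct or transitive dependency of root that has risk flags to them."""
    direct, transitive = transitive_closure(root, graph)
    flagged = {p: risk_signals(p, meta) for p in direct | transitive}
    return {p: f for p, f in flagged.items() if f}
```

Calling `review("app")` surfaces only the packages worth a closer look, including ones the application never lists directly.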

"Focus your efforts on improving the effectiveness of your response: foundational controls such as maintaining an inventory of mature applications remain one of the highest-value programs you can have for quickly identifying, reaching, and responding to software vulnerabilities once they are identified," Scott advises.

Software composition analysis tools, vulnerability scanners, EDR/XDR systems, and SBOMs can all help organizations quickly identify vulnerable and compromised open source components.

Acknowledging the Threat

"Reducing exposure begins with a shared understanding and awareness in the C-suite, and even at the board level, that roughly 70% of the ingredients of a typical software product are open source software that historically was created by mostly unpaid contributors," says Tidelift's Fischer.

New regulations and guidelines from the financial services industry, the FDA, and NIST will reshape how software is developed in the coming years, and organizations need to prepare now. "The winners here will quickly shift from a reactive to a proactive strategy for managing open source-related risk," he says.

Fischer recommends that organizations bring their security and engineering teams together to see how new open source components enter their environment. They should also define roles for monitoring these components and remove those that do not fit the company's risk appetite. "Dealing with problems after the fact stopped being a workable way of managing enterprise risk a few years ago, and the US government is signaling that time is up," he says.
