Mainstream Compression Software XZ Exposed to Backdoor! UOS by Union Tech: All Versions Unaffected

Recently, the open-source software xz-utils was found to be affected by a supply chain attack and backdoor implantation in versions 5.6.0 to 5.6.1.

Union Tech’s official announcement confirms that all of its products, including the UOS desktop operating system and server operating system, are unaffected by this issue, so users can continue to use them with confidence.

Backdoor code was discovered in the upstream source of xz versions 5.6.0 and 5.6.1. Binary test data was inserted into the source tree, and the build scripts extract content from that data and use it to modify the compilation results.

According to preliminary research, the generated code hooks into OpenSSH’s RSA encryption-related functions, enabling attackers to bypass RSA signature verification through specific methods. Other potential impacts are still under ongoing investigation.

liblzma/xz is a popular compression tool used widely across Linux distributions, so the broad reach of this security vulnerability poses a significant threat to the entire Linux ecosystem.

Analysis of the Impact on Union Tech’s UOS Operating System:

In version 1060 of the UOS desktop operating system, the version of xz-utils is 5.2.4.1-1+dde, which is not within the vulnerability scope and remains unaffected by the issue.

In version 1060 of the UOS server operating system, the version of xz is 5.2.5-3.uel20.01, also not within the vulnerability scope and remains unaffected.

Furthermore, all other versions of the Union Tech UOS operating system have been verified to be unaffected by this vulnerability.
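
To repeat this version comparison on other hosts, the script below (an added example, not Union Tech's tooling) reduces a distribution package version string to its upstream xz version and checks it against the affected releases 5.6.0 and 5.6.1 named above. The sample strings other than the two UOS versions are constructed, and the package names xz-utils (dpkg) and xz (rpm) are the ones the article uses.

```shell
#!/bin/sh
# Upstream xz releases the article names as backdoored.
AFFECTED="5.6.0 5.6.1"

# Reduce a distro package version to the upstream version it was built from.
upstream_version() {
    v=${1#*:}                                      # drop an epoch such as "1:"
    case $v in *+really*) v=${v##*+really} ;; esac # "+really" marks a rollback
    v=${v%-*}                                      # drop the packaging revision
    v=${v%%[+~]*}                                  # drop vendor suffixes (+dde)
    printf '%s\n' "$v"
}

# Print "affected" or "unaffected" for one package version string.
xz_status() {
    up=$(upstream_version "$1")
    for bad in $AFFECTED; do
        if [ "$up" = "$bad" ]; then
            echo affected
            return 0
        fi
    done
    echo unaffected
}

# Ask the local package manager for the installed version, if there is one.
local_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' xz-utils 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' xz 2>/dev/null && return 0
    fi
    return 1
}

# First two strings are the UOS 1060 versions from the article;
# the remaining three are constructed samples.
for sample in 5.2.4.1-1+dde 5.2.5-3.uel20.01 5.6.0-0.2 1:5.6.1-1 \
              5.6.1+really5.4.5-1; do
    printf '%-22s %s\n' "$sample" "$(xz_status "$sample")"
done

if v=$(local_xz_version) && [ -n "$v" ]; then
    printf 'installed: %s -> %s\n' "$v" "$(xz_status "$v")"
fi
```

A match only says the package was built from an affected upstream release; the vendor's advisory remains the authority on whether a given build is exposed.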

According to Union Tech’s data from December last year, the installed base of UOS has reached 6 million units, maintaining the top market share position, with the shipment growth rate of the server edition being the industry’s highest.