xz lzma compromised sshd servers at 10 risk of backdoor penetration

This topic has 3 replies, 4 voices, and was last updated Apr 5 at 7:15 pm by PDP-8.
    #138169
    Member
    fungalnet

      I came back to the forum to search for a discussion of the topic; I thought it would have had people concerned.

      https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html

      The xz source code repository has been taken down by GitHub, although the discussion can still be seen in the resulting “issue” through http://www.archive.org/….
      https://web.archive.org/web/20240329223553/https://github.com/tukaani-project/xz/issues/92

      Debian testing/unstable/experimental were affected, and an sshd server set up with Fedora or Debian, and possibly some Ubuntu versions, can be or has been compromised.

      The juicy part is that, as far as I can deduce about the mechanism, the injected rogue code is in the xz 5.6.0-5.6.1 tarballs and in compiled packages built from those tarballs, but if configured and built from git then there is no problem. The binaries are stored in parts of the package; then, by the way Debian/Fedora built OpenSSH, a hook under certain conditions triggers a “systemd” (sd_notify) mechanism that extracts code from those binaries, altering other binaries in the system and providing the designer of the code with root access to the server – through ssh! Early findings talk about the exploit calling directly on .deb and .rpm packages, so other distros may seem safe, but this is less than 48 hours of public information on the topic.

      Within hours of publication this was rated 10, and in the US it triggered a national security probe on the matter.

      This, as traced, goes back to late 2022; this is a good historical review of what went on and when: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

      In brief, the original maintainer of the upstream project was overwhelmed and advertised for help; someone appeared, offered some tests to be added, and gradually took control of resources while the original maintainer was pretty careless and absent.

      Of course there is widespread paranoia about all this; it may not be as big as some fear, but there is a prevalent belief this wasn’t done by an individual with personal gains in mind but by a larger organization, such as a state security/espionage operation. In such a case we will never find out the truth, even if they abduct someone to portray as the “terrorist”, in which case again we will learn nothing.

      In summary: free, open source, reliable, trustworthy code that EVERYONE has used and is using can be polluted by binary blobs used to run software checks, which create the source for the exploit.

      Even if it is about a systemd weakness providing the ground and mechanism to have this done, it leaves a sad feeling about the state and future of FOSS, or at least that is how I feel about it.

      #138175
      Member
      anti-apXos

        Backdoor penetration, you say?

        Hm…

        #138176
        Member
        Robin

          Details:
          https://nvd.nist.gov/vuln/detail/CVE-2024-3094

          And from the Debian security list: https://lists.debian.org/debian-security-announce/2024/msg00057.html

          Stable users are not affected.

          Users of testing, unstable and experimental are advised to update:

          »Compromised packages were part of the Debian testing, unstable and
          experimental distributions, with versions ranging from 5.5.1alpha-0.1
          (uploaded on 2024-02-01), up to and including 5.6.1-1.«

          And further:

          The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1.

          I’d suggest checking your systems if running on sid or testing.

          it leaves a sad feeling about FOSS state and future

          That’s not an issue of FOSS only. All code can be compromised. But only in FOSS is there a chance it is revealed before it reaches stable versions, which is precisely what has happened here. So this incident should strengthen your trust in the “thousand eyes” checking mechanism of FOSS. It was fixed immediately. Don’t even dare to think about whether we would ever have learned about compromised code like that if it were closed source like Microsoft or Apple & Co.

          Windows is like a submarine. Open a window and serious problems will start.
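A check for the exposure described in this thread, added here as an example and not taken from the thread, from Debian or from the CVE record; it assumes the version ranges quoted above (upstream 5.6.0/5.6.1, Debian 5.5.1alpha-0.1 through 5.6.1-1, with 5.6.1+really5.4.5-1 as the reverted safe package) and a default sshd path of /usr/sbin/sshd:

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Upstream release tarballs the first post names as carrying the injected code.
AFFECTED_UPSTREAM = {(5, 6, 0), (5, 6, 1)}
# Debian package range quoted from the debian-security-announce message:
# 5.5.1alpha-0.1 up to and including 5.6.1-1, inclusive on both ends.
DEBIAN_LOW, DEBIAN_HIGH = (5, 5, 1), (5, 6, 1)

def upstream_triple(version: str) -> Optional[Tuple[int, int, int]]:
    """Reduce a version string to (major, minor, patch) of the upstream code.
    The reverted Debian package 5.6.1+really5.4.5-1 carries the real upstream
    version after '+really', so that part wins when present."""
    if "+really" in version:
        version = version.split("+really", 1)[1]
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def xz_version_affected(version: str) -> bool:
    """True if the version is inside the affected range reported in the thread.
    A Debian package version (has a '-<revision>' suffix) is checked against the
    advisory's range; a bare upstream version against the two bad releases."""
    triple = upstream_triple(version)
    if triple is None:
        return False
    if "-" in version:  # Debian package version such as 5.6.1-1
        return DEBIAN_LOW <= triple <= DEBIAN_HIGH
    return triple in AFFECTED_UPSTREAM

def installed_xz_version() -> Optional[str]:
    """Version printed by `xz --version` on this host, or None if xz is absent."""
    if shutil.which("xz") is None:
        return None
    out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    m = re.search(r"\b(\d+\.\d+\.\d+\S*)", out)
    return m.group(1) if m else None

def sshd_links_liblzma(sshd: str = "/usr/sbin/sshd") -> Optional[bool]:
    """Whether the sshd binary loads liblzma (the libsystemd/sd_notify path the
    first post describes); None when ldd or sshd is not present on this host."""
    if shutil.which("ldd") is None or shutil.which(sshd) is None:
        return None
    out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
    return "liblzma" in out
```

On a sid or testing host, `xz_version_affected(installed_xz_version() or "")` together with `sshd_links_liblzma()` both returning True is the exposure the thread describes; the version check alone is what the Debian advisory's range lets you decide offline.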

          #138718
          Member
          PDP-8

            So glad this was caught! But don’t feel bad about FOSS and the future. And I say this without being glib or cheerleading about it: perhaps look into the security-focused OpenBSD as an additional project to your existing infrastructure, and see if it catches your interest.
