
Backdoor found in widely used Linux utility breaks encrypted SSH connections
Malicious code planted in xz Utils has been circulating for more than a month.
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux...

L. V. Lammert wrote on 2024-03-29 13:08:
Seems to make the case to only use standard tools like gzip?
I'm not sure. I stick with gzip & bzip myself, but this was an extremely clever approach and I'm not sure if xz got targeted because it's a smaller developer group or if xz is more gullible. I suspect everyone's going to be on the lookout going forward for such things. There's already a lot of examining of previous commits by this character who integrated themself to a number of packages with innocuous prior commits. Interesting story, and only caught by a series of coincidences (someone doing performance testing noticed some timing issues with failed ssh attempts and dug into it further). rb

L. V. Lammert wrote on 2024-03-29 13:08:
Seems to make the case to only use standard tools like gzip?
Nah, reading further on it (comments on ArsTechnica.com are great - lots of links to follow), this compromises ssh, you don't need xz. There's some talk that issues with Postgres and Valgrind were spotted a while back; unsure if related but sounds quite similar. Debian, Ubuntu, Macs, and Fedora were all targeted. Mac's "brew" had an upgrade today of xz from v5.6 to v5.4 - so it was rolled back there. Ubuntu didn't include the changes; Debian and Fedora did, briefly (as I understand it). This could have been on the scale of HeartBleed or larger. If all the computers running sshd on Debian and Fedora had this vulnerability on them, it'd be catastrophic. À la SolarWinds, etc. The questions being asked are, who is Jia Tan (JiaT85), and the others who petitioned to get these updates into other packages - they have Scandinavian and Indian names, popped up like sock puppets requesting these "new features in xz get merged", then disappeared. This was only discovered because someone happened to be testing something and a ½ second delay in rejecting ssh connections caught his attention. Wow, we all just dodged a bullet. Oops, Kali Linux distributed the backdoor'd code: https://www.kali.org/blog/about-the-xz-backdoor/
The impact of this vulnerability affected Kali between March 26th to March 29th, during which time xz-utils 5.6.0-0.2 was available. If you updated your Kali installation on or after March 26th, but before March 29th, it is crucial to apply the latest updates today to address this issue.
The Linux kernel uses xz for squashfs compression: https://lore.kernel.org/lkml/20240320183846.19475-1-lasse.collin@tukaani.org... It seems to have made its way into Debian Sid:
After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:
The upstream xz repository and the xz tarballs have been backdoored.
https://www.openwall.com/lists/oss-security/2024/03/29/4
Careful: the exploit code ends up in liblzma, which on typical binary distributions is packaged separately from xz-utils. On vulnerable distributions, that package gets pulled in (without pulling in xz-utils) when installing sshd.
So whether the distribution included xz-utils by default doesn't affect whether you're vulnerable.
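A quick defender's check for the dependency chain the last reply describes (an added example, not code from the thread): the helpers work on the text of `ldd` and `xz --version` output so they can be exercised against the constructed samples below, and the version test flags the 5.6 series the thread names as backdoored (Kali's 5.6.0-0.2, brew's v5.6). The sshd path and sample library addresses are assumptions.

```sh
#!/bin/sh
# Does sshd map liblzma, and is the installed liblzma in the 5.6 series?
# Added example, not from the thread. Helpers take text arguments so the
# same logic can run against output captured from another host.

# $1: text of `ldd /path/to/sshd`. Prints the liblzma line(s) and returns 0
# if liblzma is mapped (directly or via another library), else 1.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep 'liblzma'
}

# $1: text of `xz --version`; prints the version from its "liblzma X.Y.Z" line.
liblzma_version_from_banner() {
    printf '%s\n' "$1" | awk '/^liblzma/ { print $2; exit }'
}

# $1: version such as "5.6.0" or "5.6.0-0.2". Returns 0 if it is in the
# 5.6 series the thread reports as backdoored, else 1.
lzma_version_flagged() {
    case "$1" in
        5.6.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample outputs (not captured from a real host); addresses are
# placeholders. Note liblzma appearing next to libsystemd, not xz-utils.
SAMPLE_LDD_WITH_LZMA='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000000000000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000000)'
SAMPLE_LDD_WITHOUT_LZMA='    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000000)'
SAMPLE_XZ_BANNER='xz (XZ Utils) 5.6.0
liblzma 5.6.0'

# Live check of this host; $1 overrides the assumed sshd path.
check_host() {
    sshd_bin=${1:-/usr/sbin/sshd}
    if [ -x "$sshd_bin" ]; then
        if line=$(sshd_links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"); then
            echo "sshd maps liblzma: $line"
        else
            echo "sshd does not map liblzma"
        fi
    else
        echo "no sshd binary at $sshd_bin"
    fi
    if command -v xz >/dev/null 2>&1; then
        ver=$(liblzma_version_from_banner "$(xz --version)")
        if lzma_version_flagged "$ver"; then
            echo "liblzma $ver is in the 5.6 series: update now"
        else
            echo "liblzma $ver is outside the 5.6 series"
        fi
    fi
}
```

`ldd` lists transitive dependencies, so a liblzma reached only through libsystemd still shows up, which is exactly the path the reply warns about.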