URL: https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/
SECURITY ALERT: POTENTIAL SSH BACKDOOR VIA LIBLZMA

by: Jonathan Bennett

March 29, 2024

In breaking news that dropped just after our weekly security column went live, a
backdoor has been discovered in the xz package that could potentially compromise
SSH logins on Linux systems. The most detailed analysis so far seems to be by
[Andres Freund] on the oss-security list.

The xz release tarballs for 5.6.0 (late February) and 5.6.1 (March 9th) both
contain malicious code. A pair of compressed files in the repository, disguised
as test files, carry the bulk of the malicious payload; the build-script hook
that extracts and applies it exists only in the release tarballs, not in the git
tree. In practice this means that looking at the repository doesn't reveal
anything amiss, but building from the release tarballs gives you the compromised
code.
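Here's a way to turn that observation into a check, as an added example that is
not code from the article or from the xz project: compare the file list of a
release tarball against the tagged source tree (a `git archive <tag>` or a
checkout) and list everything that exists only in the tarball. The "repository"
and "tarball" below are constructed in memory; the file names are illustrative,
and the tarball-only `m4/build-to-host.m4` is named after the kind of autotools
helper that ships in a dist tarball but not in git. Anything on that list never
went through the repository's review, so it should be diffed against freshly
regenerated autotools output before the tarball is trusted.

```python
"""Tarball-vs-repository manifest check (added example, not xz project code)."""
import io
import tarfile
import tempfile
from pathlib import Path


def tarball_files(tar_bytes: bytes) -> set:
    """Regular-file paths in a tarball, with the leading <name>-<version>/ directory stripped."""
    files = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.isfile():
                parts = Path(member.name).parts
                files.add("/".join(parts[1:]) if len(parts) > 1 else parts[0])
    return files


def checkout_files(root: str) -> set:
    """Regular-file paths under a source tree produced by `git archive` or `git checkout <tag>`."""
    base = Path(root)
    return {p.relative_to(base).as_posix() for p in base.rglob("*") if p.is_file()}


def dist_only_files(tar_bytes: bytes, checkout_root: str) -> list:
    """Files shipped in the tarball that have no counterpart in the tagged repository, sorted."""
    return sorted(tarball_files(tar_bytes) - checkout_files(checkout_root))


def _make_tarball(entries: dict) -> bytes:
    """Build an in-memory .tar.gz from {path: text}; used only for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in entries.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> list:
    """Constructed sample: a repo with source and test blobs, a tarball with extra build glue."""
    repo = {
        "src/liblzma/lzma.c": "int lzma_init(void) { return 0; }\n",
        "tests/files/good-1.xz": "placeholder for a binary test blob (constructed)\n",
        "m4/ax_pthread.m4": "# ordinary autoconf macro, present in git\n",
    }
    # The tarball carries everything in git plus generated/dist-only files.
    tarball = {f"xz-5.6.1/{path}": content for path, content in repo.items()}
    tarball["xz-5.6.1/configure"] = "#!/bin/sh\n# generated by autoconf\n"
    tarball["xz-5.6.1/m4/build-to-host.m4"] = "# macro present only in the tarball\n"

    with tempfile.TemporaryDirectory() as tmp:
        for path, content in repo.items():
            target = Path(tmp) / path
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return dist_only_files(_make_tarball(tarball), tmp)


if __name__ == "__main__":
    for path in demo():
        print("tarball-only, review before trusting:", path)
```

The list is deliberately not filtered: `configure` and `m4/*.m4` are "expected"
dist-only files, and that expectation is exactly what the tainted 5.6.x
tarballs relied on. Regenerate them from the tag and diff; a byte-for-byte match
is the only acceptable result.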

This was discovered because SSH logins on a Debian sid system were taking longer
and burning more CPU cycles than expected. And interestingly, Valgrind was
throwing unexpected errors when run against the liblzma library. That last bit
was first noticed on February 24th, immediately after the 5.6.0 release, when
the xz-utils package failed its tests on Gentoo builds.

One of the xz maintainers, [Jia Tan], weighed in on that Gentoo bug, suggesting
that a GCC bug was causing the Valgrind errors. This is the same developer that
pushed the malicious archive files and minted the tainted releases. And as if to
clear up any remaining doubts, the developer doubled down in a GitHub commit
that works around the Valgrind errors, linking to a completely unrelated GCC bug
report and claiming it as the cause.

At this point, the only reasonable conclusion is that the person in control of
the [JiaT75] GitHub account is a malicious actor and is completely
untrustworthy. What's unclear is whether this is still the same person who has
been co-maintaining the project since August 2022: either [Jia Tan] has always
been a bad actor, or the account has been compromised.


WHAT ABOUT SSH?

What may not be clear is the connection to SSH. And it's a trip. Many Linux
distros patch sshd to add systemd service-notification support, and libsystemd
pulls in the liblzma library. That means liblzma's initialization code runs
when sshd starts. The malicious code checks argv[0], the name of the program
being executed, for /usr/bin/sshd. It also appears to check for debugging tools
like rr and gdb and to stay dormant if it finds them. If the checks pass, the
backdoor uses liblzma's IFUNC resolvers, which run while the dynamic linker is
still resolving symbols, to redirect a few function calls to its own code. It's
a complicated dance, but the function it is specifically looking to replace is
RSA_public_decrypt.

That's a very interesting function to clobber: RSA_public_decrypt is the OpenSSL
routine sshd uses to verify an RSA signature during public-key authentication.
It's not hard to imagine how malicious code there could check for a magic
signature and bypass the normal login process. The full analysis is still being
done; expect more information in the coming days.

But the bottom line is that a machine with a patched sshd binary that also has
xz packages at version 5.6.0 or 5.6.1 should be treated as vulnerable to
unauthenticated SSH logins. Two caveats from [Freund]'s analysis: the injected
object only targets x86-64 glibc builds, and sshd only picks liblzma up through
libsystemd, so an sshd built without the systemd patch never loads it (`ldd` on
the sshd binary shows whether liblzma.so.5 is in the picture). The good news is
that only a few distributions have shipped the 5.6.x series of xz packages.
Fedora Rawhide and Fedora 41 shipped them, as did Debian Testing and Unstable.
If you're on an affected system, look for an update right away.
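If you want to triage a box right now, the two facts that matter are the ones
in the paragraphs above: whether sshd links liblzma at all, and which liblzma
version is installed. The following is an added example, not code from the
article or from any distribution's tooling. It parses constructed `ldd
/usr/sbin/sshd` and `xz --version` output (embedded below, not captured from a
real machine) and combines them into a verdict; `live_triage()` runs the same
logic against the real commands. Assumptions: the affected set is exactly the
5.6.0 and 5.6.1 releases named above, `ldd` lists transitive dependencies (so
liblzma shows up even though only libsystemd links it directly), and `xz
--version` reports the same liblzma version that sshd would load. On a real
system the package manager (`dpkg -s liblzma5`, `rpm -q xz-libs`) is the
authoritative source for that version.

```python
"""sshd/liblzma exposure triage (added example, not distro or project code)."""
import re
import subprocess

# The liblzma releases the article names as carrying the backdoor (assumption: exactly these).
AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample output, modelled on a Debian-style x86-64 host whose sshd was
# built with libsystemd support. Not captured from a real machine.
SAMPLE_LDD = """\
        linux-vdso.so.1 (0x00007ffd1b3f0000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a2c400000)
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a2c300000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a2c2c0000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a2c000000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f3a2c900000)
"""
SAMPLE_XZ = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"


def parse_liblzma_version(xz_version_output: str):
    """Version from `xz --version`: prefer the 'liblzma X.Y.Z' line, fall back to the xz line."""
    for pattern in (r"^liblzma (\d+\.\d+\.\d+)", r"xz \(XZ Utils\) (\d+\.\d+\.\d+)"):
        m = re.search(pattern, xz_version_output, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def parse_ldd(ldd_output: str) -> dict:
    """Map each 'libname.so.N' in `ldd` output to its resolved path; vdso/ld.so lines are skipped."""
    libs = {}
    for line in ldd_output.splitlines():
        m = re.match(r"\s*(\S+)\s*=>\s*(\S+)", line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs


def triage(ldd_output: str, xz_version_output: str) -> dict:
    """Combine both observations into the article's condition: sshd loads liblzma AND it is 5.6.x."""
    libs = parse_ldd(ldd_output)
    version = parse_liblzma_version(xz_version_output)
    links_lzma = any(name.startswith("liblzma.so") for name in libs)
    links_systemd = any(name.startswith("libsystemd.so") for name in libs)
    return {
        "sshd_links_liblzma": links_lzma,
        "liblzma_via_libsystemd": links_lzma and links_systemd,  # heuristic: ldd flattens the chain
        "liblzma_version": version,
        "affected_version": version in AFFECTED_VERSIONS,
        "exposed": links_lzma and version in AFFECTED_VERSIONS,
    }


def live_triage(sshd_path: str = "/usr/sbin/sshd") -> dict:
    """Same verdict from the real commands on this host (needs ldd and xz on PATH)."""
    ldd_out = subprocess.run(["ldd", sshd_path], capture_output=True, text=True).stdout
    xz_out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    return triage(ldd_out, xz_out)


if __name__ == "__main__":
    print("constructed sample:", triage(SAMPLE_LDD, SAMPLE_XZ))
    try:
        print("this host:", live_triage())
    except FileNotFoundError as exc:
        print("skipping live check:", exc)
```

One practical note: `ldd` works by running the dynamic loader over the target,
so only point it at a binary you already trust to be your distro's sshd; for
an unknown binary, inspect it with `readelf -d` instead (which shows only the
direct NEEDED entries, so the liblzma link will appear on libsystemd, not on
sshd itself).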

It’s unclear what the path forwards is for the xz project. This is obviously an
important system utility for Linux systems, and its current maintainers seem to
be asleep at the wheel — or intentionally steering towards disaster. Expect one
or more hard forks, and then a lot of cleanup work.

This is a developing story. For more, see the Red Hat security alert, the Debian
alert, and the oss-security thread on the subject.

Posted in News, Security HacksTagged backdoor, open source, ssh, xz





34 THOUGHTS ON “SECURITY ALERT: POTENTIAL SSH BACKDOOR VIA LIBLZMA”

 1. rasz_pl says:
    March 29, 2024 at 5:20 pm
    
    >It’s unclear what the path forwards is for the xz project
    
    Yes, I'm sure “libsystemd pulls the liblzma library” is blameless
    
    1. Truth says:
       March 29, 2024 at 5:53 pm
       
       systemd has assimilated so much, it is now a massive attack surface. I
       worked out that one thing that systemd does far better than anything
       else.
       
       
    2. FiveEyesNoPrize says:
       March 29, 2024 at 5:55 pm
       
       Add another entry into the “why systemd is an abomination” omnibus.
       Advocates will rail against sane “alternatives” until they’re blue in the
       face, but they still can’t argue against systemd’s massive attack
       surface.
       
       It almost seems deliberate at this point.
       
       1. ~~~ says:
          March 30, 2024 at 1:53 am
          
          Oh, they will. It’s more like a cult than a piece of software at this
          point.
          
          
       
    3. Gravis says:
       March 29, 2024 at 6:08 pm
       
       I’m down for blaming systemd when it’s at fault but rpm itself depends on
       liblzma.
       
       1. ~~~ says:
          March 30, 2024 at 1:58 am
          
          Does it also depend on the RSA_public_decrypt?
          systemRichard has incorporated everything and the kitchen sink, and so
          the vulnerabilities of the kitchen sink, too.
          
          1. Clancy says:
             March 31, 2024 at 4:44 am
             
             Not specifically but it’s pretty easy to imagine how patching RPM
             with a compromised liblzma is just as much a vector for
             unauthorised remote access given that RPM maintains all system
             packages on relevant distributions, including, y’know, sshd
             
             
          
       2. DebianUserSincePotato says:
          March 31, 2024 at 12:12 pm
          
          The main issue is that most of the places where liblzma gets pulled in
          without introspection are due to libsystemd0 depending on it.
          
          A build of openssh that isn’t built to use libsystemd0 is also not
          linked against liblzma. Even when linked against libsystemd0, sshd is
          not directly linked against liblzma. Instead, libsystemd depends on
          it.
          
          Also, it looks like the xz acting maintainer is an artificial
          identity, and that xz/liblzma was targeted specifically because it’s
          early in the runtime dynamic symbol resolution, so it can manipulate
          the symbol tables before they’re “sealed”/made read-only.
          
          In other words, the bad actor found a useful vector, and spent a
          couple of years building trust, to gain the opportunity to control
          that vector.
          
          libsystemd0 is a reverse dependency of almost everything on a modern
          Debian box, thus is a great place to start looking for an attack
          vector, no matter what your actual target is.
          
          apt-cache rdepends libsystemd0 on my system reports 349 packages
          (mostly services, daemons, or desktop-related). Most are involved in
          separation-of-authority or security contexts in one way or another.
          
          Example of the library dependency tree for sshd on a debian stable
          system (too old to be affected, but demonstrates the attack vector):
          
          /usr/sbin/sshd
          ├── libcrypt.so.1 [ld.so.conf]
          ├── libz.so.1 [ld.so.conf]
          ├── libcrypto.so.3 [ld.so.conf]
          ├── libcom_err.so.2 [ld.so.conf]
          ├── libkrb5.so.3 [ld.so.conf]
          │ ├── libk5crypto.so.3 [ld.so.conf]
          │ │ └── libkrb5support.so.0 [ld.so.conf]
          │ ├── libresolv.so.2 [ld.so.conf]
          │ ├── libkeyutils.so.1 [ld.so.conf]
          │ ├── libkrb5support.so.0 [ld.so.conf]
          │ └── libcom_err.so.2 [ld.so.conf]
          ├── libgssapi_krb5.so.2 [ld.so.conf]
          │ ├── libkrb5.so.3 [ld.so.conf]
          │ ├── libkrb5support.so.0 [ld.so.conf]
          │ ├── libcom_err.so.2 [ld.so.conf]
          │ └── libk5crypto.so.3 [ld.so.conf]
          ├── libselinux.so.1 [ld.so.conf]
          │ └── libpcre2-8.so.0 [ld.so.conf]
          ├── libsystemd.so.0 [ld.so.conf]
          │ ├── libcap.so.2 [ld.so.conf]
          │ ├── liblz4.so.1 [ld.so.conf]
          │ ├── libzstd.so.1 [ld.so.conf]
          │ ├── liblzma.so.5 [ld.so.conf] <——- ATTACK VECTOR
          │ │ └── libpthread.so.0 [ld.so.conf]
          │ └── libgcrypt.so.20 [ld.so.conf]
          │ └── libgpg-error.so.0 [ld.so.conf]
          ├── libpam.so.0 [ld.so.conf]
          │ └── libaudit.so.1 [ld.so.conf]
          │ └── libcap-ng.so.0 [ld.so.conf]
          ├── libaudit.so.1 [ld.so.conf]
          └── libwrap.so.0 [ld.so.conf]
          └── libnsl.so.2 [ld.so.conf]
          └── libtirpc.so.3 [ld.so.conf]
          └── libgssapi_krb5.so.2 [ld.so.conf]
          
          
       
    4. pelrun says:
       March 29, 2024 at 11:33 pm
       
       The real problem is that distro maintainers shouldn’t just be trivially
       patching sshd to pull in more dependencies to fix minor issues. It was
       bound to result in something like this eventually.
       
       
    5. steelman says:
       March 30, 2024 at 12:53 am
       
        It pulls if you tell it to.
       
    
 2. ed says:
    March 30, 2024 at 2:04 am
    
    >It’s unclear what the path forwards is for the xz project
    
    This is an unfortunate way of seeing things.
    
    I am convinced this has happened before and it’s becoming more common.
    Blaming ‘them’ while thinking this would never happen to ‘us’ is making
    everyone more vulnerable to these attacks. This can happen to you, and if
     the open source project you maintain is placed in an interesting place there
    will be attempts.
    
     Code reviews are not effective at catching these issues. Remember the kernel
     bugs introduced by Minnesota university; in fact, every bug in software that
    uses reviews systematically passed the review. We need better systems to
    find these issues, we need software architectures to contain their impact,
    and we need them yesterday.
    
    1. Ostracus says:
       March 30, 2024 at 8:00 am
       
       I remember the firestorm it caused and it (mostly) wasn’t about code
       reviews and their deficiencies.
       
       
    2. limroh says:
       March 30, 2024 at 9:36 am
       
       Maybe something along the lines of including fuzzing in unit-tests?
       
       I’m not much of a coder so the idea is at most half-baked but the way I
       understand your criticism that idea ^^ came up and passed my *smell
       test*…
       
       1. starfall says:
          March 30, 2024 at 2:37 pm
          
          xz was fuzzed.
          
          Jia disabled a feature that would have caught it, with some
          plausible-sounding excuse:
          https://github.com/google/oss-fuzz/commit/d2e42b2e489eac6fe6268e381b7db151f4c892c5
          
          
       
    3. silverwizard says:
       April 1, 2024 at 6:32 am
       
       I think it’s more about the xz maintainer starting this saga burned out,
       and the only help they got was malicious. I doubt this will make them
       less burned out, and I doubt this will make people help them, so what’s
       the path forward?
       
       
    
 3. Klaus Kammerer says:
    March 30, 2024 at 2:30 am
    
    One more reason to only use RTEMS or any other lightweight system where you
    can inspect ALL the code, not just some single throat-smearing executable.
    
    1. nowave7 says:
       March 31, 2024 at 1:46 pm
       
       Umm, you want to replace a full blown rich desktop environment with an
       RTOS?
       
       
    
 4. BT says:
    March 30, 2024 at 3:15 am
    
    Is this a big downside to open source we will see more of in the future?
    
    Much easier for “bad actors” to embed malware deep in the system than
    becoming an employee of a big tech company and doing so from there, or
     writing a virus that has to go propagate itself and go undetected.
    
    1. Klabauterfisch says:
       March 30, 2024 at 3:59 am
       
        Absolutely. This issue is a successful proof of concept. Many more
        developers will be working on backdoors from now on.
       
       
    2. Foldi-One says:
       March 30, 2024 at 5:29 am
       
       I doubt it will really be ‘a big downside’ – yes it clearly happens, even
       takes a while to get caught from time to time but it does get caught
       eventually (or just overwritten by new code as progress is made), and the
       quality of code usually required to be accepted into a OS project makes
       avoiding accidental errors and following the intended logic easier.
       
       With closed source the bad actor (which may even be the company itself)
       can do what it likes, or just code really shoddily thanks to huge time
       pressures on the developers to please the shareholders and nobody outside
       those directly involved with making it that way really know. But as seen
       plenty of times the white/black hats will notice something and if they
       don’t disclose it it could take a major event for anybody else to look
       hard enough to trace the issue.
       
       Or the short versions – obscurity isn’t security, Open source will
       usually get spotted and fixed – in many cases long before the bad new
       stuff gets to the LTS distro of most normal user, where in closed source
       you probably won’t get fixes quickly or even know how and why your system
       was broken…
       
       1. nowave7 says:
          March 31, 2024 at 1:56 pm
          
          Exactly. People still think that big companies are somehow better than
          open source projects. Just look at Meta and the recently revealed
          court case documents stipulating they wholeheartedly went with a full
          blown man in the middle attack, at least against Snapchat, but could
           be worse than that. Sure, they got fined, a measly $90 mil, not
           really a deterrent to stop them from doing similar in the future.
          
          
       
    3. Kleber says:
       March 30, 2024 at 5:40 am
       
        Is it? That is actually an _upside_ of open source. With open
        source someone has the chance of spotting the malicious code, reporting it
        and getting it fixed. And yes, we will see more of that in the future. I hope
        so. I hope vulnerabilities are spotted and promptly fixed instead of
        hidden. With proprietary code it will stay there forever; nobody will ever
        know.
       
       1. Ostracus says:
          March 30, 2024 at 8:03 am
          
          Maybe, but the hackers demonstrate all the time that “proprietary”
          isn’t the barrier people think it is. And one might even argue the
          latter requires a deeper understanding than open-source presents.
          
          1. 0xdeadbeef says:
             March 30, 2024 at 8:19 am
             
             I’d argue that what happened here is the complete opposite of what
             you’re arguing. In this case, a malicious actor managed to take
             over a project which is used by other large projects – and, while
             that could lead to mass compromise, it also meant that that project
             had extreme visibility, causing concern when code fuzzers like
             Valgrind started throwing seemingly spurious errors.
             
             The malicious actor’s method of hiding the exploit to evade early
             detection proved to be his downfall, and that’s because so many
             people were involved in this process.
             
             That’s a resounding endorsement of open source if there ever was
             one.
             
             1. Jan Praegert says:
                March 30, 2024 at 10:11 am
                
                Let’s face it: if there is an organized group of bad actors
                (controlled by governments) with a carefully orchestrated
                approach, then none would notice for a long time.
                
                I wouldn’t attack the OS itself. Way too many egomaniacs
                searching for honor and exposure.
                
                Capture an end-user project that is well liked and almost dead.
                Something like an editor, game thingy, artist tool, music/video
                cutter. Tools that not so tech-savvy users download, update,
                install mods and plugins for without much thinking.
                
                Slowly, very slowly install your own group of bad actors.
                Collect data. Who of us doesn’t have a “passwords.txt” on their
                desktop?
                
             2. 0xdeadbeef says:
                March 30, 2024 at 10:39 am
                
                > I wouldn’t attack the OS itself.
                
                That may well have happened here. Apparently JiaT75 may have
                made some recent xz commits to the kernel as well. We’ll likely
                know soon whether they’re malicious or not – I have very little
                doubt that everything he’s touched is being scrutinized closely.
                
                I stand by what I said – while there seems to be a good chance
                that JiaT75 is a state actor (which further means that ‘he’ is
                more likely a ‘they’, being an actual team behind the JiaT75
                account), this shows that even state actors will have a hard
                time subverting open source code. Impossible, no, but the more
                central any given project is to other projects, the harder it’ll
                be to sneak changes like this under our noses – and yet, for
                state actors to make a given attack worthwhile, they need to
                find projects like xz, with little maintainer involvement and
                central to larger projects.
                
             3. Foldi-One says:
                March 30, 2024 at 3:17 pm
                
                @Jan I’d have to suggest the way open source works doesn’t
                easily allow for a new group of state sponsored computer
                terrorists to take over anything important – look at the pushback
                something like systemd gets, where the developer is a known
                ‘trusted’ entity. To get something actually new, or manage to
                cuckoo into an existing important project to the level it won’t
                be relatively easily noticed or left entirely unused as ‘we are
                quite happy with the current system thanks’, would probably be the
                work of decades.
                
                And you would have to actively be putting out good
                contributions that actually benefit everyone without revealing
                your long term goal to screw it all up, surviving the scrutiny
                and the inevitable patch/feature submitted by somebody outside the
                group that you can’t actually ignore, because if you do your project
                is dead and the fork isn’t yours… The web of trust can’t easily
                be invaded and broken without being noticed, unless you are
                targeting something so on the periphery – like perhaps a
                specific driver for a family of USB devices that are probably
                only really meant to be sold inside the authoritarian regime… As
                there the odds are great that almost nobody has the skills, or
                cares enough about these devices, to look.
                
       
    4. Valentijn Sessink says:
       March 30, 2024 at 9:02 am
       
       Much harder for bad actors to hide code in a codebase when they don’t
       know where it will end up, who compiles it, on what architecture and with
       what, than hiding in a large “secret” codebase that will become a Big
       Product.
       
       Hiding in plain sight is hard. Hiding in plain sight while your hiding
       place is a playground, a work bench and a meeting point at the same time
       is even harder.
       
 5. Robert says:
    March 30, 2024 at 7:48 am
    
    name@PC:~$ liblzma --version
    liblzma: command not found
    name@PC:~$ xz-utils --version
    xz-utils: command not found
    
    So I’m safe from this?
    
    1. 0xdeadbeef says:
       March 30, 2024 at 10:50 am
       
       liblzma is a library, not an executable.
       
       xz-utils is a package, not an executable.
       
       If you’re on a Debian or Ubuntu-based distro (any distribution which uses
       .deb packages, and apt/apt-get/synaptic for package management), you can
       do:
       $ dpkg -l liblzma\*
       Desired=Unknown/Install/Remove/Purge/Hold
       | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
       |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
       ||/ Name           Version      Architecture Description
       +++-==============-============-============-=================================
       un  liblzma2       <none>       <none>       (no description available)
       ii  liblzma5:amd64 5.4.1-0.2    amd64        XZ-format compression library
       
       Debian stable (bookworm, Debian 12) isn’t vulnerable, as it still uses
       liblzma5 5.4.x. Only Debian unstable (sid) and testing pulled 5.6.0 in –
       and those are now reverted to 5.4.5, if you’ve applied updates since this
       issue became public yesterday:
       $ dpkg -l liblzma\*
       Desired=Unknown/Install/Remove/Purge/Hold
       | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
       |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
       ||/ Name             Version             Architecture Description
       +++-================-===================-============-=================================
       un  liblzma2         <none>              <none>       (no description available)
       ii  liblzma5:riscv64 5.6.1+really5.4.5-1 riscv64      XZ-format compression library
       
       Note the version here is ‘5.6.1+really5.4.5-1’, since apt doesn’t allow
       package downgrades without causing significant issues. If you see a
       package version like that, you should be fine.
       
 6. William says:
    March 30, 2024 at 8:09 am
    
    Shows the sense in Linux Mint’s philosophy of being behind the curve with
    updates; users of bleeding edge distros have discovered this nasty before it
    reaches us.
    
    xz -V should let you check if you’re affected; Mint 21 ain’t.
    
    1. 0xdeadbeef says:
       March 30, 2024 at 11:02 am
       
       Any stable (non-rolling, production-ready) distro should similarly be
       unaffected. Debian 12 standardized on liblzma5 5.4.x, so it will never be
       affected, unlike Debian unstable and testing (which pulls packages in
       from unstable until the freeze occurs when the devs get ready to push it
       to production).
       
       Apparently Arch had pulled the compromised package in, given that it’s a
       rolling distribution – but since the exploit explicitly looked for deb
       and rpm package builds (not to mention Arch’s openssh doesn’t have a
       reliance on liblzma, unlike Debian and RH!), it doesn’t appear to have
       included the exploit in the package build for Arch.
       
 7. theschles says:
    March 30, 2024 at 8:54 am
    
    xz is a dependency in many, many macOS Homebrew packages (22 installed packages
    on my system). Today I ran ‘brew update’ and it downgraded my xz:
    
    ==> Upgrading 2 outdated packages:
    …
    xz 5.6.1 -> 5.4.6
    
    1. Gérald says:
       March 31, 2024 at 3:11 am
       
       Just check MacPorts installed packages:
       
       port installed
       …
       xz @5.4.6_0 (active)
       …
       
       So a safe version is installed for the moment.
       
       Now, this post explains that the malicious code in liblzma is checking if
       it has been run explicitly by sshd (and if rr and gdb are available),
       and in this case (only?) is doing its nefarious job.
       
       So it seems that even if anything other than sshd is running infected
       versions of xz, nothing bad should happen.
       
       And since there’s no sshd port in MacPorts, it seems quite unlikely to
       have any problem on macOS because of this virus.
       
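The version checks the commenters above do by hand (0xdeadbeef with dpkg, William with xz -V, theschles with Homebrew, Gérald with MacPorts) can be folded into one defender-side script. The following is an added example written for this page; it is not code posted by any commenter or shipped by the xz project. It assumes that upstream 5.6.0 and 5.6.1 are the affected releases, that a Debian version string such as `5.6.1+really5.4.5-1` really carries the upstream version that follows `+really`, and that the library package is named `liblzma5*` on dpkg systems and `xz-libs` on rpm systems. The version strings handled in the comments are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example for this page, not code from any commenter or from the xz project.
# Classifies an installed xz/liblzma version the way the thread does by hand.
# Assumptions (labelled): upstream 5.6.0 and 5.6.1 are the affected releases;
# a Debian "+really" version carries its true upstream version after "+really";
# dpkg names the library liblzma5*, rpm-based distros name it xz-libs.

# effective_upstream VERSION -> the upstream xz version a package string really carries.
# Handles constructed samples such as "5.4.1-0.2" (Debian), "1:5.6.1-1" (epoch),
# "5.6.1+really5.4.5-1" (Debian downgrade trick), "5.6.1_0" (MacPorts) and "5.4.6".
effective_upstream() {
    _v=$1
    _v=${_v#*:}                                 # drop a Debian epoch ("1:")
    case $_v in
        *+really*) _v=${_v#*+really} ;;         # trust the part after "+really"
    esac
    _v=${_v%%-*}                                # drop a Debian/rpm revision ("-0.2")
    _v=${_v%%_*}                                # drop a MacPorts revision ("_0")
    _v=${_v%%+*}                                # drop any other suffix ("+dfsg")
    printf '%s\n' "$_v"
}

# xz_version_status VERSION -> prints "affected" or "ok"
xz_version_status() {
    case $(effective_upstream "$1") in
        5.6.0|5.6.1) echo affected ;;
        *)           echo ok ;;
    esac
}

# installed_xz_version -> version string from whichever package manager is present,
# falling back to the liblzma line of "xz -V"; prints nothing if none is found.
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W --showformat='${Version}\n' 'liblzma5*' 2>/dev/null | grep . | head -n 1
    elif command -v rpm >/dev/null 2>&1; then
        # rpm -q prints "package ... is not installed" on stdout, so probe first
        rpm -q xz-libs >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz-libs
    elif command -v brew >/dev/null 2>&1; then
        brew list --versions xz 2>/dev/null | awk '{print $2}'          # "xz 5.4.6"
    elif command -v port >/dev/null 2>&1; then
        port installed xz 2>/dev/null | awk '/active/ {sub("^@", "", $2); print $2}'
    elif command -v xz >/dev/null 2>&1; then
        xz -V 2>/dev/null | awk '/^liblzma/ {print $2}'                 # "liblzma 5.4.5"
    fi
}

# main -> report the installed version; exit 0 if ok, 1 if affected, 2 if nothing found.
main() {
    ver=$(installed_xz_version)
    if [ -z "$ver" ]; then
        echo "no liblzma/xz package found via dpkg, rpm, brew, port or xz -V"
        return 2
    fi
    status=$(xz_version_status "$ver")
    echo "installed $ver (upstream $(effective_upstream "$ver")): $status"
    [ "$status" = ok ]
}

# Run the live check only when executed as a script named xz_check.sh;
# sourcing the file just defines the functions for use elsewhere.
case $0 in
    *xz_check.sh) main "$@" ;;
esac
```

Save it as `xz_check.sh` and run `sh xz_check.sh`; the exit status (0 ok, 1 affected, 2 unknown) makes it usable from a fleet-wide inventory job. The `+really` handling is the point 0xdeadbeef raises: a naive string comparison would flag the reverted Debian package as 5.6.1 even though it carries 5.4.5. As the thread also notes, a distro whose sshd does not link liblzma at all was not exposed regardless of version, so a version hit means "update", not "confirmed compromise".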
       
    

