https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/
SECURITY ALERT: POTENTIAL SSH BACKDOOR VIA LIBLZMA
by: Jonathan Bennett, March 29, 2024

In breaking news that dropped just after our weekly security column went live, a backdoor has been discovered in the xz package that could potentially compromise SSH logins on Linux systems. The most detailed analysis so far seems to be by [Andres Freund] on the oss-security list. The xz release tarballs for 5.6.0 (late February) and 5.6.1 (March 9th) both contain malicious code. A pair of compressed files in the repository, disguised as test files, contain the majority of the malicious patch. In practice, this means that looking at the repository doesn't reveal anything amiss, but downloading the release tarballs gives you the compromised code.

This was discovered because SSH logins on a Debian sid system were taking longer, and burning more CPU cycles, than expected. Interestingly, Valgrind was also throwing unexpected errors when run against the liblzma library. That last bit was first noticed on February 24th, immediately after the 5.6.0 release, when the xz-utils package failed its tests on Gentoo builds. One of the xz maintainers, [Jia Tan], weighed in on that Gentoo bug, suggesting that a GCC bug was causing the Valgrind errors. This is the same developer that pushed the malicious archive files and minted the tainted releases. And as if to clear up any remaining doubts, the developer doubled down in a GitHub commit that works around the Valgrind errors and links to a completely unrelated GCC bug report, claiming it to be this issue. At this point, the only reasonable conclusion is that the person in control of the [JiaT75] GitHub account is a malicious actor and is completely untrustworthy.

What's unclear is whether this is still the same developer that has been co-maintaining the project since August 2022. It's possible that [Jia Tan] has always been a bad actor, or that the account has been completely compromised.

WHAT ABOUT SSH?

What may not be clear is the connection to SSH, and it's a trip. Many Linux distros patch sshd to add systemd features, and libsystemd pulls in the liblzma library. That means the liblzma initialization code gets run when sshd starts. In the malicious code, the library checks argv[0], the name of the program being executed, for /usr/bin/sshd. It also seems to check for debugging tools like rr and gdb. If the checks are green, liblzma replaces a few function calls with its own code. It's a complicated dance, but the exploit is specifically looking to replace RSA_public_decrypt. That's a very interesting function to clobber, as it is one of the functions used to validate SSH keys. It's not hard to imagine how malicious code here could check for a magic signature and bypass the normal login process.

The full analysis is still being done; expect more information in the coming days. But the bottom line is that a machine with a patched sshd binary that also has xz packages at version 5.6.0 or 5.6.1 is vulnerable to unauthenticated SSH logins. The good news is that only a few distributions have shipped the 5.6.x series of xz packages: Fedora Rawhide/41 shipped them, as did Debian Testing and Unstable. If you're on an affected system, look for an update right away.

It's unclear what the path forwards is for the xz project. This is obviously an important system utility for Linux systems, and its current maintainers seem to be asleep at the wheel — or intentionally steering towards disaster. Expect one or more hard forks, and then a lot of cleanup work.

This is a developing story. For more, see the Red Hat security alert, the Debian alert, and the oss-security thread on the subject.
* * * * Posted in News, Security HacksTagged backdoor, open source, ssh, xz POST NAVIGATION ← Electrospinning Artificial Heart Valves Experiencing Visual Deficits And Their Impact On Daily Life, With VR → 34 THOUGHTS ON “SECURITY ALERT: POTENTIAL SSH BACKDOOR VIA LIBLZMA” 1. rasz_pl says: March 29, 2024 at 5:20 pm >It’s unclear what the path forwards is for the xz project Yes, im sure “libsystemd pulls the liblzma library” is blameless Report comment Reply 1. Truth says: March 29, 2024 at 5:53 pm systemd has assimilated so much, it is now a massive attack surface. I worked out that one thing that systemd does far better than anything else. Report comment Reply 2. FiveEyesNoPrize says: March 29, 2024 at 5:55 pm Add another entry into the “why systemd is an abomination” omnibus. Advocates will rail against sane “alternatives” until they’re blue in the face, but they still can’t argue against systemd’s massive attack surface. It almost seems deliberate at this point. Report comment Reply 1. ~~~ says: March 30, 2024 at 1:53 am Oh, they will. It’s more like a cult than a piece of software at this point. Report comment Reply 3. Gravis says: March 29, 2024 at 6:08 pm I’m down for blaming systemd when it’s at fault but rpm itself depends on liblzma. Report comment Reply 1. ~~~ says: March 30, 2024 at 1:58 am Does it also depend on the RSA_public_decrypt? systemRichard has incorporated everything and the kitchen sink, and so the vulnerabilities of the kitchen sink, too. Report comment Reply 1. Clancy says: March 31, 2024 at 4:44 am Not specifically but it’s pretty easy to imagine how patching RPM with a compromised liblzma is just as much a vector for unauthorised remote access given that RPM maintains all system packages on relevant distributions, including, y’know, sshd Report comment Reply 2. 
DebianUserSincePotato says: March 31, 2024 at 12:12 pm The main issue is that most of the places where liblzma gets pulled in without introspection are due to libsystemd0 depending on it. A build of openssh that isn’t built to use libsystemd0 is also not linked against liblzma. Even when linked against libsystemd0, sshd is not directly linked against liblzma. Instead, libsystemd depends on it. Also, it looks like the xz acting maintainer is an artificial identity, and that xz/liblzma was targeted specifically because it’s early in the runtime dynamic symbol resolution, so it can manipulate the symbol tables before they’re “sealed”/made read-only. In other words, the bad actor found a useful vector, and spent a couple of years building trust, to gain the opportunity to control that vector. libsystemd0 is a reverse dependency of almost everything on a modern Debian box, thus is a great place to start looking for an attack vector, no matter what your actual target is. apt-cache rdepends libsystemd0 on my system reports 349 packages (mostly services, daemons, or desktop-related). Most are involved in separation-of-authority or security contexts in one way or another. 
Example of the library dependency tree for sshd on a debian stable system (too old to be affected, but demonstrates the attack vector): /usr/sbin/sshd ├── libcrypt.so.1 [ld.so.conf] ├── libz.so.1 [ld.so.conf] ├── libcrypto.so.3 [ld.so.conf] ├── libcom_err.so.2 [ld.so.conf] ├── libkrb5.so.3 [ld.so.conf] │ ├── libk5crypto.so.3 [ld.so.conf] │ │ └── libkrb5support.so.0 [ld.so.conf] │ ├── libresolv.so.2 [ld.so.conf] │ ├── libkeyutils.so.1 [ld.so.conf] │ ├── libkrb5support.so.0 [ld.so.conf] │ └── libcom_err.so.2 [ld.so.conf] ├── libgssapi_krb5.so.2 [ld.so.conf] │ ├── libkrb5.so.3 [ld.so.conf] │ ├── libkrb5support.so.0 [ld.so.conf] │ ├── libcom_err.so.2 [ld.so.conf] │ └── libk5crypto.so.3 [ld.so.conf] ├── libselinux.so.1 [ld.so.conf] │ └── libpcre2-8.so.0 [ld.so.conf] ├── libsystemd.so.0 [ld.so.conf] │ ├── libcap.so.2 [ld.so.conf] │ ├── liblz4.so.1 [ld.so.conf] │ ├── libzstd.so.1 [ld.so.conf] │ ├── liblzma.so.5 [ld.so.conf] <——- ATTACK VECTOR │ │ └── libpthread.so.0 [ld.so.conf] │ └── libgcrypt.so.20 [ld.so.conf] │ └── libgpg-error.so.0 [ld.so.conf] ├── libpam.so.0 [ld.so.conf] │ └── libaudit.so.1 [ld.so.conf] │ └── libcap-ng.so.0 [ld.so.conf] ├── libaudit.so.1 [ld.so.conf] └── libwrap.so.0 [ld.so.conf] └── libnsl.so.2 [ld.so.conf] └── libtirpc.so.3 [ld.so.conf] └── libgssapi_krb5.so.2 [ld.so.conf] Report comment Reply 4. pelrun says: March 29, 2024 at 11:33 pm The real problem is that distro maintainers shouldn’t just be trivially patching sshd to pull in more dependencies to fix minor issues. It was bound to result in something like this eventually. Report comment Reply 5. steelman says: March 30, 2024 at 12:53 am It pulls if you tell</a≥ it to. Report comment Reply 2. ed says: March 30, 2024 at 2:04 am >It’s unclear what the path forwards is for the xz project This is an unfortunate way of seeing things. I am convinced this has happened before and it’s becoming more common. 
Blaming ‘them’ while thinking this would never happen to ‘us’ is making everyone more vulnerable to these attacks. This can happen to you, and if the open source project you maintain is placed im an interesting place there will be attempts. Code reviews are not effective at catching these issues. Remember the kernel bugs introduced Minnesota university, in fact, every bug in software that uses reviews systematically passed the review. We need better systems to find these issues, we need software architectures to contain their impact, and we need them yesterday. Report comment Reply 1. Ostracus says: March 30, 2024 at 8:00 am I remember the firestorm it caused and it (mostly) wasn’t about code reviews and their deficiencies. Report comment Reply 2. limroh says: March 30, 2024 at 9:36 am Maybe something along the lines of including fuzzing in unit-tests? I’m not much of a coder so the idea is at most half-baked but the way I understand your criticism that idea ^^ came up and passed my *smell test*… Report comment Reply 1. starfall says: March 30, 2024 at 2:37 pm xz was fuzzed. Jia disabled a feature that would have caught it, with some plausible-sounding excuse: https://github.com/google/oss-fuzz/commit/d2e42b2e489eac6fe6268e381b7db151f4c892c5 Report comment Reply 3. silverwizard says: April 1, 2024 at 6:32 am I think it’s more about the xz maintainer starting this saga burned out, and the only help they got was malicious. I doubt this will make them less burned out, and I doubt this will make people help them, so what’s the path forward? Report comment Reply 3. Klaus Kammerer says: March 30, 2024 at 2:30 am One more reason to only use RTEMS or any other lightweight system where you can inspect ALL the code, not just some single throat-smearing executable. Report comment Reply 1. nowave7 says: March 31, 2024 at 1:46 pm Umm, you want to replace a full blown rich desktop environment with an RTOS? Report comment Reply 4. 
BT says: March 30, 2024 at 3:15 am Is this a big downside to open source we will see more of in the future? Much easier for “bad actors” to embed malware deep in the system than becoming an employee of a big tech company and doing so from there, or writing a virus that has to go propogate itself and go undetected. Report comment Reply 1. Klabauterfisch says: March 30, 2024 at 3:59 am Absolutely. This issue is a successful proof if concept. Much more developers will be working on backdoors from now on. Report comment Reply 2. Foldi-One says: March 30, 2024 at 5:29 am I doubt it will really be ‘a big downside’ – yes it clearly happens, even takes a while to get caught from time to time but it does get caught eventually (or just overwritten by new code as progress is made), and the quality of code usually required to be accepted into a OS project makes avoiding accidental errors and following the intended logic easier. With closed source the bad actor (which may even be the company itself) can do what it likes, or just code really shoddily thanks to huge time pressures on the developers to please the shareholders and nobody outside those directly involved with making it that way really know. But as seen plenty of times the white/black hats will notice something and if they don’t disclose it it could take a major event for anybody else to look hard enough to trace the issue. Or the short versions – obscurity isn’t security, Open source will usually get spotted and fixed – in many cases long before the bad new stuff gets to the LTS distro of most normal user, where in closed source you probably won’t get fixes quickly or even know how and why your system was broken… Report comment Reply 1. nowave7 says: March 31, 2024 at 1:56 pm Exactly. People still think that big companies are somehow better than open source projects. 
Just look at Meta and the recently revealed court case documents stipulating they wholeheartedly went with a full blown man in the middle attack, at least against Snapchat, but could be worse than that. Sure, they got fined, a measley $90 mil, not really a deterrent to stop them for doing similar in the future. Report comment Reply 3. Kleber says: March 30, 2024 at 5:40 am Is it? That is actually that is an _upside_ of opensource. With open source someone has the chance of spotting the malicious code, report it and get it fixed. And yes, we will see more of that in the future. I hope so. I hope vulnerabilities are spotted and promptly fixed instead of hidden. With proprietary code it will stay there forever nobody will ever know. Report comment Reply 1. Ostracus says: March 30, 2024 at 8:03 am Maybe, but the hackers demonstrate all the time that “proprietary” isn’t the barrier people think it is. And one might even argue the latter requires a deeper understanding than open-source presents. Report comment Reply 1. 0xdeadbeef says: March 30, 2024 at 8:19 am I’d argue that what happened here is the complete opposite of what you’re arguing. In this case, a malicious actor managed to take over a project which is used by other large projects – and, while that could lead to mass compromise, it also meant that that project had extreme visibility, causing concern when code fuzzers like Valgrind started throwing seemingly spurious errors. The malicious actor’s method of hiding the exploit to evade early detection proved to be his downfall, and that’s because so many people were involved in this process. That’s a resounding endorsement of open source if there ever was one. Report comment Reply 1. Jan Praegert says: March 30, 2024 at 10:11 am Lets face it: if there is an organized group of bad actors (controlled by governments) with a carefully orchestrated approach, then none would notice for a long time. I wouldn’t attack the OS itself. 
Way too many egomaniacs searching for honor and exposure. Capture an end-user project that is well liked and almost dead. Something like an editor, game thingy, artist tool, music/video cutter. Tools that not so tech-savvy users download, update, install mods and plugins for without much thinking. Slowly, very slowly install your own group of bad actors. Collect data. Who of us hasn’t his “passwords.txt” on their desktop? Report comment 2. 0xdeadbeef says: March 30, 2024 at 10:39 am > I wouldn’t attack the OS itself. That may well have happened here. Apparently JiaT75 may have made some recent xz commits to the kernel as well. We’ll likely know soon whether they’re malicious or not – I have very little doubt that everything he’s touched is being scrutinized closely. I stand by what I said – while there seems to be a good chance that JiaT75 is a state actor (which further means that ‘he’ is more likely a ‘they’, being an actual team behind the JiaT75 account), this shows that even state actors will have a hard time subverting open source code. Impossible, no, but the more central any given project is to other projects, the harder it’ll be to sneak changes like this under our noses – and yet, for state actors to make a given attack worthwhile, they need to find projects like xz, with little maintainer involvement and central to larger projects. Report comment 3. Foldi-One says: March 30, 2024 at 3:17 pm @Jan I’d have to suggest the way open source works doesn’t easily allow for a new group of state sponsored computer terrorist to take over anything important – look at the pushback something like systemd gets, where the developer is a known ‘trusted’ entity. To get something actually new or manage to cuckoo into an existing important project to the level it won’t be relatively easily noticed or left entirely unused as ‘we are quite happy with the current system thanks’ would be the work of decades probably. 
And as you would have to actively be putting out good contributions that actually benefit everyone without revealing your long-term goal to screw it all up, surviving the scrutiny and the inevitable patch/feature submitted by somebody outside the group that you can’t actually ignore, because if you do your project is dead and the fork isn’t yours… The web of trust can’t easily be invaded and broken without being noticed, unless you are targeting something so on the periphery – like perhaps a specific driver for a family of USB devices that are probably only really meant to be sold inside the authoritarian regime… As there the odds are great that almost nobody has the skills, and cares enough about these devices, to look.

4. Valentijn Sessink says: March 30, 2024 at 9:02 am

Much harder for bad actors to hide code in a codebase where they don’t know where it will end up, who compiles it on what architecture and with what, than hiding in a large “secret” codebase that will become a Big Product. Hiding in plain sight is hard. Hiding in plain sight while your hiding place is a playground, a workbench and a meeting point at the same time is even harder.

5. Robert says: March 30, 2024 at 7:48 am

    name@PC:~$ liblzma --version
    liblzma: command not found
    name@PC:~$ xz-utils --version
    xz-utils: command not found

So I’m safe from this?

1. 0xdeadbeef says: March 30, 2024 at 10:50 am

liblzma is a library, not an executable. xz-utils is a package, not an executable.
If you’re on a Debian- or Ubuntu-based distro (any distribution which uses .deb packages, and apt/apt-get/synaptic for package management), you can do:

    $ dpkg -l liblzma\*
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name           Version      Architecture Description
    +++-==============-============-============-=================================
    un  liblzma2       <none>       <none>       (no description available)
    ii  liblzma5:amd64 5.4.1-0.2    amd64        XZ-format compression library

Debian stable (bookworm, Debian 12) isn’t vulnerable, as it still uses liblzma5 5.4.x. Only Debian unstable (sid) and testing pulled 5.6.0 in – and those are now reverted to 5.4.5, if you’ve applied updates since this issue became public yesterday:

    $ dpkg -l liblzma\*
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name             Version             Architecture Description
    +++-================-===================-============-=================================
    un  liblzma2         <none>              <none>       (no description available)
    ii  liblzma5:riscv64 5.6.1+really5.4.5-1 riscv64      XZ-format compression library

Note the version here is ‘5.6.1+really5.4.5-1’, since apt doesn’t allow package downgrades without causing significant issues. If you see a package version like that, you should be fine.

6. William says: March 30, 2024 at 8:09 am

Shows the sense in Linux Mint’s philosophy of being behind the curve with updates; users of bleeding-edge distros have discovered this nasty before it reaches us. xz -V should let you check if you’re affected; Mint 21 ain’t.

1. 0xdeadbeef says: March 30, 2024 at 11:02 am

Any stable (non-rolling, production-ready) distro should similarly be unaffected.
Debian 12 standardized on liblzma5 5.4.x, so it will never be affected, unlike Debian unstable and testing (which pulls packages in from unstable until the freeze occurs, when the devs get ready to push it to production). Apparently Arch had pulled the compromised package in, given that it’s a rolling distribution – but since the exploit explicitly looked for deb and rpm package builds (not to mention Arch’s openssh doesn’t have a reliance on liblzma, unlike Debian and RH!), it doesn’t appear to have included the exploit in the package build for Arch.

7. theschles says: March 30, 2024 at 8:54 am

xz is a dependency in many, many macOS Homebrew packages (22 installed packages on my system). Today I ran ‘brew update’ and it downgraded my xz:

    ==> Upgrading 2 outdated packages:
    …
    xz 5.6.1 -> 5.4.6

1. Gérald says: March 31, 2024 at 3:11 am

Just check the MacPorts installed packages:

    port installed
    …
    xz @5.4.6_0 (active)
    …

So a safe version is installed for the moment. Now, this post explains that the malicious code in liblzma checks if it has been run explicitly by sshd (and if rr and gdb are available), and in this case (only?) does its nefarious job. So it seems that even if anything other than sshd is running infected versions of xz, nothing bad should happen. And since there’s no sshd port in MacPorts, it seems quite unlikely to have any problem on macOS because of this virus.
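The version checks the commenters above run by hand (dpkg on Debian, xz -V, Homebrew and MacPorts output) pulled into one script, as an added example that is not code from the article or from any commenter. It assumes the compromised upstream releases are 5.6.0 and 5.6.1 (the versions named in the comments), that a Debian "+really" version is a forced downgrade to what follows "+really", and that xz-libs is the RPM package name for liblzma.

```shell
#!/bin/sh
# Added example (not code from the article or its commenters): classify
# xz/liblzma package versions as the comments above do. Assumes the backdoored
# upstream releases are 5.6.0 and 5.6.1, and that a Debian "+really" version
# such as 5.6.1+really5.4.5-1 is a forced downgrade to what follows "+really".

# Effective upstream version: "2:5.6.1+really5.4.5-1" -> 5.4.5, "@5.4.6_0" -> 5.4.6
effective_version() {
    v="${1#@}"                              # MacPorts prefixes versions with "@"
    case "$v" in *+really*) v="${v#*+really}" ;; esac
    v="${v#*:}"                             # drop a Debian epoch such as "2:"
    v="${v%%-*}"                            # drop a deb/rpm revision such as "-1"
    v="${v%%_*}"                            # drop a MacPorts revision such as "_0"
    printf '%s\n' "$v"
}

xz_version_affected() {   # exit status 0 when the effective version is backdoored
    case "$(effective_version "$1")" in 5.6.0|5.6.1) return 0 ;; *) return 1 ;; esac
}

# Emit "source name version" lines from the tools the commenters used.
# xz-libs is assumed to be the Fedora/RHEL package name for liblzma.
report_local_xz() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='dpkg ${Package} ${Version}\n' 'liblzma*' 2>/dev/null || true
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf 'rpm %{NAME} %{VERSION}-%{RELEASE}\n' xz-libs 2>/dev/null || true
    fi
    if command -v xz >/dev/null 2>&1; then
        xz -V | awk '{ print "xz-V", $1, $NF }'  # lines "xz X.Y.Z" and "liblzma X.Y.Z"
    fi
}

# Read "source name version" lines on stdin; print a verdict per line and
# return 1 if any backdoored version was seen, 0 otherwise.
audit_lines() {
    bad=0
    while read -r src name ver; do
        [ -n "$ver" ] || continue           # skip "un" (not installed) entries
        if xz_version_affected "$ver"; then
            printf 'AFFECTED %s %s %s\n' "$src" "$name" "$ver"; bad=1
        else
            printf 'ok %s %s %s (effective %s)\n' "$src" "$name" "$ver" "$(effective_version "$ver")"
        fi
    done
    return "$bad"
}

# Run with --scan to audit the host this script runs on.
if [ "${1-}" = "--scan" ]; then report_local_xz | audit_lines; fi
```

The exit status is non-zero only when a 5.6.0 or 5.6.1 build is reported, so the script can sit in a fleet check as-is.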