Netgate Discussion Forum

    XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

    Off-Topic & Non-Support Discussion
    30 Posts 8 Posters 3.3k Views
    tgl @mcury

      @mcury said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

      That guy, if I'm not mistaken, was there for around two years building reputation..
      That was pretty nasty to say the least.

      Yeah, that indeed is scary. You have to wonder about moles playing equally long games in other projects. I'm assuming this guy was funded by a nation-state's intelligence apparatus, because who else is going to put in that kind of effort? (Or else his account was broken into, but people seem to think not.)

    SteveITS Galactic Empire @mcury

        Writeup in Ars
        https://apple.news/A9xzZKmgVSQOqWrHZsotu-Q

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

    mcury Rebel Alliance @tgl

          @tgl said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

          I'm assuming this guy was funded by a nation-state's intelligence apparatus, because who else is going to put in that kind of effort? (Or else his account was broken into, but people seem to think not.)

          That is the question I'm asking myself right now

          dead on arrival, nowhere to be found.

    mcury Rebel Alliance @SteveITS

            @SteveITS said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

            Writeup in Ars
            https://apple.news/A9xzZKmgVSQOqWrHZsotu-Q

            Hm, so Fedora decided to revert to the 5.4.x versions of xz Utils? That was a different approach than Arch did.
            I'm not sure if that is going to be enough.

            https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/issues/2
            [image attachment]


    mcury Rebel Alliance @mcury

              [image attachment]

              That is something to think about, this guy wasn't shooting randomly..


    SteveITS Galactic Empire @mcury

                @mcury “He has been part of the xz project for 2 years”

                Seems very fortunate it was caught before hitting production Linux releases. Though it sounds like MacOS packages were using it.


    mcury Rebel Alliance @mcury

                  a little history:

                  got this link from EnOS forum:
                  https://boehs.org/node/everything-i-know-about-the-xz-backdoor


    heper @mcury

                    the github repo has been disabled...

                    nice

    tgl @mcury

                      @mcury said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

                      Hm, so Fedora decided to revert to the 5.4.x versions of xz Utils? That was a different approach than Arch did.

                      I'm not following? The discussion you linked showed Arch doing exactly the same thing.

                      It's surely not unreasonable to worry about every version signed by the compromised developer (and I'm confident there are people putting 5.4.x under a microscope right now). My bet though is that the pre-5.6 versions don't actually contain anything dangerous. The developer showed his hand by pushing for 5.6 to be spread rapidly, as he'd not done for the earlier releases.

    stephenw10 Netgate Administrator

                        There's enough pain to go around here! 😬

    mcury Rebel Alliance @tgl

                          @tgl said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

                          The developer showed his hand by pushing for 5.6 to be spread rapidly, as he'd not done for the earlier releases.

                          This is huge, the FOSS community will take time to recover and I think things are going to change permanently from now on..
                          I'm trying to look at it from a different perspective and not witch hunt, as mentioned here in this thread.

                          big blow to the stomach that this was.


    slu @mcury

                            I hope pfSense is not affected, 2.7.2 shows:

                            xz --version
                            xz (XZ Utils) 5.4.4
                            liblzma 5.4.4
                            

                            As far as I can follow the bug report on Debian [1], it's still not clear that reverting to 5.4.5 is enough, since the
                            last version from a trusted person was 5.4.1.

                            [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#72

                            pfSense Gold subscription

    stephenw10 Netgate Administrator

                              In my own personal opinion it's unlikely, because this exploit targeted specific Linux distros: sshd with a patch for systemd integration, which obviously doesn't apply to FreeBSD.

                              However that's only the known exploit. Whilst nothing is known in other versions, we are monitoring the situation closely.

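The two checks discussed above (slu's `xz --version` output and stephenw10's point that the known exploit reached sshd only through the systemd-integration patch, which FreeBSD lacks) can be scripted. The following is an added example written for this thread, not code from Netgate or from the posters: it parses the liblzma version out of `xz --version` text, flags the two releases known to carry the malicious build script (5.6.0 and 5.6.1), and reads `ldd` output for an sshd binary to see whether liblzma is loaded at all. The `xz --version` and `ldd` samples below are constructed for the example; the library paths and load addresses are placeholders, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): classify an installed liblzma version and
# check whether an sshd binary pulls in liblzma. The sample outputs further down
# are constructed to mirror what was posted above; replace them with real
# `xz --version` and `ldd /usr/sbin/sshd` output on a host you administer.

# Print the liblzma version found in `xz --version` text read from stdin.
parse_liblzma_version() {
    awk '$1 == "liblzma" { print $2; exit }'
}

# Exit status 0 when the version is one of the two releases known to contain
# the malicious build script (5.6.0 and 5.6.1); everything else exits 1.
xz_version_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Exit status 0 when ldd output read from stdin shows liblzma being loaded.
# On distros whose sshd is patched for systemd notification, liblzma arrives
# through libsystemd; on FreeBSD sshd does not link it at all.
sshd_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Combine both checks into a single verdict line.
#   $1  liblzma version string, e.g. 5.4.4
#   $2  captured `ldd /usr/sbin/sshd` output
xz_verdict() {
    version=$1
    ldd_text=$2
    if xz_version_backdoored "$version"; then
        if printf '%s\n' "$ldd_text" | sshd_links_liblzma; then
            echo "backdoored liblzma $version AND sshd links it: treat host as compromised"
        else
            echo "backdoored liblzma $version present but sshd does not link it: replace the package"
        fi
    else
        echo "liblzma $version is not a known backdoored release"
    fi
}

# Constructed sample: the output the thread reports for pfSense 2.7.2.
PFSENSE_XZ_OUTPUT='xz (XZ Utils) 5.4.4
liblzma 5.4.4'

# Constructed sample: ldd output for a FreeBSD sshd (no libsystemd, no liblzma).
# Paths and addresses are placeholders.
FREEBSD_SSHD_LDD='    libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x0)
    libc.so.7 => /lib/libc.so.7 (0x0)'

# Constructed sample: ldd output for a Linux sshd carrying the systemd patch,
# where liblzma is pulled in via libsystemd. Paths and addresses are placeholders.
LINUX_SSHD_LDD='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)'

# Run the checks against the constructed samples.
pf_version=$(printf '%s\n' "$PFSENSE_XZ_OUTPUT" | parse_liblzma_version)
xz_verdict "$pf_version" "$FREEBSD_SSHD_LDD"
xz_verdict 5.6.1 "$LINUX_SSHD_LDD"
xz_verdict 5.6.1 "$FREEBSD_SSHD_LDD"
```

The version match is deliberately exact rather than a range comparison: the thread's open question is whether earlier releases from the same maintainer are trustworthy, and a script should report only what is known, leaving that judgement to the reader. The `ldd` check is the part that distinguishes a host that merely has the bad package from one where the backdoor was actually reachable through sshd.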
    mcury Rebel Alliance @stephenw10

                                @stephenw10 said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

                                However that's only the known exploit. Whilst nothing is known in other versions, we are monitoring the situation closely.

                                They are evaluating libarchive now, there are commits from the same developer.
                                What haunts me is that we don't know how deep this is going to go..


    slu @mcury

                                  @mcury said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

                                  What haunts me is that we don't know how deep this is going to go..

                                  Yes, I'm afraid that's not the end of the story, this has the potential for a real nightmare.
                                  But at the moment we can only monitor the situation, as @stephenw10 said.


    JonathanLee

                                    A couple of months ago I was testing OpenVPN and I could see my IP traverse the firewall; however, after I disconnected, something else was connected: an IP address from Digital Ocean's IP block. I have logging enabled on the firewall and you could see the enumeration occurring, so I killed the state and now only allow VPN connections from specific IP addresses. Think about EternalBlue: they patch it, but the bug reappears over and over. Cyber security teams need to stay one step ahead of abuses.

                                    Make sure to upvote

    JonathanLee @mcury

                                      @mcury thanks for sharing, does this affect 230501? Or 230901??


    mcury Rebel Alliance @JonathanLee

                                        @JonathanLee said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

                                        @mcury thanks for sharing, does this affect 230501? Or 230901??

                                        No.
                                        This problem is still under investigation, so everything I'll say and have said before, take with a grain of salt.

                                        According to what has been said on GitHub, Reddit, Phoronix, IRC channels and so on, the targets were RHEL and Debian/derivative distros only.
                                        Arch (which my system is based on and I use every day) was kind of lucky because Arch doesn't use the tarball and openssh does not directly use liblzma.

                                        Also, you would need to have the ssh service enabled and open to the internet.
                                        The backdoor would somehow be able to bypass ssh keys and allow remote control, which by itself is a CVE with a vulnerability score of 10.

                                        But, as I see it, Arch has a lot of homework to do.. this developer was the maintainer of the absolute majority of Arch packages..
                                        Mostly inside Chinese projects, from Deepin to stuff like that.


    JonathanLee @mcury

                                          @mcury thanks for the reply. I wonder about Raspberry Pi also; that does use its own flavor, however you can add on packages to it.


    stephenw10 Netgate Administrator

                                            I believe the only known exploit targeted amd64 only.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.