Netgate Discussion Forum
    XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

    Off-Topic & Non-Support Discussion
    • JonathanLee

      A couple of months ago I was testing OpenVPN and I could see my IP traverse the firewall. However, after I disconnected, something else was connected: an IP address from DigitalOcean's IP block. I have logging enabled on the firewall and you could see the enumeration occurring, so I killed the state and now only allow VPN connections from specific IP addresses. Think about EternalBlue: they patch it, but the bug reappears over and over. Cyber security teams need to stay one step ahead of abuses.

      Make sure to upvote

      • JonathanLee @mcury

        @mcury thanks for sharing, does this affect 230501? Or 230901??

        • mcury @JonathanLee

          @JonathanLee said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

          @mcury thanks for sharing, does this affect 230501? Or 230901??

          No.
          This problem is still under investigation, so everything I'll say and have said before, take with a grain of salt.

          According to what has been said on GitHub, Reddit, Phoronix, IRC channels and elsewhere, the targets were RHEL and Debian/derivative distros only.
          Arch (which my system is based on and I use every day) was kind of lucky, because Arch doesn't use the tarball and OpenSSH does not directly use liblzma.

          Also, you would need to have ssh service enabled and open to the internet.
          The backdoor would somehow be able to bypass SSH keys and allow remote control, which by itself is a CVE with a vulnerability score of 10.

          But, as I see it, Arch has a lot of homework to do.. this developer was the maintainer of the absolute majority of Arch packages..
          Mostly inside Chinese projects, from Deepin to stuff like that.

          dead on arrival, nowhere to be found.

          • JonathanLee @mcury

            @mcury thanks for the reply. I wonder about Raspberry Pi also; that does use its own flavor, however you can add packages to it.

            • stephenw10 (Netgate Administrator)

              I believe the only known exploit targeted amd64 only.

              • tgl @JonathanLee

                @JonathanLee
                You really only need to worry if you are using a bleeding-edge distro that ships very latest upstream packages. xz 5.6.x was new in the last month or two and hadn't made it into anything beyond beta-grade releases of popular distros.

                If it turns out that the compromised developer snuck something exciting into xz 5.4.x, or into other packages that he reportedly worked on, then a lot of people are in for a lot of work. But there's no reason to think that yet.

                We were all very fortunate that this got caught so early ...

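The two conditions mcury and tgl describe above (the backdoor ships only in the xz 5.6.x releases, and sshd is only exposed through it where the distro's sshd build links liblzma, which on Debian and RHEL happens via their libsystemd patch) can be checked on a host in a few lines. The script below is an added POSIX shell example written for this page; it is not code from the thread, from Netgate or from any distro advisory. The affected versions 5.6.0 and 5.6.1 are those named in CVE-2024-3094; the function names, the constructed sample outputs and the fallback path /usr/sbin/sshd are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the forum thread): does this host carry an xz/liblzma
# from the CVE-2024-3094 range, and does its sshd link liblzma at all?
# The checks take their input as arguments so they can run against constructed
# strings as well as the live system.

# Return 0 (affected) when the version string is 5.6.0 or 5.6.1.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version out of `xz --version` output, e.g.
# "xz (XZ Utils) 5.4.1" -> "5.4.1". Only the first line is inspected;
# prints nothing when the input does not look like xz output.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when the given `ldd` output shows liblzma being linked,
# directly or pulled in through libsystemd.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample outputs (not captured from a real host) for a dry run.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_OUTPUT='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5'

# Live check against the running system; prints one verdict per finding.
check_host() {
    ver="$(xz_version_from_output "$(xz --version 2>/dev/null)")"
    if [ -n "$ver" ] && xz_version_affected "$ver"; then
        echo "xz $ver: in the CVE-2024-3094 range, downgrade or rebuild liblzma"
    else
        echo "xz ${ver:-unknown}: not a 5.6.0/5.6.1 build"
    fi
    # Assumed fallback path when sshd is not on PATH.
    sshd="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
    if [ -x "$sshd" ] && ldd_links_liblzma "$(ldd "$sshd" 2>/dev/null)"; then
        echo "$sshd links liblzma: reachable by the backdoor if xz is 5.6.x"
    else
        echo "$sshd does not link liblzma (or is not installed)"
    fi
}

# Run the live check only when asked, so sourcing the file has no side effects.
case "${1:-}" in
    --run) check_host ;;
esac
```

Run it as `sh check_xz.sh --run`. On the Debian 12 system provels reports further down, the first line would come back as "not a 5.6.0/5.6.1 build", since Bookworm stayed on 5.4.1; the second check is the one that tells you whether a future bad liblzma would even reach sshd on that box.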
                • mcury @stephenw10

                  @stephenw10 said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

                  I believe the only known exploit targeted amd64 only.

                  Yes, image taken from GitHub:
                  [attached image]

                  • provels

                    FWIW, my Debian 12 Bookworm sys shows xz (XZ Utils) 5.4.1, liblzma 5.4.1 and was just upgraded a couple days ago.
                    Think they backed down the xz version?

                    Peder

                    MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                    BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                    • mcury @provels

                      @provels said in XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access:

                      FWIW, my Debian 12 Bookworm sys shows xz (XZ Utils) 5.4.1, liblzma 5.4.1 and was just upgraded a couple days ago.
                      Think they backed down the xz version?

                      https://security-tracker.debian.org/tracker/CVE-2024-3094

                      • mcury

                        Alan DeKok (Chief Executive Officer of networkradius.com) speaking about the XZ back door:
                        https://lists.freeradius.org/pipermail/freeradius-users/2024-April/104263.html

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.