Backdoor in `xz` found, affects ssh (linux remote desktop connections)

mrparrot2 (OP)
A backdoor was found in Linux's most used compression library, liblzma, affecting the SSH server service (sshd).

https://www.wired.com/story/jia-tan-xz-backdoor/
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://nvd.nist.gov/vuln/detail/CVE-2024-3094

You can check if you are running an SSH server by running:

$ systemctl status sshd

If it reports itself as being active, then check the `xz` version:

$ xz --version

If it reports 5.6.0 or 5.6.1, your machine was most likely compromised. Update it **immediately**.
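The two-step check above (is sshd active, and does `xz --version` report 5.6.0 or 5.6.1) as a small POSIX shell script. This is an added example, not code from the original post or from the XZ Utils project. It assumes `xz --version` prints a first line of the form `xz (XZ Utils) 5.6.1` and that `systemctl is-active sshd` prints `active` when the service runs; the sample outputs at the bottom are constructed, not captured from a real host, so the parsing can be exercised without xz or systemd installed.

```shell
#!/bin/sh
# Added example: flag the two xz release versions named in the thread (5.6.0, 5.6.1).
# Parsing is kept separate from command execution so it can be tested offline.

# Extract the version number from the first line of `xz --version` output.
# Assumed format (from the post): "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when the version is one of the backdoored releases.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a captured `xz --version` output as affected / clean / unknown
# (unknown = no version string could be parsed, so do not assume clean).
classify_xz_output() {
    ver=$(xz_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif xz_version_is_affected "$ver"; then
        echo affected
    else
        echo clean
    fi
}

# Live check on the current host, following the post's two steps.
# Assumes systemd's `systemctl is-active` and an `xz` binary on PATH.
check_host() {
    if command -v systemctl >/dev/null 2>&1 \
       && [ "$(systemctl is-active sshd 2>/dev/null)" = active ]; then
        echo "sshd is active; checking xz version"
    else
        echo "sshd not reported active (or no systemctl); checking xz anyway"
    fi
    if command -v xz >/dev/null 2>&1; then
        classify_xz_output "$(xz --version 2>/dev/null)"
    else
        echo unknown
    fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Usage: `sh thisscript.sh` runs the live check; the functions above can
# also be sourced and called on captured output, e.g.
#   classify_xz_output "$SAMPLE_AFFECTED"
```

Treat the result as a first screen only: a distribution can ship a patched package that still reports the upstream version string, which is why a later post in this thread recommends checking through the distro's package tooling and advisories rather than the library alone, and an `unknown` result (no parseable version) should be investigated rather than read as clean.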
 

Flame
This story is mad. How did Linux open source remote desktop connections have a backdoor? Who put it there. And the maddest part is a Microsoft employee found it?

LOL!
 

linuxares
> This story is mad. How did Linux open source remote desktop connections have a backdoor? Who put it there. And the maddest part is a Microsoft employee found it?
>
> LOL!

You didn't know that Microsoft makes their own Linux? CBL-Mariner is its name.
 

SylverReZ
> This story is mad. How did Linux open source remote desktop connections have a backdoor? Who put it there. And the maddest part is a Microsoft employee found it?
>
> LOL!

Long story short, a user who was a contributor for the project added the backdoor in question.

[image attachment: xz-backdoor-graphic-thomas-roccia-640x896.jpg]
 

Flame
> You didn't know that Microsoft makes their own Linux? CBL-Mariner is its name.

I know it does help Linux in ways. But when I think of Linux I think of distros such as Ubuntu, Fedora and Arch and what not.

Yes, I know Linux is a kernel and not a distro.
 

Sir Tortoise
Open-source is a nice way to work but it's not a magic shield against malware. Makes me wonder what else is compromised and hasn't been big enough to luck into having someone actually check it.
 

mrparrot2 (OP)
> This story is mad. How did Linux open source remote desktop connections have a backdoor? Who put it there. And the maddest part is a Microsoft employee found it?
>
> LOL!

Here is the catch: the attacker compromised liblzma (a library of compression algorithms), which is used by sshd (remote desktop). At some point in sshd's execution it will call a function in liblzma to uncompress something, and that is the point where the malicious code takes action.

> Open-source is a nice way to work but it's not a magic shield against malware. Makes me wonder what else is compromised and hasn't been big enough to luck into having someone actually check it.

Yes. If someone compromises even more basic stuff (like a compiler or linker, for example), the attack could in theory embed their malicious code in every generated binary. This kind of attack is very nasty and I think we should expect attempts of this sort to happen more often.

This kind of thing has already been shown to be quite dangerous by Ken Thompson himself in 1984: http://wiki.c2.com/?TheKenThompsonHack
 

tech3475
So far it only seems to be unstable/bleeding edge distros which are affected e.g. Arch. Fortunately it seems to have been caught before entering any stable/LTS releases.

Also, I've heard that it's been advised to use the distro's repo software as opposed to checking the library directly.

> And the maddest part is a Microsoft employee found it?

The story goes that the MS employee noticed SSH was slower on the newer release and upon further investigation discovered the exploit.

> Open-source is a nice way to work but it's not a magic shield against malware. Makes me wonder what else is compromised and hasn't been big enough to luck into having someone actually check it.

Open source as a security measure is only as good as the people auditing it. Unaudited code is effectively no different from a binary blob otherwise, IMO.

That said, in this case it was the 'tarballs' which were targeted; the actual source code itself was fine when used in a certain way so as not to trigger the exploit.

Apparently though there has been a scramble to audit other projects the username has worked on.

> Here is the catch: the attacker compromised liblzma (a library of compression algorithms), which is used by sshd (remote desktop). At some point in sshd's execution it will call a function in liblzma to uncompress something, and that is the point where the malicious code takes action.

Should point out it wasn't the creator of XZ but someone taking over from them due to burnout.
 
