Attempted backdoor on ssh

[dada_dave]

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

abadidea (@0xabad1dea@infosec.exchange)

so after blearily reading a bunch of blog posts immediately before bed I have come to the conclusion that only one month between the commits and Andres Freund sending what I hope is the most dramatic mailing list post of their career is actually a pretty good turnaround, this could have easily...

infosec.exchange

Basically someone successfully inserted a backdoor into an upstream tarball for a library ssh relies on and thus compromising any server using Linux. It was discovered thanks to performance regressions and some valgrind errors on some systems.

Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux
distributions, and where they have, mostly in pre-release versions.

 

[dada_dave]

Mike Sheward (@SecureOwl@infosec.exchange)

people are saying the xz backdoor is likely the work of a nation state actor, and given that it appears to been slow rolled for a couple of years and immediately became obsolete before it was fully launched - you do have to admit it bears the hallmarks of a government IT project

infosec.exchange

Gordon Messmer (@gordonmessmer@fosstodon.org)

The least surprising thing about the xz vulnerability is that it happened to a widely used project after a maintainer hand-off. We've seen exactly the same thing repeatedly in npm, pypi, browser extensions, and other code marketplaces. Humans don't last forever. Hand-off is inevitable. And I've...

fosstodon.org

Small projects create big risks.
Sustainability is a security concern.

 

[Andropov]

Two years, more than 400 commits. The amount of dedication needed... and it was only caught by a chain of coincidences. Wow.

 

[jbailey]

If you use homebrew or MacPorts you likely have the 5.6.1 version. For homebrew:

brew upgrade

It isn’t likely that your Mac is compromised but xz has been downgraded to 5.4.6 for both brew and MacPorts.

The back door specifically targeted x86-64, Debian, and systemd so it is unlikely that any macOS is targeted but downgrade anyway.

 

[Andropov]

If you use homebrew or MacPorts you likely have the 5.6.1 version. For homebrew:

brew upgrade

It isn’t likely that your Mac is compromised but xz has been downgraded to 5.4.6 for both brew and MacPorts.

The back door specifically targeted x86-64, Debian, and systemd so it is unlikely that any macOS is targeted but downgrade anyway.

Interestingly I had 5.4.5

 

[jbailey]

Interestingly I had 5.4.5

I definitely had 5.6.1 with Python3.8 and something else (I forget). You probably haven’t done a brew update in a while.

 

[Nycturne]

I definitely had 5.6.1 with Python3.8 and something else (I forget). You probably haven’t done a brew update in a while.

I also had 5.4.5.

It looks like 5.6.0 was released on Feb 24th, so it's been about 35 days that the exploit has been in the wild for people on bleeding edge. I'm a bit surprised how quickly Brew picked up the package, to be honest.

 

[dada_dave]

Mike Sheward (@SecureOwl@infosec.exchange)

people are saying the xz backdoor is likely the work of a nation state actor, and given that it appears to been slow rolled for a couple of years and immediately became obsolete before it was fully launched - you do have to admit it bears the hallmarks of a government IT project

infosec.exchange

Gordon Messmer (@gordonmessmer@fosstodon.org)

The least surprising thing about the xz vulnerability is that it happened to a widely used project after a maintainer hand-off. We've seen exactly the same thing repeatedly in npm, pypi, browser extensions, and other code marketplaces. Humans don't last forever. Hand-off is inevitable. And I've...

fosstodon.org

Small projects create big risks.
Sustainability is a security concern.

More on this aspect of the attack:

A Microcosm of the interactions in Open Source projects

Originally a thread on Twitter about the xz/liblzma vulnerability, when I finished typing it, I realized I had a real world slice of Open Source interaction that deserved more attention.

robmensching.com

It makes for some chilling reading where the attacker took advantage of a maintainer being behind and struggling with mental health issues and then “helpfully” offered the solution of taking over using the usual online gang up to effectively force the original person out.

As the article states, this is so prevalent in open source software that this behavior alone wouldn’t even register as an attack.

 

[dada_dave]

On the other hand

Though I’d describe it more as a undocumented middle door for the Boeing plane

 

[Yoused]

Well, the middle door itself was not undocumented. Prettymuch everyone knew it was there. Just, no one expected it to get used in flight.

 

[dada_dave]

Well, the middle door itself was not undocumented. Prettymuch everyone knew it was there. Just, no one expected it to get used in flight.

True

 

[ArgoDuck]

Well, the middle door itself was not undocumented. Prettymuch everyone knew it was there. Just, no one expected it to get used in flight.

An undocumented feature of the door perhaps

 

[mr_roboto]

IIRC, the undocumented thing was the bolts which got left out when the door was reassembled. As in, if they were following good process, all the parts taken off the aircraft should have been labeled and stored such that at the end of the job, they could inventory stored parts and easily see "hey there's some bolts here which weren't ever reinstalled!" Or even just look at the paper trail.

 

[Cmaier]

IIRC, the undocumented thing was the bolts which got left out when the door was reassembled. As in, if they were following good process, all the parts taken off the aircraft should have been labeled and stored such that at the end of the job, they could inventory stored parts and easily see "hey there's some bolts here which weren't ever reinstalled!" Or even just look at the paper trail.

Or even a checklist for the repair (which apparently they did a lot), which required someone to take responsibility and initial that each step was completed.