[BCLUG] [DISCUSS] Backdoor found in widely used Linux utility

Ron / BCLUG admin at bclug.ca
Sat Mar 30 03:40:21 EDT 2024


L. V. Lammert wrote on 2024-03-29 13:08:

> Seems to make the case to only use standard tools like gzip?

Nah, reading further on it (comments on ArsTechnica.com are great - lots
of links to follow), this compromises ssh, you don't need xz.


There's some talk that issues with Postgres and Valgrind were spotted a
while back; unsure if related but sounds quite similar.


Debian, Ubuntu, Macs, and Fedora were all targeted. Mac's "brew" had an
upgrade today of xz from v5.6 to v5.4 - so it was rolled back there.

Ubuntu didn't include the changes; Debian and Fedora did, briefly (as I
understand it).


This could have been on the scale of HeartBleed or larger. If all the
computers running sshd on Debian and Fedora had this vulnerability on
them, it'd be catastrophic.

À la SolarWinds, etc.


The questions being asked are, who is Jia Tan (JiaT85), and the others
who petitioned to get these updates into other packages - they have
Scandinavian and Indian names, popped up like sock puppets requesting
these "new features in xz get merged", then disappeared.



This was only discovered because someone happened to be testing
something and a ½ second delay in rejecting ssh connections caught his
attention.

Wow, we all just dodged a bullet.


Oops, Kali Linux distributed the backdoor'd code:

https://www.kali.org/blog/about-the-xz-backdoor/

> The impact of this vulnerability affected Kali between March 26th to 
> March 29th, during which time xz-utils 5.6.0-0.2 was available. If 
> you updated your Kali installation on or after March 26th, but
> before March 29th, it is crucial to apply the latest updates today
> to address this issue.


The Linux kernel uses xz for squashfs compression:

https://lore.kernel.org/lkml/20240320183846.19475-1-lasse.collin@tukaani.org/t/



It seems to have made its way into Debian Sid:

> After observing a few odd symptoms around liblzma (part of the xz
> package) on Debian sid installations over the last weeks (logins with
> ssh taking a lot of CPU, valgrind errors) I figured out the answer:
> 
> The upstream xz repository and the xz tarballs have been backdoored.

https://www.openwall.com/lists/oss-security/2024/03/29/4



> Careful: the exploit code ends up in liblzma, which on typical binary
> distributions package separately from xz-utils. On vulnerable
> distributions, that package gets pulled in (without pulling in
> xz-utils) when installing sshd.
> 
> So whether the distribution included xz-utils by default doesn't
> affect whether you're vulnerable.

https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/?comments=1&post=42712832
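The two practical points in the thread are the version that went out (the 5.6 series, e.g. Kali's 5.6.0-0.2, rolled back to 5.4 elsewhere) and the quoted warning that liblzma reaches sshd even where xz-utils itself is never installed. The script below is an added example, not code from the thread, the distributions or the xz project: it checks the installed liblzma version against the 5.6.x range the thread discusses and whether the local sshd binary links liblzma at all. The function names, the sample `xz --version` and `ldd` output, and the treatment of every 5.6.x release as "affected" are assumptions for illustration; `xz --version`, `ldd` and `command -v` are standard tools.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the xz project).
# Two defender-side checks: is the installed liblzma one of the 5.6.x
# releases discussed in the thread, and does the local sshd link liblzma
# (the quoted point: sshd pulls the library in even without xz-utils).

# Return 0 when VERSION is in the 5.6.x series the thread treats as affected,
# including distro-suffixed forms such as "5.6.0-0.2" from the Kali notice.
# Assumption: the whole 5.6.x range is treated as suspect; adjust as needed.
xz_version_affected() {
    case "$1" in
        5.6|5.6.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the liblzma version out of `xz --version` output, passed as a string
# so the parser can be exercised offline; prints e.g. "5.4.5".
liblzma_version_from_output() {
    printf '%s\n' "$1" | awk '/^liblzma/ { print $2; exit }'
}

# Return 0 if ldd-style output (passed as a string) shows a liblzma.so entry,
# 1 otherwise. If sshd's link map lists liblzma, the library version matters
# on that host regardless of whether xz-utils is installed.
ldd_output_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.0
liblzma 5.6.0'
SAMPLE_LDD_OUTPUT='	linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Live checks against the local system; each is skipped if the tool is absent.
if command -v xz >/dev/null 2>&1; then
    v=$(liblzma_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$v"; then
        echo "liblzma $v: in the 5.6.x series, update or roll back now"
    else
        echo "liblzma $v: not a 5.6.x release"
    fi
fi
if command -v sshd >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
    if ldd_output_links_liblzma "$(ldd "$(command -v sshd)" 2>/dev/null)"; then
        echo "sshd links liblzma: the liblzma version above applies to sshd"
    else
        echo "sshd does not link liblzma"
    fi
fi
```

Run it as-is on a host to get both answers; the functions take their input as strings so the same logic can be fed saved `xz --version` and `ldd` output collected from other machines. Note that the liblzma check only says whether the library is loaded by sshd, not which version; pair it with the version check from the same host.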