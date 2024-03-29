xz-utils are compromised and inject malicious code
= Debian:
Debian Security Advisory DSA-5649-1
[SECURITY] [DSA 5649-1] xz-utils security update
Package : xz-utils
CVE ID : CVE-2024-3094
Andres Freund discovered that the upstream source tarballs for xz-utils,
the XZ-format compression utilities, are compromised and inject
malicious code, at build time, into the resulting liblzma5 library.
Right now no Debian stable versions are known to be affected.
Compromised packages were part of the Debian testing, unstable and
experimental distributions, with versions ranging from 5.5.1alpha-0.1
(uploaded on 2024-02-01), up to and including 5.6.1-1. The package has
been reverted to use the upstream 5.4.5 code, which we have versioned
5.6.1+really5.4.5-1.
Users running Debian testing and unstable are urged to update the
xz-utils packages.
For the detailed security status of xz-utils please refer to
its security tracker page at:
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
= Red Hat:
"What distributions are affected by this malicious code?
Current investigation indicates that the packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem.
No versions of Red Hat Enterprise Linux (RHEL) are affected.
We have reports and evidence of the injections successfully building in xz 5.6.x versions built for Debian unstable (Sid). Other distributions may also be affected. Users of other distributions should consult with their distributors for guidance."
= OpenWall: (With more details at openwall link above)
"After observing a few odd symptoms around liblzma (part of the xz package) on
Debian sid installations over the last weeks (logins with ssh taking a lot of
CPU, valgrind errors) I figured out the answer:
The upstream xz repository and the xz tarballs have been backdoored.
At first I thought this was a compromise of debian's package, but it turns out
to be upstream."
(Score: 5, Interesting) by AlwaysNever on Saturday March 30, @07:45AM (6 children)
...to compromise sshd via the systemd dependency on the compromised xy library.
Thanks, systemd.
(Score: 3, Insightful) by janrinok on Saturday March 30, @08:03AM (5 children)
It wouldn't matter which OS you were using, if you get a compromised package into your system then anything that depends on that package will be compromised too. I understand your systemd hate, but that isn't the issue here. The problem is that there are no checks being made by a second person on code commits upstream.
(Score: 5, Insightful) by Unixnut on Saturday March 30, @08:27AM (4 children)
I think his point was that sshd would not have been vulnerable had it not needed to interface with systemd for notifications. That was the requirement that pulled in the xz library which resulted in this compromise.
I generally agree with the sentiment that core systems for things like remote access (i.e. ssh) should have the smallest attack surface possible and therefore should avoid any dependencies that are not critical to its functioning. Integrating systemd notifications is one of those "non critical" functions, especially as there are alternative ways to notify systemd that doesn't involve library integration.
Thankfully I only run BSD and Devuan stable, and have checked that my versions are not vulnerable, however for others this could be quite a headache to deal with.
(Score: 3, Insightful) by janrinok on Saturday March 30, @09:55AM (3 children)
I understood that.
For me, the fact that nobody is checking commits into a repo is a much more serious problem. I have several programs that use xz-utils (current version 5.2!) so which one of them should shoulder the blame is less important to me. If you read other links by searching on Goog, then you will find a lot of discussion about 'how' this could have happened.
(Score: 5, Interesting) by canopic jug on Saturday March 30, @10:50AM (2 children)
Here is a writeup at somewhat dodgy site, Substack, but forwarded via the OpenBSD Misc mailing list. OpenBSD, the developers of OpenSSH, have a stake in this:
At some point some Linux distros make their edition of OpenSSH dependent on systemd. Then, seeing that, apparently someone tracked down a systemd dependency where there was a single, tired, and ailing maintainer. Then a fake persona was set up followed by a slew of sock puppet accounts pushing the original, lone, tired, and ailing maintainer to hand over the reins. Once in charge, the fake account did maintenance for a while before eventually using the increased access to ease a well hidden backdoor inside one of the build scripts.
Systems which do not use systemd, and instead follow the KISS principle, are obviously not affected.
With the rebuilding of the Soylent News servers in the future, I hope that an OS or distro without SystemD is deployed. On the server, there's no excuse ever for systemd.
(Score: 1, Disagree) by gnuman on Saturday March 30, @02:22PM (1 child)
Wait, is this the argument along the lines of "but what was she wearing"? Because systemd had nothing to do with this attack vector. If maintainers don't want, they can turn off systemd integration. Easy.
https://docs.kernel.org/staging/xz.html [kernel.org]
The so called "poorly maintained library" had a kernel module to accelerate things. Similarly, zlib has dedicated hardware acceleration on specific architectures.
So, how about we blame the malicious actor that planned adding these things months, if not years, ahead of time via fake "example of corrupted archive" in test data? This exploit was not enabled in the git repo. It was enabled in the release tarball only. The git repo that actually had reviewed code didn't have this exploit activated.
(Score: 5, Insightful) by canopic jug on Saturday March 30, @02:42PM
The vector for the OpenSSH compromise was via a library required by systemd. On systems without systemd, and without systemd being tied into OpenSSH, there is no problem for OpenSSH. See the linked article in my post above.
Furthermore, turning off systemd integration is very hard. It's not a trivial task, such as being a matter of a configuration setting. Observe the enormous effort required to sanitize packages from Debian to create systemd-free Devuan. It's not easy work in the least and, on top of that, there is an increasing volume that work to do as systemd metastasizes further through out Debian varied packages.
At the end of the day it comes down to xz being compromised with some really obfuscated code which activates only in OpenSSH. Having a bad copy of xz won't in and of itself let your system get breached. However, having xz compromise an Internet-facing OpenSSH daemon via systemd will. The offending xz code is still being analyzed so this is really a developing story and could have gone under the Breaking News category instead.
(Score: 3, Interesting) by bzipitidoo on Saturday March 30, @08:53AM (5 children)
I suppose better security for Linux is overdue. For native Linux virus scanners, I know of only ClamAV. In general Linux security depends too much on system and network administrators checking things manually and keeping a sharp eye open for anything anomalous.
How do you detect this? By noticing that /var/log/messages has recorded a lot of remote logins via ssh? Even if intruders don't cover their tracks by erasing such evidence from the logs, that method still involves finding out that your system is compromised well after the fact. So, by hearing this news that xz might be compromised? Then, if you try "xz --version" of course you may be running the compromised code. File tells you some things about a binary, but not the version. To find out which version I had without running it, I settled on a hexdump of the xz binary, and a search through that for "5.4" and "5.6". And I found the version number almost right away. I have 5.4.6. With that assurance that I didn't have the compromised version, I verified that xz self-reported the same version number.
(Score: 2) by PiMuNu on Saturday March 30, @08:56AM
For apt users, I believe 'apt-show-versions' will work, unless the apt setup has been compromised in some improbable way.
(Score: 2) by DrkShadow on Saturday March 30, @11:06AM
This is such a dumb question. I'm going to have to edit my definition of "dumb question," because this is one.
You either already are running it, it's *already loaded* into your SSHD, or you're not vulnerable. Or, MAAAYBE, you have installed openssh server but you don't have it set up to RUN. (Such people are not asking this question.)
So check it or forever wonder.
(Score: 2) by Rich on Saturday March 30, @11:57AM
What can you do against such upstream attacks with a "virus scanner"? These look legit until they are discovered and then the notification path through your distro upgrade is one stop shorter than through any anti-malware solution and then through your distro upgrade.
A scanner can point out something that is supposed to be not there. It is outclassed by a sealed base system (*), which makes sure that everythis is as it is supposed to be. Beyond that it's trust in the upstream suppliers. Did anyone grill the people (or "people") responsible for the Debian PRNG and Apple "goto fail" issues about what went on? Will anyone investigate what was behind "Jia Lin"?
Sidenote: It was bizarre that this was discovered by some guy at Microsoft, and I'd assume that he was not part of any conspiracy, because the number of conspirators has to be kept small to keep the secret from leaking. If a great number of people were involved in such operations, someone would eventually become disgruntled and disclose and/or defect.
(*) tough for me to write this, but asl long as you can unseal/seal yourself without penalty, it should be fine.
(Score: 1, Informative) by Anonymous Coward on Saturday March 30, @12:53PM
The exploit is in liblzma rather than xz itself, and that code checks if the calling program is sshd - running xz itself is not dangerous, and there's little danger on a non-systemd or non-linux install. This exploit isn't going to effect anyone running a server, because they're almost certainly not running unstable releases.
(Score: 3, Interesting) by Mojibake Tengu on Saturday March 30, @04:40PM
Any intrusion into system base component is unmanageable. It is essential to keep system base small, for sanity of code auditors. Existence of (statically linked) /sbin in Unix was part of that sanity effort, for decades.
On the contrary, Linux corporates generate marketing pressure by system base design bloat. It's economic decision, though anti-engineering.
Demolition of /sbin, introduction of systemd, removal of operator account, all courtesy of Linux distros corporations, was instrumental in overall decreasing robustness of Linux platforms.
At first glance all that looks pure stupid, but there is a strict strategy behind that. It's a Microsoft/Apple model of business narcissistic first rule (of eight classical narcissist rules) undermine others in an attempt to gain power or feel superior.
Perhaps they will need to learn the harder way one day.
(Score: 5, Interesting) by PiMuNu on Saturday March 30, @08:54AM (7 children)
The good news is that this was caught, within two months and before it hit stable (also in my distro). The bad news is that it was probably quite a novice bad person doing the hacking, given the sorts of errors that they produced. A more professional person would not make these sorts of errors. Would it be caught? (Or better question - what hasn't been caught?)
(Score: 4, Insightful) by pTamok on Saturday March 30, @12:48PM (3 children)
Or better question - what hasn't been caught?
You are on the nose with that question.
Which is the reason that (security-related) 'stuff' should be a simple as possible, and audited to hell and back.
It is stunning that there is no standardised secure hardware for running a password manager (and keeping other secrets). People use 'smart'phones, which are basically a set of security vulnerabilities in solid form. PCs are little better (but don't generally have a broadband processor).
Almost no-one takes security seriously. And on that point, Prof. Ross Anderson died yesterday.
https://en.wikipedia.org/wiki/Ross_J._Anderson [wikipedia.org]
https://news.ycombinator.com/item?id=39864210 [ycombinator.com]
A great loss to the security community.
(Score: 4, Informative) by canopic jug on Saturday March 30, @12:56PM (2 children)
A more appropriate link covering the death of security specialist Ross Anderson at Cambridge would be the post RIP Ross Anderson [lightbluetouchpaper.org] at The Light Blue Touch Paper at the University of Cambridge, where he worked. It's not nice to steer traffic to the censorious, anti-FOSS orange sites. Of his works, the Security Engineering: A Guide to Building Dependable Distributed Systems [cam.ac.uk], 3rd Edition, is well worth looking at.
(Score: 2) by turgid on Saturday March 30, @03:59PM (1 child)
Is Hacker News anti-FOSS?
(Score: 0) by Anonymous Coward on Saturday March 30, @05:18PM
More pro-corporate and pro-monetization-of-everything than anti-FOSS. The "hacker" contingent doesn't speak anywhere near as loudly as the "tech-bro-with-an-IPO" and contingent.
(Score: 5, Interesting) by gnuman on Saturday March 30, @02:26PM (2 children)
This wasn't a novice doing the haxing. This took some planning and effort and obfuscation. It was caught only because someone was investigating a performance regression. Think about it.
The crux of the problem is that we are not even checking if the release tarball contains the sources from the git repo. In this case, it didn't.
(Score: 2) by turgid on Saturday March 30, @03:47PM
People are way too lax in general about software quality. It's drudge work, but it's important.
(Score: 2) by canopic jug on Saturday March 30, @04:36PM
The crux of the problem is that we are not even checking if the release tarball contains the sources from the git repo. In this case, it didn't.
xz sounded like a one-man show which is hard on everybody not the least on the maintainer himself. It's ok to put put projects on ice and deaccession packages. With only one maintainer, xz could have been removed. As a positive example in that regard, the OpenBSD project has no qualms about dropping services, components, and such from its base system on the occasions when there is not a developer available to act as steward. Even with a steward, the code is not modified in isolation. From what I understand, all modifications by developers have to be approved by two other developers able to audit the modification. Third party contributions go through one of the approve developers.
At least at this early stage when so little is known about the injected code, it looks like following that model would have prevented the backdoor from entering the code base: In the one case, xz would have been retired due to lack of developer support. In the other case, two other developers would have reviewed the code changes and might have caught the sneaky trick before adding it to the official code base.
However, all of that also depends on valuing and prioritizing simplicity, correctness, and clarity. Much of the reason for the ever increasing complexity of the Linux distros seem to be non-technical and political. Complexity steers control of project over to the investors which can afford top work past the complexity. Sadly as side effect of the complexity is reduced security. In contrast, simplicity not only enhances security (audibility, plus if it's not there it can't break) it first and foremost decentralizes control and governance. That rubs some groups, including the powers that be, the wrong way.
(Score: 4, Interesting) by turgid on Saturday March 30, @04:12PM
This reminds me of something I stumbled upon a few years back "Xz format inadequate for long-term archiving [nongnu.org]." It's more to do with the general design of the container format, but it was never great to begin with. Once I read that I started to use lzma instead for new stuff.
(Score: 0) by Anonymous Coward on Saturday March 30, @05:06PM
This is the price that is paid by Lennart and RedHat betraying the original philosophy of doing one thing and doing it well. I understand there are positives introduced by systemd, that certain features exist and problems are solved such as guaranteeing the correct order of service launching and so on... But at the expense of making an exploit like this possible is a raw deal.
Here on Gentoo with OpenRC I'd be immune anyway, but the gentoo package tree has already pushed a downgrade to 5.4.2 for xz-utils (because Gentoo allows users to build with systemd if desired, so those system owners would be relevant). As for Raspbian I saw an "upgrade" to this version: xz-utils (5.6.1+really5.4.5-1).
