Email or username:

Password:

Forgot your password?
Kevin Beaumont

HT to @wdormann here - somebody has backdoored the open source project XZ which has downstream impacts.

For example, although OpenSSH doesn’t use XZ, Debian patch OpenSSH and introduced a dependency which translates as the XZ changes introducing a sshd authentication bypass backdoor it appears.

One dude bothered to investigate in his free time about why ssh was running slow, so it was caught fairly early - i.e. hopefully before distros started bundling it.

openwall.com/lists/oss-securit

56 comments
Kevin Beaumont

Worryingly it looks like the backdoor comes via one of the two main devs and dates back over a month from their GitHub account, with legit commits too - XZ is used in systemd so this one might play out for a while.

Ed Maste

@GossiTheDog We're incredibly lucky that it wasn't more sophisticated, or it may have gone unnoticed for a long time.

Alex Haydock

@emaste @GossiTheDog Pretty wild that the implication is that this particular backdoor was only caught because it was coded badly enough to have a significant performance impact. What if it’d been better written, I wonder?

Kevin Beaumont

@alexhaydock @emaste long lasting backdoor, wouldn’t be the first time

Kevin Beaumont

I suspect distros probably want to roll XZ back to around January 2024, stop bundling updates until the developer is removed in GitHub or a logical explanation can be given, and somebody needs to fund a code review of it.

Kevin Beaumont

Here we go: bleepingcomputer.com/news/secu

As I said, the impact here will be very limited due to how quick it was caught. Everybody owes the finder a beer.

Tryst

@GossiTheDog I'm sure the FBI will thank him in their traditional fashion for cyber security saviours

Dan McDonald

@GossiTheDog indeed we do.

This exploit was carefully aimed at Linux using systemd launched SSH. We non Linux folks can breathe a hair easier but who knows what else is going on. Don't panic but definitely be cautious.

Toasterson

@GossiTheDog That specific dev contributed to wasmtime etc too. So more projects need audits.

Kevin Beaumont

Postgre developer @AndresFreundTec saving Linux security from backdoors as a side of desk activity

NosirrahSec 🏴‍☠️

@GossiTheDog @AndresFreundTec

"Oops, I just stopped a massive operation that could have brought down everything under the sun, accidentally." *flexes*

Kevin Beaumont

The person/account on XZ repo also altered the security disclosure policy on that and other repos they author in months prior.

jbaggs

@GossiTheDog That's interesting. So basically removed all of the requests for specific information, and left reporting as: "send us an email or something"?

Kevin Beaumont

@jbaggs yeah. So they changed one to “If you discover a security vulnerability in this project please report it privately. Do not disclose it as a public issue.” as an example. Looks like a long game attack.

jbaggs

@GossiTheDog I had just looked at the one on xz. That's definitely worse.

jaark

@GossiTheDog

How long before the numpties begin combining this with their Baltimore bridge cyber conspiracy theories?

Kevin Beaumont

Interesting find by @fuomag9 - the XZ repo person tried getting Ubuntu to update yesterday by filing a bug report bugs.launchpad.net/bugs/205941

Kevin Beaumont

The Twilight zone time - a bug from 2015 comes back around in XZ incident, it appears github.com/google/sanitizers/i

uoxc

@GossiTheDog wait, are we at "implementing features to get plausible deniability for evading vuln scanning?"

Because if so this feels quite novel. At the very least I can't remember a comparable supply chain attack of this sophistication from the top of my head

Tony Hoyle

@uoxc @GossiTheDog Doesn't need to be that sophisticated..

Either (a) developer continues submitting other work whilst compromising at least one project. or (b) the account is in use by two people - the real developer and a hacker.

So the question becomes compromised account or compromised developer.

In the first case it's not that unbelievable that someone who was up to no good would try to cover their tracks by doing other unrelated things.

Bill

@GossiTheDog @fuomag9 @gabrlelle says "THIS IS WHY I HAVE TRUST ISSUES."

🏳️‍🌈🎃🇧🇷Luana🇧🇷🎃🏳️‍🌈 :verified:

@GossiTheDog @fuomag9 Interesting that Debian and other distros already knew about the issue (on embargo) and were already reverting, but Ubuntu didn’t seem to know about it yet from these comments

Also, reading these comments apparently 5.6.0 was already on ubuntu?

Adam :lsio:

@GossiTheDog either that or whatever build infra they're using for the release tarballs has been compromised.

Samantaz Fox

@spad @GossiTheDog No, because one part of the backdoor lies in the version controlled code. Only the trigger is missing from git and present in the tarballs.

⠠⠵ avuko

@SamantazFox @spad @GossiTheDog could be, but I’m not certain. I haven’t dug into this besides some quick reading, but something feels odd to me about the nature of the attack. It is almost like someone took benign code and used it like “gadgets”. Caveat: Just a hunch at this time.

Samantaz Fox

@GossiTheDog That's my concern as well. It's super easy to contribute code and make a good impression, leading to the core maintainers trusting you, and in turn getting enrolled in the core team because everyone is tired. I wonder how many other projects have bad actors in their core team.

Addison

@GossiTheDog@cyberplace.social Even wilder, the original developer may have been a target of a pressure campaign to get them to pass maintenance on to the second individual: https://mastodon.social/@vegard/112181070803627404

see shy jo

@GossiTheDog @wdormann it was included in debian testing and unstable, they've released a fix now

Will Dormann

@GossiTheDog
The lesson to be learned from all of this is...
Threat actors should make sure that their code doesn't throw any Valgrind errors?
😬

Felix :thisisfine: Eckhofer

@wdormann @GossiTheDog ... or slows down user facing interactions

Really just incredible luck that this was found. One has to wonder how many malicious changes are never detected.

stephen

@GossiTheDog
That is an impressive writeup for someone who is "not security researcher, nor a reverse engineer"

Leeloo

@GossiTheDog @wdormann
What is it with Debian and patces that end up being security holes?

OpenSSH, OpenSSL...

Sami Juvonen

@leeloo @GossiTheDog @wdormann Maybe read the announcements before spouting stupid hot takes?

Leeloo

@sjuvonen @GossiTheDog @wdormann
Are you trying to say that I missed something? Then say it, rather that throwing accusations.

As I understand it, Debian took a heavily audited piece of code (OpenSSH), added a patch to use a library from an untrusted source, who then (allegedly deliberately) added a back door.

What am I missing?

Sami Juvonen

@leeloo You’re the one throwing accusations. Explain how Fedora and openSUSE among others using the same libs and being similarly affected is Debian’s fault? Everybody’s doing it because xz is a dependency of systemd.

Clout chasing by pissing on foundational open source projects would probably fly better on LinkedIn.

Leeloo

@sjuvonen
I'm not the one making the decisions at Fedora or SuSE, why (or how) should I explain their decisions?

I'm also not the one claiming Debian added a patch, that was from the post I replied to.

And if systemd really requires non-systemd daemons to link to random compression libraries, systemd is a lot worse than I have ever claimed.

EmberQuill :v_gf:

@leeloo @sjuvonen @GossiTheDog @wdormann

(obligatory "I'm not an expert, but...")

The patch to OpenSSH makes it work with systemd-notify, which comes from a trusted source, which relies on lzma, also from a trusted source, which is used as a vector to load the backdoor from xz (also from a supposedly-trusted-until-now source) into sshd.

The same or similar patch is applied to OpenSSH in most systemd-based distros. It was noticed on Debian but affects pretty much any distro using deb or rpm packages. Other distros patch OpenSSH but the exploit only triggers on deb/rpm distros since most servers use one of the two package formats.

This is a long con, and honestly the only people at fault are the bad actors themselves. Assuming Jia Tan's GitHub identity and pgp key weren't compromised by someone else, this backdoor appears to be the culmination of three years of work.

@leeloo @sjuvonen @GossiTheDog @wdormann

(obligatory "I'm not an expert, but...")

The patch to OpenSSH makes it work with systemd-notify, which comes from a trusted source, which relies on lzma, also from a trusted source, which is used as a vector to load the backdoor from xz (also from a supposedly-trusted-until-now source) into sshd.

Kevin Beaumont

@emberquill @leeloo @sjuvonen @wdormann yep, good take I think based on what we know so far, disclaimer that I am an idiot

In mid 2023 the presumed attacker got OSS Fuzzer to decrease detection on XZ, in 2022 it looks like significant pressure from multiple accounts was used against the then maintainer and creator to hand over the project.

To me it looks like a lot of work went into this over an extended period, and it all got rumbled due to one person being bored and looking into performance.

Raven667

@GossiTheDog @emberquill I am just learning about this same as every one else, but these kinds of attacks seem to be high effort, high risk since its public with a good audit trail and all it takes is one curious soul to say "hmm that's weird" to blow the whole thing up. I don't know if there are other better hidden ops out there, but the ones that are confirmed seem to get detected within days and weeks, rarely months and years, or at least that's the layman's impression I have. Is it worth it?

EmberQuill :v_gf:

@raven667 @GossiTheDog Debian-unstable was vulnerable for a whole month, and the only reason why this exploit was noticed at all was because one person thought their ssh authentication was too slow and started investigating.

It could have easily remained unnoticed for another month or two.

Mathaetaes

@GossiTheDog @emberquill @leeloo @sjuvonen @wdormann once again, some weird nerd’s obsession saves the day.

Weird nerds are the heroes we need, but definitely don’t deserve.

Tony Hoyle

@emberquill @leeloo @sjuvonen @GossiTheDog @wdormann The question that occurs is why does compatibility with systemd-notify require any more than a write to a well known pipe? xz should not be in the picture here. *especially* with something as critical as ssh.

Binary Large Octopus

@GossiTheDog @wdormann Several linux distros have already investigated how they're impacted by this (thanks @mgorny and @VoidLinux). Any takes on this from @almalinux and @alpinelinux?

alys

@GossiTheDog Debian Sid's and testing's liblzma has the backdoor, although it looks like it was reverted already. I don't think any official releases of Debian or Ubuntu had the compromised packaging. metadata.ftp-master.debian.org

Go Up