Kevin Beaumont

Worryingly it looks like the backdoor comes via one of the two main devs and dates back over a month from their GitHub account, with legit commits too - XZ is used in systemd so this one might play out for a while.

34 comments
Ed Maste

@GossiTheDog We're incredibly lucky that it wasn't more sophisticated, or it may have gone unnoticed for a long time.

Alex Haydock

@emaste @GossiTheDog Pretty wild that the implication is that this particular backdoor was only caught because it was coded badly enough to have a significant performance impact. What if it'd been better written, I wonder?

Kevin Beaumont

@alexhaydock @emaste long-lasting backdoor, wouldn't be the first time

Kevin Beaumont

I suspect distros probably want to roll XZ back to around January 2024, stop bundling updates until the developer is removed in GitHub or a logical explanation can be given, and somebody needs to fund a code review of it.

Kevin Beaumont

Here we go: bleepingcomputer.com/news/secu

As I said, the impact here will be very limited due to how quick it was caught. Everybody owes the finder a beer.

Tryst

@GossiTheDog I'm sure the FBI will thank him in their traditional fashion for cyber security saviours

Dan McDonald

@GossiTheDog indeed we do.

This exploit was carefully aimed at Linux using systemd-launched SSH. We non-Linux folks can breathe a hair easier, but who knows what else is going on. Don't panic, but definitely be cautious.

Toasterson

@GossiTheDog That specific dev contributed to wasmtime etc too. So more projects need audits.

Kevin Beaumont

Postgres developer @AndresFreundTec saving Linux security from backdoors as a side-of-desk activity

NosirrahSec 🏴‍☠️

@GossiTheDog @AndresFreundTec

"Oops, I just stopped a massive operation that could have brought down everything under the sun, accidentally." *flexes*

Kevin Beaumont

The person/account on XZ repo also altered the security disclosure policy on that and other repos they author in months prior.

jbaggs

@GossiTheDog That's interesting. So basically removed all of the requests for specific information, and left reporting as: "send us an email or something"?

Kevin Beaumont

@jbaggs yeah. So they changed one to "If you discover a security vulnerability in this project please report it privately. Do not disclose it as a public issue." as an example. Looks like a long game attack.

jbaggs

@GossiTheDog I had just looked at the one on xz. That's definitely worse.

jaark

@GossiTheDog

How long before the numpties begin combining this with their Baltimore bridge cyber conspiracy theories?

Kevin Beaumont

Interesting find by @fuomag9 - the XZ repo person tried getting Ubuntu to update yesterday by filing a bug report bugs.launchpad.net/bugs/205941

Kevin Beaumont

The Twilight zone time - a bug from 2015 comes back around in XZ incident, it appears github.com/google/sanitizers/i

uoxc

@GossiTheDog wait, are we at "implementing features to get plausible deniability for evading vuln scanning?"

Because if so, this feels quite novel. At the very least, I can't remember a comparable supply chain attack of this sophistication off the top of my head.

Tony Hoyle

@uoxc @GossiTheDog Doesn't need to be that sophisticated.

Either (a) the developer continues submitting other work whilst compromising at least one project, or (b) the account is in use by two people: the real developer and a hacker.

So the question becomes compromised account or compromised developer.

In the first case it's not that unbelievable that someone who was up to no good would try to cover their tracks by doing other unrelated things.

Bill

@GossiTheDog @fuomag9 @gabrlelle says "THIS IS WHY I HAVE TRUST ISSUES."

๐Ÿณ๏ธโ€๐ŸŒˆ๐ŸŽƒ๐Ÿ‡ง๐Ÿ‡ทLuana๐Ÿ‡ง๐Ÿ‡ท๐ŸŽƒ๐Ÿณ๏ธโ€๐ŸŒˆ :verified:

@GossiTheDog @fuomag9 Interesting that Debian and other distros already knew about the issue (on embargo) and were already reverting, but Ubuntu didn't seem to know about it yet from these comments.

Also, reading these comments, apparently 5.6.0 was already on Ubuntu?

Adam :lsio:

@GossiTheDog either that or whatever build infra they're using for the release tarballs has been compromised.

Samantaz Fox

@spad @GossiTheDog No, because one part of the backdoor lies in the version controlled code. Only the trigger is missing from git and present in the tarballs.
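
The split described above (part of the backdoor in the git history, the trigger only in the release tarball) is exactly what a tarball-versus-git comparison surfaces. The following is an added example, not code from the thread or from the XZ project: it lists the regular files in a release tarball, strips the `<name>-<version>/` prefix, and reports anything absent from the git-tracked file list, separating normal autotools output from files that warrant a look. The allowlist of generated files, the sample file names and the in-memory tarball are all constructed assumptions for the demo.

```python
import io
import tarfile
from fnmatch import fnmatch

# Files autotools normally adds to a release tarball but that are not in git.
# This allowlist is an assumption for the example, not a published list.
EXPECTED_GENERATED = (
    "configure", "config.h.in", "aclocal.m4", "Makefile.in", "*/Makefile.in",
    "build-aux/*", "m4/libtool.m4", "m4/ltoptions.m4",
)

def tarball_files(data: bytes) -> set[str]:
    """Regular-file paths inside a .tar.gz with the top-level directory stripped."""
    paths = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            # Release tarballs nest everything under "<name>-<version>/".
            _, _, rel = member.name.partition("/")
            if rel:
                paths.add(rel)
    return paths

def tarball_only(tar_paths, git_paths):
    """Split paths in the tarball but not in git into expected/unexpected lists."""
    extra = sorted(set(tar_paths) - set(git_paths))
    expected = [p for p in extra if any(fnmatch(p, pat) for pat in EXPECTED_GENERATED)]
    unexpected = [p for p in extra if p not in expected]
    return expected, unexpected

def make_tarball(prefix, names):
    """Build a constructed in-memory .tar.gz for the demo (not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name in names:
            info = tarfile.TarInfo(f"{prefix}/{name}")
            body = b"placeholder\n"
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

# Constructed sample: git tracks the sources; the tarball additionally ships
# generated build files plus one m4 macro file that git never contained.
GIT_TRACKED = {"src/liblzma/lzma.c", "m4/tuklib_common.m4", "configure.ac", "Makefile.am"}
SAMPLE_TARBALL = make_tarball("example-1.0", sorted(GIT_TRACKED) + ["configure", "Makefile.in", "m4/extra-macro.m4"])

if __name__ == "__main__":
    expected, unexpected = tarball_only(tarball_files(SAMPLE_TARBALL), GIT_TRACKED)
    print("generated as expected:", expected)
    print("INVESTIGATE (in tarball, not in git, not build output):", unexpected)
```

Against a real release you would feed it the downloaded tarball bytes and the output of `git ls-files` at the matching tag; a file in the "unexpected" list is not proof of anything, but it is where a manual diff of the shipped build scripts should start.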

⠠⠵ avuko

@SamantazFox @spad @GossiTheDog could be, but I'm not certain. I haven't dug into this besides some quick reading, but something feels odd to me about the nature of the attack. It is almost like someone took benign code and used it like "gadgets". Caveat: Just a hunch at this time.

Samantaz Fox

@GossiTheDog That's my concern as well. It's super easy to contribute code and make a good impression, leading to the core maintainers trusting you, and in turn getting enrolled in the core team because everyone is tired. I wonder how many other projects have bad actors in their core team.

Addison

@GossiTheDog@cyberplace.social Even wilder, the original developer may have been a target of a pressure campaign to get them to pass maintenance on to the second individual: https://mastodon.social/@vegard/112181070803627404
