CISA advisory: Reported Supply Chain Compromise Affecting...

All posts Kevin's posts Post Back to profile

CISA advisory: Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

Like 29 March at 21:10 | Open on cyberplace.social

15 comments

Kevin Beaumont

The person/account on XZ repo also altered the security disclosure policy on that and other repos they author in months prior.

29 March at 21:20 | Open on cyberplace.social

David Penfold :verified:

@GossiTheDog Other repos? 🤔😳

29 March at 21:24 | Open on infosec.exchange

jbaggs

@GossiTheDog That's interesting. So basically removed all of the requests for specific information, and left reporting as: "send us an email or something"?

29 March at 21:31 | Open on infosec.exchange

Kevin Beaumont

@jbaggs yeah. So they changed one to “If you discover a security vulnerability in this project please report it privately. Do not disclose it as a public issue.” as an example. Looks like a long game attack.

29 March at 21:34 | Open on cyberplace.social

jbaggs

@GossiTheDog I had just looked at the one on xz. That's definitely worse.

29 March at 21:36 | Open on infosec.exchange

fuomag9

@GossiTheDog @jbaggs bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417 this is also interesting, they signed up yesterday on ubuntu

29 March at 22:49 | Open on lime.fuo.fi

jaark

@GossiTheDog

How long before the numpties begin combining this with their Baltimore bridge cyber conspiracy theories?

29 March at 21:34 | Open on infosec.exchange

Ben Aveling

@GossiTheDog @jaark please don’t give them ideas.

29 March at 21:48 | Open on infosec.exchange

Kevin Beaumont

Interesting find by @fuomag9 - the XZ repo person tried getting Ubuntu to update yesterday by filing a bug report https://bugs.launchpad.net/bugs/2059417

29 March at 22:59 | Open on cyberplace.social

fuomag9

@GossiTheDog

This may be even worse... #xz #supplychain #cybersec

learn.microsoft.com/en-US/cpp/overview/whats-new-cpp-docs?view=msvc-170#community-contributors

29 March at 23:08 | Open on lime.fuo.fi

Kevin Beaumont

The Twilight zone time - a bug from 2015 comes back around in XZ incident, it appears https://github.com/google/sanitizers/issues/342

29 March at 23:27 | Open on cyberplace.social

uoxc

@GossiTheDog wait, are we at "implementing features to get plausible deniability for evading vuln scanning?"

Because if so this feels quite novel. At the very least I can't remember a comparable supply chain attack of this sophistication from the top of my head

29 March at 23:43 | Open on infosec.exchange

Tony Hoyle

@uoxc @GossiTheDog Doesn't need to be that sophisticated..

Either (a) developer continues submitting other work whilst compromising at least one project. or (b) the account is in use by two people - the real developer and a hacker.

So the question becomes compromised account or compromised developer.

In the first case it's not that unbelievable that someone who was up to no good would try to cover their tracks by doing other unrelated things.

29 March at 23:57 | Open on toot.hoyle.me.uk

Bill

@GossiTheDog @fuomag9 @gabrlelle says "THIS IS WHY I HAVE TRUST ISSUES."

30 March at 0:08 | Open on infosec.exchange

🏳️‍🌈🎃🇧🇷Luana🇧🇷🎃🏳️‍🌈 :verified:

@GossiTheDog @fuomag9 Interesting that Debian and other distros already knew about the issue (on embargo) and were already reverting, but Ubuntu didn’t seem to know about it yet from these comments

Also, reading these comments apparently 5.6.0 was already on ubuntu?

30 March at 1:27 | Open on tech.lgbt