Email or username:

Password:

Forgot your password?
Kevin's posts Post Back to profile
Top-level
EmberQuill :v_gf:

@leeloo @sjuvonen @GossiTheDog @wdormann

(obligatory "I'm not an expert, but...")

The patch to OpenSSH makes it work with systemd-notify, which comes from a trusted source, which relies on lzma, also from a trusted source, which is used as a vector to load the backdoor from xz (also from a supposedly-trusted-until-now source) into sshd.

The same or similar patch is applied to OpenSSH in most systemd-based distros. It was noticed on Debian but affects pretty much any distro using deb or rpm packages. Other distros patch OpenSSH but the exploit only triggers on deb/rpm distros since most servers use one of the two package formats.

This is a long con, and honestly the only people at fault are the bad actors themselves. Assuming Jia Tan's GitHub identity and pgp key weren't compromised by someone else, this backdoor appears to be the culmination of three years of work.

30 March at 0:06 | Wall-to-wall | Open on tech.lgbt
5 comments
Kevin Beaumont

@emberquill @leeloo @sjuvonen @wdormann yep, good take I think based on what we know so far, disclaimer that I am an idiot

In mid 2023 the presumed attacker got OSS Fuzzer to decrease detection on XZ, in 2022 it looks like significant pressure from multiple accounts was used against the then maintainer and creator to hand over the project.

To me it looks like a lot of work went into this over an extended period, and it all got rumbled due to one person being bored and looking into performance.

30 March at 0:14 | Open on cyberplace.social
Raven667

@GossiTheDog @emberquill I am just learning about this same as every one else, but these kinds of attacks seem to be high effort, high risk since its public with a good audit trail and all it takes is one curious soul to say "hmm that's weird" to blow the whole thing up. I don't know if there are other better hidden ops out there, but the ones that are confirmed seem to get detected within days and weeks, rarely months and years, or at least that's the layman's impression I have. Is it worth it?

30 March at 0:32 | Open on hachyderm.io
EmberQuill :v_gf:

@raven667 @GossiTheDog Debian-unstable was vulnerable for a whole month, and the only reason why this exploit was noticed at all was because one person thought their ssh authentication was too slow and started investigating.

It could have easily remained unnoticed for another month or two.

30 March at 0:47 | Open on tech.lgbt
Mathaetaes

@GossiTheDog @emberquill @leeloo @sjuvonen @wdormann once again, some weird nerd’s obsession saves the day.

Weird nerds are the heroes we need, but definitely don’t deserve.

30 March at 1:26 | Open on infosec.exchange
Tony Hoyle

@emberquill @leeloo @sjuvonen @GossiTheDog @wdormann The question that occurs is why does compatibility with systemd-notify require any more than a write to a well known pipe? xz should not be in the picture here. *especially* with something as critical as ssh.

30 March at 0:17 | Open on toot.hoyle.me.uk
Go Up