{"id":33645,"date":"2024-03-30T10:47:44","date_gmt":"2024-03-30T09:47:44","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=33645"},"modified":"2024-03-30T10:47:44","modified_gmt":"2024-03-30T09:47:44","slug":"linux-backdoor-in-upstream-xz-liblzma-compromise-of-ssh-servers","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/03\/30\/linux-backdoor-in-upstream-xz-liblzma-compromise-of-ssh-servers\/","title":{"rendered":"Linux: Backdoor in upstream xz\/liblzma; compromise of SSH servers"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Sicherheit (Pexels, allgemeine Nutzung)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" alt=\"Sicherheit (Pexels, allgemeine Nutzung)\" width=\"200\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/03\/30\/linux-backdoor-in-upstream-xz-liblzma-kompromittierung-der-ssh-server\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]As of Friday, March 29, 2024, Red Hat has published a warning. The latest versions of the \"xz\" tools and libraries contain malicious code, a backdoor, which is apparently intended to allow unauthorized access. Affected by the backdoor (vulnerability CVE-2024-3094) are versions 5.6.0 and 5.6.1 of the libraries. It affects various Linux users and also OpenSSH.<\/p>\n<p><!--more--><\/p>\n<h2>Accidental discovery<\/h2>\n<p>A German blog reader pointed out the Openwall post <a href=\"https:\/\/openwall.com\/lists\/oss-security\/2024\/03\/29\/4\" target=\"_blank\" rel=\"noopener\">backdoor in upstream xz\/liblzma leading to ssh server compromise<\/a> (thanks for that). 
Microsoft developer Andres Freund had noticed some strange symptoms around liblzma (part of the xz package) on Debian sid installations in the preceding weeks: his logins via ssh required a lot of CPU time, there were <em>valgrind<\/em> errors, etc.<\/p>\n<p>He then looked into the matter and found the reason: the upstream xz repository (also used by ssh) and the xz tarballs were backdoored. At first he suspected that the Debian package had been compromised, but discovered that the backdoor is contained in the upstream package. The discoverer describes some details in his post.<\/p>\n<p>Since then, the Linux world has been in an uproar, as it affects various products (tarballs, ssh) in various Linux distributions. Someone on X has already sent me <a href=\"https:\/\/twitter.com\/phoronix\/status\/1773889039537521090\" target=\"_blank\" rel=\"noopener\">the information<\/a> that GitHub has suspended the XZ repository after the disclosure of the backdoor &#8211; but notes that the GitHub platform has been \"nothing but garbage\" since the takeover by Microsoft.<\/p>\n<p>German blog reader Norddeutsch has summarized it in the discussion section of the blog: \"XZ backdoor makes further waves. For the backdoor, manipulation of Google's oss-fuzz via a fake request was attempted to prevent detection. HackerNews discusses it, further reviews exist. A good analysis of the issue can be found on <a href=\"https:\/\/gist.github.com\/thesamesam\/223949d5a074ebc3dce9ee78baad9e27\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>, the manipulation via oss-fuzz can be found <a href=\"https:\/\/github.com\/google\/oss-fuzz\/pull\/10667\" target=\"_blank\" rel=\"noopener\">on Github\/Google<\/a>.\" 
There is a <a href=\"https:\/\/news.ycombinator.com\/item?id=39865810\" target=\"_blank\" rel=\"noopener\">thread about it<\/a> on HackerNews.<\/p>\n<h2>Warning from Red Hat<\/h2>\n<p>On Friday, March 29, 2024, Red Hat issued a <a href=\"https:\/\/access.redhat.com\/security\/cve\/CVE-2024-3094\" target=\"_blank\" rel=\"noopener\">warning<\/a> that the latest versions of the \"xz\" tools and libraries contain malicious code, a backdoor that appears to be designed to allow unauthorized access. It states:<\/p>\n<blockquote><p>Malicious code has been discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a pre-built object file from a disguised test file in the source code, which is then used to modify certain functions in the liblzma code. The result is a modified liblzma library that can be used by any software that is linked against this library and that intercepts and modifies the data interaction with this library.<\/p><\/blockquote>\n<p>Affected by the backdoor (<a href=\"https:\/\/access.redhat.com\/security\/cve\/CVE-2024-3094\">CVE-2024-3094<\/a>, CVSS score 10.0) are versions 5.6.0 and 5.6.1 of the libraries. Red Hat states that current investigations show that the packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat Community ecosystem; no versions of Red Hat Enterprise Linux (RHEL) are affected. The Register writes <a href=\"https:\/\/www.theregister.com\/2024\/03\/29\/malicious_backdoor_xz\/\" target=\"_blank\" rel=\"noopener\">here<\/a> that certain Fedora 40 systems may also have received the update.<\/p>\n<p>In any case, the use of Fedora Rawhide instances should be discontinued immediately. Other Linux distributions are also likely to be affected by these xz tools and libraries.<\/p>\n<p>It seems, however, that in many cases things turned out well &#8211; presumably only \"unstable\" distributions were affected. 
The Internet Storm Center writes in <a href=\"https:\/\/twitter.com\/sans_isc\/status\/1773790125035499624\" target=\"_blank\" rel=\"noopener\">this tweet<\/a>:<\/p>\n<blockquote><p>A quick note about xz-utils backdoor:<br \/>\n1 &#8211; luckily, this was caught early.<br \/>\n2 &#8211; most run xz-utils 5.2\/5.4. 5.6 is bad.<br \/>\n3 &#8211; quick check: `xz -V`<br \/>\n4 &#8211; Thanks to people who paid attention<\/p><\/blockquote>\n<p>So the backdoor was discovered before it was in widespread use. Fedora Rawhide \/ Fedora Linux 40 \/ openSUSE Tumbleweed may be affected. You can test it with the command mentioned above under 3, which displays the version.<\/p>\n<p>The discussions in <a href=\"https:\/\/news.ycombinator.com\/item?id=39865810\" target=\"_blank\" rel=\"noopener\">this thread<\/a> shed some more light on how the backdoor could get into the code. The colleagues from Bleeping Computer have also compiled some information on this here.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]As of Friday, March 29, 2024, Red Hat has published a warning. The latest versions of the \"xz\" tools and libraries contain malicious code, a backdoor, which is apparently intended to allow unauthorized access. 
Affected by the backdoor (vulnerability CVE-2024-3094) &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/03\/30\/linux-backdoor-in-upstream-xz-liblzma-compromise-of-ssh-servers\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,921,580,1547],"tags":[637,69,1544],"class_list":["post-33645","post","type-post","status-publish","format-standard","hentry","category-issue","category-linux","category-security","category-software","tag-linux","tag-security","tag-software"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33645","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=33645"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33645\/revisions"}],"predecessor-version":[{"id":33646,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33645\/revisions\/33646"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=33645"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=33645"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=33645"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}