this post was submitted on 29 Mar 2024
179 points (99.4% liked)

Free and Open Source Software

19171 readers
108 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
[email protected]
[email protected]
179
A backdoor in xz (current versions are impacted) (lwn.net)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
16 comments fedilink hide all child comments
 

TL;DR: Update immediately, especially if SSH is enabled. xz versions 5.6.0 & 5.6.1 are impacted. The article contains links to each distro's specific instructions of what to do.

https://news.opensuse.org/2024/03/29/xz-backdoor/

Current research indicates that the backdoor is active in the SSH Daemon, allowing malicious actors to access systems where SSH is exposed to the internet.

In summary, the conditions for exploitation seem to be:

  • xz version 5.6.0 or 5.6.1
  • SSH with a patch that causes xz to be loaded
  • SSH daemon enabled

Impact on distros

  • Arch Linux: Backdoor was present, but shouldn't be able to activate. Updating is still strongly recommended.

  • Debian: Testing, Unstable, and Experimental are affected (update to xz-utils version 5.6.1+really5.4.5-1). Stable is not affected.

  • Fedora: 41 is affected and should not be used. Fedora 40 may be affected (check the version of xz). Fedora 39 is not affected.

  • FreeBSD: Not affected.

  • Kali: Affected.

  • NixOS: NixOS unstable has the backdoor, but it should not be able to activate. NixOS stable is not affected.

  • OpenSUSE: Tumbleweed and MicroOS are affected. Update to liblzma5 version 5.6.1.revertto5.4. Leap is not affected.

CVE-2024-3094

top 16 comments
sorted by: hot top controversial new old
[–] [email protected] 25 points 1 year ago* (last edited 1 year ago) (1 children)

FYI: if you run freebsd you are not affected: https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

Took me a while to find out so I thought I’d share.

[–] [email protected] 5 points 1 year ago

Thanks, edited this into the post (along with the distros listed by LWN)

[–] [email protected] 14 points 1 year ago (1 children)

The story about this backdoor is really wild if it's true https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago)

That’s what all of the analysis is pointing to.

Since the analysis is not complete, the other thing people need to remember is that nobody knows if ssh was the only target or just the only one that was noticed. A ton of stuff uses lzma, including web browsers and password safes.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (3 children)

Why ssh? Does ssh use xz?

[–] [email protected] 14 points 1 year ago

Ssh uses systemd and systemd uses lzma (xz)

[–] [email protected] 12 points 1 year ago

Not directly, but it's often integrated with systemd which does.

What may not be clear is the connection to SSH. And it’s a trip. Many Linux distros patch sshd to add systemd features, and libsystemd pulls the liblzma library. That means the liblzma initialization code gets run when sshd starts.

https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/

[–] outbound 4 points 1 year ago

Yes. ssh's RSA encryption uses liblzm.

[–] [email protected] 6 points 1 year ago (1 children)

This analysis has some technical information on how it injects itself, conditionally, into deb and rpm from src tar.

[–] [email protected] 3 points 1 year ago

Holy c... that's quite a writeup, and what a rat's nest of an exploit. A long time ago, I used to know some reverse engineering, then I got an eval $zrKcTy to the got.plt.

Wonder what it turns out to have been doing.

[–] [email protected] 6 points 1 year ago (1 children)

Im new to Linux does this include linux mint since it is based on Debian?

[–] [email protected] 11 points 1 year ago (2 children)

Likely not since most of these are dev or experimental of the latest version.

Check xz --version

If you're not on the two listed above you're fine.

[–] [email protected] 8 points 1 year ago

As far as I can tell running xz directly should be fine, but for the extra paranoid check the version of the xz-utils package. If it is safe, it will be either less than 5.6.0, or it should be 5.6.1+really5.4.5-1 (xz 5.4.5 with a spoof version number to ensure compromised systems get the update).

[–] [email protected] 3 points 1 year ago

awesome thanks I did (xz --version) to check and it is using an unaffected version.

[–] [email protected] 3 points 1 year ago

Void Linux is not affected too, they reversed to 5.4.X series the time this was published and it doesn't use systemd neither patch openssh to use liblzma. https://github.com/void-linux/void-packages/discussions/49614

[–] [email protected] 1 points 1 year ago

WSL2 2.1.5:

  • (system) CBL-Mariner / Azure Linux: xz-libs 5.2.5-1.cm2
  • Ubuntu 22.04.4 LTS: xz-utils 5.2.5-2ubuntu1
  • Kali (rolling): Same fix as for Debian Testing (update to xz-utils version 5.6.1+really5.4.5-1)