Anonymous ID: caa731 April 5, 2024, 11:12 p.m. No.20686297

XZ Utils backdoor hack Caught

You know those memes about how the backbone of the entire internet rests on some obscure piece of code maintained by some saintly volunteer somewhere? A few days ago on March 29, some news dropped that set the entire cybersecurity world on fire.

The obscure piece of code is called XZ Utils, and the guy maintaining it had been doing it for free for the past 15 years. And when he was finally burning out and looking for people to help him take over the maintenance of that code, he became the victim of a two-and-a-half-year con to gain his trust and use it to install a backdoor, which would allow someone with the right key to break into every single Linux server on the entire internet, period.

And it almost worked. But it was caught by a Microsoft engineer off the clock who noticed a 500ms delay, dug into it, and discovered the vulnerability.


We just came THIS close to having every single server on the internet get compromised.

Nobody panic, everything's fine. Nothing bad happened, no need to think about how it almost did 🔥🏠🔥

Sauce: https://en.wikipedia.org/wiki/XZ_Utils

On 29 March 2024, software developer Andres Freund announced that he had found a maliciously introduced backdoor in XZ Utils, impacting versions 5.6.0 and 5.6.1. Compressed test files had been added to the code for setting up the backdoor via additions to the configure script in the tar files. He started his investigation because sshd was using a high amount of CPU. The vulnerability received a Common Vulnerability Scoring System (CVSS) score of 10 (the highest).[11]


Sauce Origin: A backdoor in xz [Posted March 29, 2024 by corbet]

https://lwn.net/Articles/967180/

Andres Freund has posted a detailed investigation into a backdoor that was shipped with versions 5.6.0 and 5.6.1 of the xz compression utility. It appears that the malicious code may be aimed at allowing SSH authentication to be bypassed.

I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access. Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution.

The affected versions are not yet widely shipped, but checking systems for the bad version would be a good idea.


Update: there are advisories out now from Arch, Debian, Red Hat, and openSUSE.


A further update from openSUSE:


For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited. Due to the sophisticated nature of the backdoor an on-system detection of a breach is likely not possible. Also rotation of any credentials that could have been fetched from the system is highly recommended.
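The LWN text quoted above says "checking systems for the bad version would be a good idea" but gives no command for it. Below is an added example of that check, written here for this page and not taken from the post, LWN, Wikipedia or the XZ Utils project. It assumes only what the quoted text states: the backdoored releases are 5.6.0 and 5.6.1, and `xz --version` prints a line of the form `xz (XZ Utils) <version>`. The function names and the sample output string are constructed for the example.

```shell
#!/bin/sh
# Added example: flag an installed xz whose version is one of the two
# backdoored releases (5.6.0 and 5.6.1) named in the advisories quoted above.
# Function names and sample strings are this example's own, not the project's.

# Return 0 (true) when the given version string is a known-bad release.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Echo "affected" or "ok" for a version string; always returns 0 so that
# callers running under "set -e" are not aborted by a negative result.
classify_xz_version() {
    if is_affected_xz_version "$1"; then
        echo "affected"
    else
        echo "ok"
    fi
    return 0
}

# Pull the dotted version number out of "xz --version" output. The first
# line of that output looks like "xz (XZ Utils) 5.4.6"; the sed expression
# keeps the first x.y.z number on that line and discards everything else.
xz_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n '1s/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Live check against the xz binary on PATH. Prints a verdict line and
# always returns 0; the verdict text is the result, not the exit status.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed on this host"
        return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "xz: could not parse version from 'xz --version' output"
        return 0
    fi
    echo "xz $ver: $(classify_xz_version "$ver")"
    return 0
}

# Constructed sample output, in the shape "xz --version" prints, to show the
# parser and classifier on a backdoored release without needing that binary.
SAMPLE_OUTPUT=$(printf 'xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n')
echo "sample: xz $(xz_version_from_output "$SAMPLE_OUTPUT"): $(classify_xz_version "$(xz_version_from_output "$SAMPLE_OUTPUT")")"

# Then check whatever xz this host actually has.
check_installed_xz
```

A version match is a package-inventory check, not a compromise check: as the openSUSE note above says, an on-system detection of an actual breach is likely not possible, so a host that reports `affected` should be treated per that advice (reinstall, rotate credentials) rather than just upgraded in place.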