93

My mastodon feed is full of IT security specialist talking about the xz affair where someone let a backdoor in some library.

But beside showing the two side of Free/Libre software (anybody can add a backdoor, and anybody can spot it), I have no idea how it impacts the average person. Is it a common library or something used only by specific application ? Would my home-grade router protects me ?

top 37 comments
sorted by: hot top controversial new old
[-] sneakyninjapants@sh.itjust.works 49 points 7 months ago* (last edited 7 months ago)

How does the xz incident impacts the average user ?

It doesn't.

Average person:

  • not running Debian sid, Fedora nightly, ~~Arch~~, OpenSUSE Tumbleweed, or tbh any flavour of Linux. (Arch reportedly unafffected)
  • ssh service not exposed publicly

The malicious code was discovered within ~~a day or two~~ a month of upload iirc and presumably very few people were affected by this. There's more to it but it's technical and not directly relevant to your question.

For the average person it has no practical impact. For those involved with or interested in software supply chain security, it's a big deal.

Edit:
Corrections:

  • OpenSUSE Tumbleweed was affected; Arch received malicious package but due to how it is implemented did not result in compromised SSH service.
  • Affected package was out in the wild for about a month, suggesting many more affected systems before malicious package was discovered and rolled back.
[-] earmuff@lemmy.dbzer0.com 5 points 7 months ago

Not just a day, a full month the backdoor was available. On the Arch Repo, v5.6.0 was uploaded on February 24th. Will be similar to other repos.

[-] SteveTech@programming.dev 2 points 7 months ago

I believe 5.6.0 was in Debian testing for almost a month too.

[-] sneakyninjapants@sh.itjust.works 1 points 7 months ago

Thanks for the correction. A full month is much more problematic.

[-] Cryophilia@lemmy.world 4 points 7 months ago

I don't even understand what anyone in this thread is saying.

That's not an invitation, please don't explain Linux to me.

I'm just saying this means nothing for average people.

[-] hperrin@lemmy.world 8 points 7 months ago* (last edited 7 months ago)

It could have meant a lot to the average person if it wasn’t caught. If this was some adversary, they could have used it to cripple critical infrastructure in the largest cyber attack in history.

Luckily it was caught before this software was rolled out to really anything that should be in prod.

[-] maxprime@lemmy.ml 2 points 7 months ago

Can I explain GUN/Linux to you?

[-] leave_it_blank@lemmy.world 3 points 7 months ago

Isn't that this Windows imitation I sometimes hear about?

(I have a death wish I guess)

But on a serious side: I need an easy to use Linux system next year for my parents who are not very tech savvy. Do you have a recommendation for easy use that feels like Windows? It will only be used for browsing, open office and stuff.

[-] SendMePhotos@lemmy.world 2 points 7 months ago

You can to me. I don't know what gnu is but I know that Linux is a penguin branch of os

[-] Cryophilia@lemmy.world 1 points 7 months ago
[-] qaz@lemmy.world 3 points 7 months ago

You forgot about OpenSUSE Tumbleweed, it also shipped the infected package. I had to update to a newer non-infected version of xz.

[-] sneakyninjapants@sh.itjust.works 2 points 7 months ago

Thanks, SUSE completely slipped my mind

[-] Hawk@lemmynsfw.com 1 points 7 months ago

What about vpn behind WireGuard/OpenVPV?

I would presume no?

[-] neatchee@lemmy.world 22 points 7 months ago

Quick summary:

  • only impacts Debian and Linux distributions that utilize RPM for packages
  • only impacts cases where liblzma is compiled from a tarball, rather than cloned source repository or precompiled binary
  • only impacts x64 architecture
  • introduced in liblzma 5.6.0 which was released in late February so only impacts installs receiving updates to liblzma since then

liblzma is a library for the lzma compression format. Loosely, this means it's used by various other pieces of software that need this type of compression, rather than being an application itself.

It is very widely used. It comes installed on most major Linux distributions and is used by software like openssh, one of the standard remote connection packages.

However, since it was only in the tarball, you wouldn't see it widely until debian, fedora, et al release a new version that includes the latest liblzma updates. This version hadn't been added to any of the stable release channels yet, so the typical user wouldn't have gotten it yet.

I believe this would have gone out in debian 12.6 next week, and the attacker was actively petitioning fedora maintainers to get it added to fedora 40 & 41

The interesting thing about this situation was how much effort the attacker put in to gain trust just to get to the point where they could do this, and how targeted the vulnerability seems to have been. They tried very hard to reduce the likelihood of being caught by only hitting a limited set of configurations

[-] Jimmycrackcrack@lemmy.ml 1 points 7 months ago

I'm still confused exactly what the circumstances would be where this worked as the attacker intended. Would simply having the infected liblzma version on the system create the vulnerability or does something have to happen to invoke it and then what? What's he chain of events that would have happened had this worked perfectly and gone undetected? I tried to read some of the more detailed analysis but the stuff went way over my head.

Also, what about Mac OS? Can the package create any vulnerability there if installed via homebrew as it's reported to have done in some cases? Or is that environment also not right for it to work?

[-] neatchee@lemmy.world 3 points 7 months ago* (last edited 7 months ago)

Here's how it was intended to work:

  • debian, fedora, or another RPM-based distribution updates references to liblzma to 5.6.x in their latest release
  • the package repository is updated (usually through automation) by getting the infected tarball and compiling it into an RPM or DEB which is added to the repo
  • if the package is built using glibc and the gnu linker, and for a system that uses systemd, the exploit is enabled during compilation of the x86-64 version of the package; otherwise the result is normal
  • when an application is installed that depends on liblzma, possibly during OS installation itself, the infected RPM/DEB package from the package repository is downloaded and installed (assuming the system matches the requirements above)
  • in this particular case, OpenSSH was the primary target; if the attacker wanted to, it could have targeted any web-facing service that uses liblzma such as OpenSSL + Apache/nginx, etc
  • when the OpenSSH server is started on an infected system, it loads the infected liblzma binary
  • the attacker starts an SSH connection to the infected server, having already known about the server or by scanning the internet for visible ssh servers
  • during creation of the SSH connection, the user has the option of trying to sign in using an RSA key. The attacker uses a specially formed RSA key only available to the attacker that also contains a chunk of code (the "payload") that they want executed on the server
  • liblzma is utilized to compress data in transit; when the infected liblzma decompresses the RSA key on the server, the exploit recognizes the attacker's special RSA key and executes the payload on the host system. Otherwise, the ssh session continues as normal

This would not impact MacOS because you couldnt install the infected package, since it is only ever built for debian or RPM-based systems running systemd, using glibc and the gnu linker, and for x86-64. Unless I'm misunderstanding something, there is no way to get the compiled binaries that are infected to work on a MacOS system

Additionally, I should note that I'm not exactly an expert on this stuff; I'm just in the security space and have been reading about this as it happens, so it's possible there are errors in my understanding. But that should at least give you the gist of the attack

[-] NeatNit@discuss.tchncs.de 1 points 7 months ago

Thank you! I believe this is what the OP was asking, and it's definitely what I wanted to know :)

Do we know what the payload is?

[-] neatchee@lemmy.world 1 points 7 months ago* (last edited 7 months ago)

Arbitrary. It could be whatever they wanted at any time. This was a full on remote code execution (RCE) exploit. And baking it into an RSA key is pretty novel

And you're welcome :)

[-] lordnikon@lemmy.world 18 points 7 months ago

only someone running arch or debian sid or an bleeding edge rolling release on an internet exposed ssh port. the idea of that configuration would sound ludicrous. even so we should be building off git repos not tar balls.

the weird part this situation has made me feel safer. the amount of work that went into social engineering this and it only lasted a month tops for people that run distros that would just not be or should not be used as an exposed server ever.

it shows open source works. This is more embarrassing than anything and we deserve it. We need to pay core library devs and have a mechanism that core libraries can be handed off to a trusted org.while another upstream maintainer can be found or the project shut down and other projects move away from the un maintained project. When the person maintaining the project gets burned out or has other issues.

[-] Glitchington@lemmy.world 10 points 7 months ago

From the archlinux.org news post on the issue.

Arch does not directly link openssh to liblzma, and thus this attack vector is not possible.

[-] lordnikon@lemmy.world 2 points 7 months ago

oh 100% i was just taking in general of upstream bleeding edge distro being vulnerable to this kind of upstream attack not specific to xz

[-] vrighter@discuss.tchncs.de 2 points 7 months ago

why does everyone keep mentioning arch?

[-] sploosh@lemmy.world 4 points 7 months ago

Because Arch was one of the distros that distributed the backdoored xz package, though they claim no vulnerability to due to their implementation.

[-] vrighter@discuss.tchncs.de 1 points 7 months ago

so.... they didn't distribute the backdoored package did they?

[-] Deestan@lemmy.world 17 points 7 months ago

For exploits like this, most of the risk is in services you use. Websites, power company customer database, etc. are at risk of customer data dumps leaking.

Be extra alert for targeted scams and phishing, i.e. Phil from HBO Max customer department calling and asking to correct your payment details and he sounds very convincing because he knows your username, viewing history, etc.

And be extra fast with installing any security updates on all your stuff.

[-] slazer2au@lemmy.world 15 points 7 months ago

The average user? Likely doesn't. the package is for Linux, so that removes any windows users.

The version was only on "bleeding edge" releases, so if you are on a lts release you will likely be ok.

[-] abbadon420@lemm.ee 4 points 7 months ago
[-] hemko@lemmy.dbzer0.com 7 points 7 months ago* (last edited 7 months ago)

16.04 is LTS. 16.10 hasn't been updated or supported for 6 years

[-] person@lemm.ee 6 points 7 months ago

So it's safe! No new malware in there!

[-] hemko@lemmy.dbzer0.com 3 points 7 months ago

Also no advertising in apt output!

[-] homura1650@lemm.ee 8 points 7 months ago

I'm one of those security specialists (although not on mastodon). To be clear, if a vulnerable version of libxz were included in a distribution that we actually use; this would be an all hands on deck, drop everything until it is fixed emergency.

Having said that, for an average user, it probably doesn't matter. First, many users just don't have the vulnerable version installed. All things considered, it was found very quickly; so only rolling release distros would have it. Additionally, it appears that only .deb or .rpm based distributions would have it. Not because they are particularly vulnerable, the attack explicitly tests for it.

However, lets set all of this asside and assume a typical use is running a vulnerable system. In my assessment, the risk to them is still quite low. With most vulnerabilities, the hard part is discovering it. Once that happens, the barrier to exploiting it is relatively low, so you get a bunch of unrelated hackers trying to exploit any system they can find. This case is different; exploiting it requires the attackers private key. Even though the attack is now widely known, there is still only 1 organization capable of using it.

Further, this attack was sophisticated. I'm not going to go as far as others in saying that only a state actor could do it. However, it is hard to think of anyone other than a state actor who would do it. Maybe a group of college kids doing it for the ~~lolz~~ research? But, if the motivation us lolz, I don't see them pivoting to do anything damaging with it. And even if they wanted to, there would still only be a handful of them. In short, this is one of those cases where obscurity works. Whoever did this attack does not know or care about Joe the Linux user; and they were probably never going to risk burning it by exploiting it on a large scale.

However, setting all of that asside, suppose you were using vulnerable software, and someone with the private key is interested in your home system. First, you would need to be running OpenSSH on a remotely accessible interface. [0]. Second, you would need your firewall to allow remote SSH traffic. Third, you would need your router to have port forwarding enabled; and explicitly configured to forward traffic to your OpenSSH server [1].

If all of that happens; then yes, you would be at risk.

[0] Even though the attack itself is in the libxz library, it appears to specifically target OpenSSH.

[1] Or, the attacker would need some other mechanism to get on the same network as you.

[-] Treczoks@lemmy.world 3 points 7 months ago

I don't even have xz installed on my machine. Could anyone clue me in for what it is normally used?

[-] person@lemm.ee 7 points 7 months ago* (last edited 7 months ago)

It's a library/tool for a specific type of compression. You may have seen .tar.xz files.

this post was submitted on 31 Mar 2024
93 points (97.9% liked)

No Stupid Questions

35764 readers
525 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS