[kwlug-disc] Fw: Backdoor found in widely used Linux utility

Mikalai Birukou mb at 3nsoft.com
Sat Mar 30 09:50:20 EDT 2024


>> see his git repo here --
>> https://github.com/JiaT75
>>
>> Sheesh, a long-time trusted dev succumbing to the dark side?
>
> Not really, he(?) seems to have ingratiated himself with the beleaguered
> maintainer of xz, perhaps with a couple of sock puppets (people with
> Scandinavian and Indian(?) names).
>
> After some seemingly innocuous commits, one sock puppet pushed for a new
> maintainer to xz, which JiaT75 became, then another sock puppet pushed
> the Debian maintainers to incorporate these great new xz features into
> their repos. Then disappeared.
>
> This backdoor was only caught because someone happened to be testing
> performance on his machine, and he noticed failed ssh connections were
> taking too long (a mere ½ second).
>
> Some profiling indicated a lot of that time was spent in lzma, so he
> poked around some more and ...
>
> That guy saved the world from another HeartBleed + an OSS SolarWinds
> supply chain attack that would've compromised sshd on almost all Linux
> systems worldwide.
>
> Holy shit, we dodged a bullet there.
>
> This was an extremely crafty attack that seems to have been building
> over the course of a couple of years.

Description from https://security-tracker.debian.org/tracker/CVE-2024-3094 :

"""

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

"""

... <complex> build process extracts a prebuilt object file from a disguised test file ...

Hiding behind complexity within CI/CD. Hence, impenetrable complexity that needs to run only in one place, and is already running, is still technical debt that should be cleared up, at least for security reasons.

> This did not require users to have xz invoked, nor even installed. The
> Linux kernel uses it for squashfs.
>
> Debian and Fedora at least began the process to incorporate this.
>
> The brew package manager for Macs actually did push it out, then rolled
> it back.
>
> Kali Linux was distributing infected ISOs for a few days.
>
> Major malware attack averted - barely.
>
> rb

Thank you for this overview.
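Added example, not from this thread or the xz project: a heuristic audit for the pattern the Debian description names (a build that unpacks a prebuilt object out of a disguised "test file"). It lists binary files in a source tree and reports those whose basename appears in autotools-style build inputs; the sample tree, file names and contents are constructed for the demo.

```python
"""Heuristic audit: a blob that the build unpacks into the library must be
named somewhere in the build inputs, so cross-checking binary files against
configure/m4/Makefile sources narrows what a reviewer has to read.
Added example for this thread; the sample tree is constructed, not xz's."""
import os
import re
import tempfile

# Build inputs worth scanning (assumption: autotools-style project layout).
BUILD_INPUT_RE = re.compile(r"(configure(\.ac)?|Makefile(\.am|\.in)?|.*\.m4)$")

def is_binary(path, probe=8192):
    """Cheap heuristic: a NUL byte in the first 8 KiB means 'not text'."""
    with open(path, "rb") as f:
        return b"\x00" in f.read(probe)

def binaries_referenced_by_build(root):
    """Return sorted (binary, build_input) relative-path pairs where the
    build input mentions the binary's basename (basenames assumed unique)."""
    binaries, scripts = {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if BUILD_INPUT_RE.match(name):
                scripts.append(p)
            elif is_binary(p):
                binaries[name] = os.path.relpath(p, root)
    hits = set()
    for script in scripts:
        with open(script, errors="replace") as f:
            text = f.read()
        for name, rel in binaries.items():
            if name in text:
                hits.add((rel, os.path.relpath(script, root)))
    return sorted(hits)

def run_demo():
    """Constructed tree: two opaque 'test files', one of which a Makefile
    input quietly feeds into the build. Only that one should be reported."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tests", "files"))
    files = {
        "tests/files/sample-a.bin": b"\x00\x01constructed blob",
        "tests/files/sample-b.bin": b"\x00\x02constructed blob",
        "Makefile.am": b"all:\n\ttr -d '\\0' < tests/files/sample-a.bin >> lib.o\n",
        "tests/README": b"sample-b.bin is only used by the test suite\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return binaries_referenced_by_build(root)

if __name__ == "__main__":
    print(run_demo())  # [('tests/files/sample-a.bin', 'Makefile.am')]
```

A hit is a reading assignment, not a verdict: legitimate test fixtures are also named in Makefiles, so the point is to make every such reference something a reviewer consciously accepts.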