The upstream xz repository and the xz tarballs have been backdoored

Just finished the upgrade. 2098 packages! Reboot. System came back up without hiccups.

Hats off to openSUSE!


:rofl: :rofl: :rofl:


core-testing/xz 5.6.1-2 5.6.1-3 0.00 MiB 0.64 MiB

:ghost:


Your link had about two dozen more links and I read almost all of them. The banter thread was also amusing :)
The “what is payload?” part remains ominous:
" * The payload is loaded into sshd indirectly. sshd is often patched to support systemd-notify so that other services can start when sshd is running. liblzma is loaded because it’s depended on by other parts of libsystemd. This is not the fault of systemd, this is more unfortunate. The patch that most distributions use is available here: openssh/openssh-portable#375.

  • Filippo Valsorda has shared analysis indicating that the attacker must supply a key which is verified by the payload and then attacker input is passed to system(), giving remote code execution (RCE)…

……We don’t know what the payload is intended to do. We are investigating."

Emphasis mine. Sounds like the crime of the century already; at least in the Linux world.


My greatest thought/worry is that this is just something they wanted us to find. Like a magician, we spend a lot of time watching the hand doing something, analyzing it, focused, and the other hand is where the nefarious things are happening.

If this is a state-sponsored attack or a group, I am very nervous about the things we aren’t looking at currently/yet. What if this is the decoy hand at play?

I’m very proud of a lot of folks who are working very diligently at scanning/reading/combing through code for the rest of us. Thank you for doing something I don’t know how to do. Please don’t forget to look away from where everyone else is during this. Good luck Linux at large.

:beers:


Finally, Kenny made a video about it:


JIA CHEONG TAN
CIA JHEONG TAN
CIA JHON EGTAN
CIA JOHN AGENT
CIA AGENT JOHN
Case closed

Someone in the GitHub discussion solved it already. Wrap it up, folks, we’re done here.


When checking pacman/yay it says that I have installed xz 5.6.1-2. The same when running pacman/yay -Qi xz. I have also pruned all older versions. However, when running xz -V it says

xz (XZ Utils) 5.6.1
liblzma 5.6.1

Is there something I am missing here?

Yes. The version number reported by pacman -Qi xz consists of two parts, the upstream version and the version of the build in the Arch repos, separated with the dash. The number after the dash is a version of the package build added by the Arch maintainers. It’s not part of the upstream version of the software. There was no upstream update to xz, the package was merely rebuilt for the repos.

Probably a stupid question, but does that mean that I am running 5.6.2 then?

No, it means you’re running 5.6.1, which is the latest upstream version. And the package version is 5.6.1-2, which is the latest version in the stable repos, 5.6.1-3 is in testing. You’re up to date.

There is no 5.6.2.

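Two checks come up in this thread: reading a pacman version such as 5.6.1-2 correctly (the part after the dash is the packager’s rebuild number, not an upstream release), and the loading chain from the quoted note above (sshd is patched for systemd notification, libsystemd pulls in liblzma, and that is how the payload reaches sshd). The script below is an added example, not code from the thread or from any of the projects mentioned; it assumes pacman’s [epoch:]pkgver-pkgrel syntax and takes 5.6.0 and 5.6.1 as the upstream releases whose tarballs carried the backdoor. The ldd sample it parses is constructed, with made-up addresses.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): helpers for two checks discussed above,
# (1) reading a pacman package version correctly and (2) seeing whether a local
# sshd can reach liblzma through libsystemd. Assumptions not stated on the page:
# pacman versions look like [epoch:]pkgver-pkgrel, and the upstream releases
# whose tarballs carried the backdoor are 5.6.0 and 5.6.1.

# Upstream (pkgver) part of a pacman version string: "1:5.6.1-3" -> "5.6.1".
upstream_version() {
    local v="${1#*:}"         # drop an optional "epoch:" prefix
    printf '%s\n' "${v%%-*}"  # drop "-pkgrel"
}

# Packager's rebuild number (pkgrel): "5.6.1-3" -> "3"; empty when absent.
pkgrel() {
    local v="${1#*:}"
    case "$v" in
        *-*) printf '%s\n' "${v##*-}" ;;
        *)   printf '\n' ;;
    esac
}

# True (0) when the upstream part is one of the backdoored releases.
# pkgrel is ignored on purpose: a rebuild such as 5.6.1-2 -> 5.6.1-3 keeps the
# same upstream version, so only the distribution's advisory can say which
# pkgrel was built from clean sources.
xz_upstream_affected() {
    case "$(upstream_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read ldd(1) output on stdin, print the libsystemd/liblzma entries, and
# return 0 if liblzma is in sshd's transitive link set, 1 otherwise.
sshd_lzma_chain() {
    local line found=1
    while IFS= read -r line; do
        case "$line" in
            *libsystemd.so*|*liblzma.so*)
                line="${line#"${line%%[![:space:]]*}"}"   # trim leading whitespace
                printf '%s\n' "${line%% =>*}"             # keep only the soname
                case "$line" in *liblzma.so*) found=0 ;; esac
                ;;
        esac
    done
    return "$found"
}

# Constructed sample of what `ldd /usr/sbin/sshd` prints on a distribution whose
# sshd is patched for systemd notification (paths and addresses are made up).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1c3f0000)
	libsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x00007f2a1a200000)
	liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f2a1a1c0000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f2a19e00000)'

# Run both checks against the machine this is executed on.
check_live_system() {
    local pkg ver sshd_bin libs
    if command -v pacman >/dev/null 2>&1; then
        if pkg=$(pacman -Q xz 2>/dev/null); then
            ver=${pkg#xz }
            printf 'pacman xz: %s (upstream %s, pkgrel %s)\n' \
                "$ver" "$(upstream_version "$ver")" "$(pkgrel "$ver")"
            if xz_upstream_affected "$ver"; then
                echo "upstream version matches a release that shipped the backdoored tarball;" \
                     "check the pkgrel against your distribution's advisory"
            fi
        fi
    fi
    echo "xz -V reports: $(xz -V 2>/dev/null | head -n1)"
    sshd_bin=$(command -v sshd 2>/dev/null)
    [ -n "$sshd_bin" ] || sshd_bin=/usr/sbin/sshd
    if [ -x "$sshd_bin" ]; then
        if libs=$(ldd "$sshd_bin" 2>/dev/null | sshd_lzma_chain); then
            printf '%s loads liblzma (directly or via libsystemd):\n%s\n' "$sshd_bin" "$libs"
        else
            echo "$sshd_bin does not load liblzma; the sshd loading chain described above does not apply here"
        fi
    fi
}

if [ "${1-}" = "--live" ]; then
    check_live_system
fi
```

Run it as `bash xz_check.sh --live` to inspect the local machine, or source it to use the functions on their own. Two caveats: `ldd` resolves the transitive set by invoking the dynamic loader on the binary, so on a host you already suspect is compromised prefer `readelf -d` on sshd and on libsystemd separately (which only shows each file’s direct NEEDED entries); and a clean pkgrel of an affected upstream version can only be told apart by the distribution’s advisory, not by the version number, which is exactly the confusion the question above ran into.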

This might go beyond a mere joke. Similar to easter eggs programmers hide in their work.

The credit goes to Andres Freund, who effectively discovered this vulnerability by accident - to my understanding, he noticed that sshd was consuming an unusually high amount of CPU resources; upon profiling his system, he stumbled upon this vulnerability. We’re very lucky that this vulnerability was caught at all, because it was implemented via a very sophisticated process with many steps and adjuncts over a fairly long period of time (parts of 3 years).

The details are many and complicated, but it boils down to this (I did a lot of reading on this and forgot some things, so I cannot guarantee that all the details are correct):

• The original developer of xz is Lasse Collin, who has worked on this since 2005 (or so) - it is highly unlikely that he was knowingly complicit in implementing this vulnerability. Nevertheless, his GitHub account was suspended.

• Jia Tan (if that’s their real name) - the perpetrator - joined xz development in 2021; Collin admitted to being overworked and having mental health issues being the lone maintainer of xz; this was the kind of situation that Tan would find easy to exploit. (His GitHub account was obviously suspended.) The latest version of xz that was untouched by Tan is 5.3.2 (branched from 5.2.5).

• Tan made commits to other repos and went out of their way to establish a pattern of behavior, to obfuscate their true intentions. (To socially engineer trust within the Linux community, via credibility building.) IIRC, Tan also made commits to repos that xz depended on or is a dependent of, to ultimately make this vulnerability easier to carry out (I think oss-fuzz is one of them). In addition, Tan (most likely) made a bunch of sockpuppet accounts, and used them to pressure repo maintainers (including Collin, I think) into adopting his changes. (Effectively, astroturfing.) The first major red flag was regarding ifunc and a bug pertaining to that. For the most part, Tan designed the malicious code in such a way that it would be difficult, if not impossible, to pick up on the malicious code via an audit.

• Tan stuck some of the malicious elements into the gitignore file or directory, which was ultimately implemented into the tarball for 5.6.0 and “bugfix” version 5.6.1.

• As far as I can discern, Tan’s most likely intention was to complete injection of all the required malicious code into xz in time for Ubuntu 24.04 LTS and Fedora 40 - which will both be widely adopted by Linux systems in the enterprise (RHEL and related ELS’s, in the case of Fedora) and development realms - and use the backdoor to penetrate/infect these systems via SSH. This would’ve obviously had (potentially) catastrophic consequences, given the widespread adoption within critical infrastructure. If left undiscovered, this could have become one of the worst cyberattack incidents in the history of IT.

• Teams of Debian developers are combing through all versions of xz affected or influenced in any way by Jia Tan, to see if any other vulnerabilities exist. Reverting to version 5.3.2 is not the most viable solution, due to breakages that can result with other packages.

Again, credit to Andres Freund for discovering and reporting on this vulnerability, and the auditors/investigators within the Linux community for taking all the appropriate actions here in discovery and to remedy this whole situation.


FOSS + popular project = trustworthy & completely safe, as anyone can review the code.
In reality very few people actually review them (even if they’re capable of doing it); everyone believes in “trust me bro, I’m FOSS”. Reviewing every FOSS project you use isn’t possible anyway…
Unlike at private companies, you don’t need to reveal your identity to contribute code to FOSS projects, which is nice, & many people take advantage of it in the wrong way.
I wonder if that’s how Pegasus & similar spyware work for zero-day vulnerabilities: first create trust in various FOSS projects from anonymous identities by contributing to them & then slowly control everything.

I do hope that you do understand that my “word play” was meant as a “joke” referring to the somewhat compulsive, and if I were to judge rather infantile, behavior of some members of the Linux/FOSS community as a way to demonstrate their disapproval and perhaps contempt of Microsoft and its products.

In no way, was it my intention to diminish Mr. Andres Freund and his effort to whom we should all be grateful for catching “Ze Bug” :wink:


backslashes ( \ ) for windowz :face_with_monocle:


I understand; while Micro$oft is (for a large part) an evil corporation (judging by their practices), that doesn’t say the same for most of their employees. I just wanted to give credit to the person who was most responsible for catching this vulnerability in time. I felt that Mr. Freund isn’t getting enough credit, though he did manage to find the vulnerability/“ze bug” :joy: somewhat by happenstance.

Also, I put the names of people in the first instance of mention in bold, as you can probably tell - sort of my style. (I also do the same for certain specific things of importance.)


Nah, I’m on 5.6.1-3, and I assume many others are also on that version. I don’t use xz or sshd a lot, but it’s curious to see this happening like a week after I started using Linux lol

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5010026#gistcomment-5010026

We have dodged so many bullets along the way, it’s insane.
