Topic: PSA: xz/liblzma critical vulnerability (Read 161 times)

legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
March 31, 2024, 05:03:20 AM
#12
It's one of the few times where I'm glad I chose a conservative distro like Debian. It's also crazy it took months before it was detected.
Didn't Debian import it into their packages like Ubuntu did?

I just checked my Debian device and it seems they include xz by default. But based on my experience, Debian is usually slower to upgrade its packages than Ubuntu LTS.

Basically it contains a backdoor to completely bypass your SSH authentication. All signs point to it being planted by a malicious actor running the project. It is undetectable by sanitizers and fuzz testing tools.
I bet it's a state actor? Maybe the CIA or similar.
A rare case of an open-source project being compromised... imagine if this happens to a Bitcoin wallet.

I can see that happening with unpopular wallet software or a library used to sign transactions. Imagine if someone compromised a signing library to create signed TXs with a specific k value range.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 30, 2024, 02:23:31 PM
#11
Update: Lasse Collin (original xz maintainer) has released a statement on his website:

This page is short for now but it will get updated as I learn more about the incident. Most likely it will be during the first week of April 2024.

The Git repositories of XZ projects are on git.tukaani.org.

xz.tukaani.org DNS name (CNAME) has been removed. The XZ projects currently don’t have a home page. This will be fixed in a few days.

Facts
- CVE-2024-3094

- XZ Utils 5.6.0 and 5.6.1 release tarballs contain a backdoor. These tarballs were created and signed by Jia Tan.

- Tarballs created by Jia Tan were signed by him. Any tarballs signed by me were created by me.

- GitHub accounts of both me (Larhzu) and Jia Tan are suspended.

- xz.tukaani.org (DNS CNAME) was hosted on GitHub pages and thus is down too. It might be moved back to the main tukaani.org domain in the near future.

- Only I have had access to the main tukaani.org website, git.tukaani.org repositories, and related files. Jia Tan only had access to things hosted on GitHub, including the xz.tukaani.org subdomain (and only that subdomain).

It looks like he was unaware of this happening, and he's going to clean up this mess now, including most likely talking to GitHub staff.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 30, 2024, 10:34:47 AM
#10
Quote
As of 9:00 PM UTC, GitHub has suspended JiaT75’s account. Thanks? They also banned the repository, meaning people can no longer audit the changes made to it without resorting to mirrors. Immensely helpful, GitHub. They also suspended Lasse Collin’s account, which is completely disgraceful.
LOL Roll Eyes

I hope GitHub is busy scrubbing the malicious commits and writing a blog post about it, because otherwise the repo ban would be pointless.
sr. member
Activity: 1624
Merit: 294
March 30, 2024, 09:48:18 AM
#9
A rare case of an open-source project being compromised... imagine if this happens to a Bitcoin wallet.

Do we know who exactly committed the code? You need to have privileges to do that.

Ironically the backdoor was inserted by the maintainer himself, who goes by the name "Jia Tan" (@JiaT75 on github).

The other maintainer took a leave of absence and is probably unaware of all these flying monkeys in his codebase.
Yeah, I found more info here:

https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Quote
As of 9:00 PM UTC, GitHub has suspended JiaT75’s account. Thanks? They also banned the repository, meaning people can no longer audit the changes made to it without resorting to mirrors. Immensely helpful, GitHub. They also suspended Lasse Collin’s account, which is completely disgraceful.
LOL Roll Eyes
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 30, 2024, 09:38:08 AM
#8
A rare case of an open-source project being compromised... imagine if this happens to a Bitcoin wallet.

Do we know who exactly committed the code? You need to have privileges to do that.

Ironically the backdoor was inserted by the maintainer himself, who goes by the name "Jia Tan" (@JiaT75 on github).

The other maintainer took a leave of absence and is probably unaware of all these flying monkeys in his codebase.
sr. member
Activity: 1624
Merit: 294
March 30, 2024, 09:22:28 AM
#7
Basically it contains a backdoor to completely bypass your SSH authentication. All signs point to it being planted by a malicious actor running the project. It is undetectable by sanitizers and fuzz testing tools.
I bet it's a state actor? Maybe the CIA or similar.
A rare case of an open-source project being compromised... imagine if this happens to a Bitcoin wallet.

Do we know who exactly committed the code? You need to have privileges to do that.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 30, 2024, 07:34:16 AM
#6
Do we have access to the repository? Both Larhzu and JiaT75 github accounts are suspended, and their repository is disabled. I tried checking their commits with web archive, but no non-disabled pages were archived (except this, which doesn't reveal anything important).

There are a few mirrors of the repo linked in the hacker news page, like https://github.com/xz-mirror/xz
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
March 30, 2024, 06:41:03 AM
#5
Do we have access to the repository? Both Larhzu and JiaT75 github accounts are suspended, and their repository is disabled. I tried checking their commits with web archive, but no non-disabled pages were archived (except this, which doesn't reveal anything important).

It's one of the few times where I'm glad I chose a conservative distro like Debian. It's also crazy it took months before it was detected.
Didn't Debian import it into their packages like Ubuntu did?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 30, 2024, 05:56:43 AM
#4
That’s actually insane. This could have spread to every single Ubuntu/Debian machine with an SSH server in the world and stayed there for years. Imagine having the key to hack basically every server there is (with ssh). Tongue

And all it took was a single guy trying to fix some unexpected latency on his machine. Cheesy

I bet it's a state actor? Maybe the CIA or similar.

The timing of the discovery was very close. Ubuntu was about to release 24.04 LTS in a matter of days. It would have had a devastating effect had the LTS release shipped with an SSH backdoor, because it's used on most servers. Debian too.
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
March 30, 2024, 05:52:08 AM
#3
It's one of the few times where I'm glad I chose a conservative distro like Debian. It's also crazy it took months before it was detected.

I bet it's a state actor? Maybe the CIA or similar.

That seems plausible.
legendary
Activity: 2758
Merit: 6830
March 30, 2024, 05:16:02 AM
#2
That’s actually insane. This could have spread to every single Ubuntu/Debian machine with an SSH server in the world and stayed there for years. Imagine having the key to hack basically every server there is (with ssh). Tongue

And all it took was a single guy trying to fix some unexpected latency on his machine. Cheesy

I bet it's a state actor? Maybe the CIA or similar.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 29, 2024, 11:34:00 PM
#1
There is a very serious vulnerability in the xz compression program that was just found and has made its way to versions 5.6.0 and 5.6.1:

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://news.ycombinator.com/item?id=39865810
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

Basically it contains a backdoor to completely bypass your SSH authentication. All signs point to it being planted by a malicious actor running the project. It is undetectable by sanitizers and fuzz testing tools.

Fortunately the major distributions such as Ubuntu had not packaged it yet.

I am aware that most people reading this do not use SSH or have servers for this, but this particular actor has a large footprint in other open source projects, so there is no guarantee that local services that you might actually use on your wallet PC are not affected by a different vulnerability.
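As an added example (not code from the thread, the xz project, or any distribution), here is a small POSIX shell script a reader could run to check the two things the post makes actionable: whether the locally installed xz reports one of the affected release versions (5.6.0 or 5.6.1), and whether the local sshd binary links liblzma at all, which is the path by which the backdoored library could reach the SSH daemon. It assumes the upstream `xz --version` output format ("xz (XZ Utils) X.Y.Z" on the first line) and that `ldd` is available; both are assumptions, not facts from the page. A version match is only a first pass: distributions that reverted the package kept their own version strings, so the distribution advisories linked in the post remain the authoritative source.

```shell
#!/bin/sh
# Added example, not code from the original thread or the xz project.
# Flags an installed xz/liblzma whose version is one of the backdoored
# releases named in the post (5.6.0 and 5.6.1), and reports whether the
# local sshd links liblzma (the exposure path for the backdoor).

# Return 0 if the given version string is one of the affected releases.
is_affected_xz_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Pull the version number out of `xz --version` output. Assumption: the
# first line has the upstream form "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Classify a version string as "affected", "ok" or "unknown" (empty input).
classify_xz_version() {
  ver=$1
  if [ -z "$ver" ]; then
    echo unknown
  elif is_affected_xz_version "$ver"; then
    echo affected
  else
    echo ok
  fi
  return 0
}

# Live check against the local machine: xz version plus sshd's linkage.
check_local_host() {
  if command -v xz >/dev/null 2>&1; then
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    printf 'xz version %s: %s\n' "${ver:-?}" "$(classify_xz_version "$ver")"
  else
    echo "xz not found in PATH"
  fi
  # sshd is usually not in a normal user's PATH, so fall back to /usr/sbin.
  sshd_path=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null)
  if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
    if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
      echo "sshd links liblzma (exposed if liblzma is an affected build)"
    else
      echo "sshd does not link liblzma"
    fi
  else
    echo "sshd or ldd not found; skipping linkage check"
  fi
}

# Run the live check when the script is executed; the functions above can
# also be sourced and used on captured `xz --version` output.
check_local_host
```

Running it on a host prints the installed xz version with its classification and one line about sshd's linkage; an "affected" result or an "sshd links liblzma" line on a host with a 5.6.x liblzma is the signal to apply the distribution's fix and rotate any credentials exposed through that host.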