XZ Backdoor discovered

Discussion in 'General Linux Discussion' started by Daerandin, Mar 30, 2024.

  1. Daerandin

    Daerandin Well-Known Member

    Joined:
    Oct 18, 2013
    Messages:
    1,157
    Likes Received:
    258
    Trophy Points:
    83
    Location:
    Northern Norway
    Home page:
    Yesterday it was announced that a backdoor was discovered in liblzma which seems to specifically target sshd. The unique thing here is that all evidence points to one of the XZ devs doing this intentionally. The same dev have contributed code to several other projects, so there's a lot of digging now to verify if this other code could potentionally introduce vulnerabilities.

    The original announcement is here: https://www.openwall.com/lists/oss-security/2024/03/29/4

    As I am writing this, the XZ repo on github has been disabled for now, and all affected distros have already released fixed versions.

    This backdoor appear to be very well made, and it only triggers under certain specific build conditions. Only Debian and Fedora seems to be targeted, as they have patched openssh to link to libsystemd, which links to liblzma, which is how the backdoor is invoked. I'm just hoping there is no more malicious code that just haven't been detected yet, or more undiscovered functionality to this backdoor.
  2. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    8,339
    Likes Received:
    624
    Trophy Points:
    113
    Location:
    Linux, Virginia
    Home page:
    Thank you for the "heads up"
    Are we at risk on Mint?
    As far as I know SSH is disabled by default in Debian & Mint.

    When I try to connect to another PC in my network it always says "Port 22 Connection Refused"
  3. Daerandin

    Daerandin Well-Known Member

    Joined:
    Oct 18, 2013
    Messages:
    1,157
    Likes Received:
    258
    Trophy Points:
    83
    Location:
    Northern Norway
    Home page:
    Mint never started using any of the known compromised versions of xz, so you were never at risk on Mint.

    Arch did package the compromised versions, but the exploit was made to be difficult to detect, and as such would not build on any other systems than debian/fedora systems are derivatives.

    The scary thing about this is that the malicious dev have been a maintainer of the xz project for 2 years, and also made code contributions to several other projects, among then libarchive which is a widely used project. I'm just hoping most of the contributions were not malicious and maybe just an attempt at building credibility. This was either someone playing the long game, or had their account compromised.
    booman likes this.
  4. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    8,339
    Likes Received:
    624
    Trophy Points:
    113
    Location:
    Linux, Virginia
    Home page:
    Wow, what a scary scandalous situation! Developers working on an open-source project for the good of Linux and someone secretly using for malicious purposes. I would hate to be that developer when they found out.

    This is something I never considered before... I'm sure open-source developers consider security when creating code. You would have to think of ways to exploit your code to make it secure.
  5. Daerandin

    Daerandin Well-Known Member

    Joined:
    Oct 18, 2013
    Messages:
    1,157
    Likes Received:
    258
    Trophy Points:
    83
    Location:
    Northern Norway
    Home page:
    I have been reading up on other reports, and it really seems like this was a developer creating the backdoor on purpose. This person worked over time to gain trust from the xz maintainer, until they got co-maintainer status. This person was also working with Fedora devs to get the new and malicious version packaged by Fedora.

    This malicious dev has gone dark after the discovery. The original maintainer of xz has not made any public comments yet, probably a huge shock for them too when they learned that a trusted co-maintainer was actually malicious.
  6. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    8,339
    Likes Received:
    624
    Trophy Points:
    113
    Location:
    Linux, Virginia
    Home page:
    That is crazy! Someone needs a better hobby than maliciously deceiving developers who make open source code.
  7. Gizmo

    Gizmo Chief Site Administrator Staff Member

    Joined:
    Dec 6, 2012
    Messages:
    2,282
    Likes Received:
    172
    Trophy Points:
    63
    Location:
    Webb City, Missouri
    Home page:
    IMO this was a carefully planned and orchestrated attack, probably for a state actor. I just don't see someone doing this for the LOLs.
  8. Daerandin

    Daerandin Well-Known Member

    Joined:
    Oct 18, 2013
    Messages:
    1,157
    Likes Received:
    258
    Trophy Points:
    83
    Location:
    Northern Norway
    Home page:
    Agreed, that seems to be the most likely answer.

Share This Page