XZ Backdoor discovered

[Daerandin]

Yesterday it was announced that a backdoor was discovered in liblzma which seems to specifically target sshd. The unique thing here is that all evidence points to one of the XZ devs doing this intentionally. The same dev have contributed code to several other projects, so there's a lot of digging now to verify if this other code could potentionally introduce vulnerabilities.

The original announcement is here: https://www.openwall.com/lists/oss-security/2024/03/29/4

As I am writing this, the XZ repo on github has been disabled for now, and all affected distros have already released fixed versions.

This backdoor appear to be very well made, and it only triggers under certain specific build conditions. Only Debian and Fedora seems to be targeted, as they have patched openssh to link to libsystemd, which links to liblzma, which is how the backdoor is invoked. I'm just hoping there is no more malicious code that just haven't been detected yet, or more undiscovered functionality to this backdoor.

 

[booman]

Thank you for the "heads up"
Are we at risk on Mint?
As far as I know SSH is disabled by default in Debian & Mint.

When I try to connect to another PC in my network it always says "Port 22 Connection Refused"

 

[Daerandin]

Mint never started using any of the known compromised versions of xz, so you were never at risk on Mint.

Arch did package the compromised versions, but the exploit was made to be difficult to detect, and as such would not build on any other systems than debian/fedora systems are derivatives.

The scary thing about this is that the malicious dev have been a maintainer of the xz project for 2 years, and also made code contributions to several other projects, among then libarchive which is a widely used project. I'm just hoping most of the contributions were not malicious and maybe just an attempt at building credibility. This was either someone playing the long game, or had their account compromised.

 

[booman]

Wow, what a scary scandalous situation! Developers working on an open-source project for the good of Linux and someone secretly using for malicious purposes. I would hate to be that developer when they found out.

This is something I never considered before... I'm sure open-source developers consider security when creating code. You would have to think of ways to exploit your code to make it secure.

 

[Daerandin]

I have been reading up on other reports, and it really seems like this was a developer creating the backdoor on purpose. This person worked over time to gain trust from the xz maintainer, until they got co-maintainer status. This person was also working with Fedora devs to get the new and malicious version packaged by Fedora.

This malicious dev has gone dark after the discovery. The original maintainer of xz has not made any public comments yet, probably a huge shock for them too when they learned that a trusted co-maintainer was actually malicious.

 

[booman]

That is crazy! Someone needs a better hobby than maliciously deceiving developers who make open source code.

 

[Gizmo]

IMO this was a carefully planned and orchestrated attack, probably for a state actor. I just don't see someone doing this for the LOLs.

 

[Daerandin]

IMO this was a carefully planned and orchestrated attack, probably for a state actor. I just don't see someone doing this for the LOLs.

Agreed, that seems to be the most likely answer.