From Newsgroup: comp.os.linux.misc

I just saw this while looking through a news feed.

https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/

I have not read the entire article yet, but it has been said to have been
found accidentally.

pH in Aptos
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

pH wrote:

I just saw this while looking through a news feed.

https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/

I have not read the entire article yet, but it has been said to have been found accidentally.

pH in Aptos

"stop using Fedora 41" sounds pretty serious....
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

In comp.os.linux.misc, pH <wNOSPAMp@gmail.org> wrote:

I just saw this while looking through a news feed.

https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/

I have not read the entire article yet, but it has been said
to have been
found accidentally.

The initial report is quite readable:

https://www.openwall.com/lists/oss-security/2024/03/29/4

Found because someone was trying to benchmark something else and ssh was
using noticable cpu. An exploit hidden by a multi-year contributor who
got promoted to maintainer. The exploit is hidden in a "bad" xz
compessed "test" file, a simple use of `tr` repairing the file. Today's
exploit specifically targets sshd on Debian, but there's no reason to
think that this was a final target instead of a first target.

Elijah
------
Easter weekend security scamble
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 30/03/24 02:53, pH wrote:

I just saw this while looking through a news feed.

https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/

I have not read the entire article yet, but it has been said to have been found accidentally.

pH in Aptos

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?
--
1) Resistere, resistere, resistere.
2) Se tutti pagano le tasse, le tasse le pagano tutti
MarioCPPP

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Eli the Bearded <*@eli.users.panix.com> wrote:

The initial report is quite readable:

https://www.openwall.com/lists/oss-security/2024/03/29/4

Found because someone was trying to benchmark something else and ssh was using noticable cpu. An exploit hidden by a multi-year contributor who
got promoted to maintainer. The exploit is hidden in a "bad" xz
compessed "test" file, a simple use of `tr` repairing the file. Today's exploit specifically targets sshd on Debian, but there's no reason to
think that this was a final target instead of a first target.

True, though that post does mention that the exploit actually
relies on a Debian patch to OpenSSH which causes sshd to be linked
to the XZ compression library via a dependency on libsystemd:
"openssh does not directly use liblzma. However debian and several
other distributions patch openssh to support systemd notification,
and libsystemd does depend on lzma."

This post provides a patch for starting a child process from sshd
to talk to Systemd then exit, instead of linking the SSH server
to libsystemd directly. So it's not the only way that Systemd
integration can be done by distros (if they feel compelled to do it
at all).
https://www.openwall.com/lists/oss-security/2024/03/29/23

They also point out how many libraries are unnecessarily linked to
sshd by existing distro patches. On RHEL 9.x they say "ldd sshd"
lists 28 dynamically-linked libraries, but for their "Rocky Linux
SIG/Security override package" they've got it down to 13.

On Debian 11 (bookworm) with OpenSSH_8.4p1 I see by running ldd on
/sbin/sshd that it's linked to 31 libraries. But on Tiny Core Linux
14, which doesn't use Systemd, OpenSSH_9.5p1 links to only 8
libraries, and doesn't link to liblzma.

On OpenWRT 23 I use Dropbear v2022.82 and ldd shows that it links
to just 3 libraries!

So the attack surface of the SSH server process varies wildly
between distros. Indeed my first thought when I read about this was
"Huh, I didn't know that OpenSSH supported XZ compression". Turns
out it doesn't, but Systemd does.
--
__ __
#_ < |\| |< _#
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

On 30/03/24 02:53, pH wrote:

I just saw this while looking through a news feed.

https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/

I have not read the entire article yet, but it has been said to have been
found accidentally.

pH in Aptos

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian, so unless you're running that it's unlikely to matter.
But the advice is to downgrade (which may be effected now as an
upgrade within package managers) from the affected liblzma versions
5.6.0 and 5.6.1 to a previous version if you're not using an older
verison already anyway.

Here's a summary of the problem and what to do: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

Linked from this official page on the XZ Utils project author's
website:
https://tukaani.org/xz-backdoor/
--
__ __
#_ < |\| |< _#
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).
--
__ __
#_ < |\| |< _#
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc



On Sun, 31 Mar 2024, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

How is this exploited? Does it require login/pw?

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

presumably wanted to get into Suse enterprise as well, but that is less
clear. It got to Tumbleweed, however that is too far removed from
enterprise. They tried to get it into next Ubuntu but failed.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

pH <wNOSPAMp@gmail.org> wrote:

I just saw this while looking through a news feed.

https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/

I have not read the entire article yet, but it has been said to
have been found accidentally.

pH in Aptos

Thanks, here is another interesting link that describes how
the issue occurred and indicates why *BSD and Distros like
Slackware would not be vulnerable.

https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
--
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On Sun, 31 Mar 2024 11:29:08 +0200, D wrote:

On Sun, 31 Mar 2024, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

How is this exploited? Does it require login/pw?

An "infected" system just needs an SSH server exposed to the internet
to be exploited. The "bad actor" uses a pre-built key to initiate
contact and contact doesn't go any further than key validation.

However, the key validation of a bad-actor key causes SSHd to extract
a payload from the key, and pass that payload to a system(3) call.

So, while the "bad actor" initiator never officially "logs on" to
the system (no userid, etc), they are afforded sshd privilege-level
access to the system to run commands.

HTH
--
Lew Pitcher
"In Skills We Trust"
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 2024-03-31 01:22, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

openSUSE Tumbleweed and openSUSE MicroOS are affected.

Not Leap nor SLES.
--
Cheers, Carlos.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 2024-03-31, Lew Pitcher wrote:

On Sun, 31 Mar 2024 11:29:08 +0200, D wrote:

On Sun, 31 Mar 2024, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

How is this exploited? Does it require login/pw?

An "infected" system just needs an SSH server exposed to the internet
to be exploited. The "bad actor" uses a pre-built key to initiate
contact and contact doesn't go any further than key validation.

However, the key validation of a bad-actor key causes SSHd to extract
a payload from the key, and pass that payload to a system(3) call.

So, while the "bad actor" initiator never officially "logs on" to
the system (no userid, etc), they are afforded sshd privilege-level
access to the system to run commands.

HTH

If I understand correctly (please correct me if I'm wrong!), it's a certificate, not a key. While this may sound like nitpicking, in this
case it seems to matter a lot, because for *certificates*, the hijacked function is invoked even if certificate authentication is not enabled.

https://bugzilla.mindrot.org/show_bug.cgi?id=3675
--
Nuno Silva
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On Sun, 31 Mar 2024 16:45:08 +0100, Nuno Silva wrote:

On 2024-03-31, Lew Pitcher wrote:

On Sun, 31 Mar 2024 11:29:08 +0200, D wrote:

On Sun, 31 Mar 2024, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

How is this exploited? Does it require login/pw?

An "infected" system just needs an SSH server exposed to the internet
to be exploited. The "bad actor" uses a pre-built key to initiate
contact and contact doesn't go any further than key validation.

However, the key validation of a bad-actor key causes SSHd to extract
a payload from the key, and pass that payload to a system(3) call.

So, while the "bad actor" initiator never officially "logs on" to
the system (no userid, etc), they are afforded sshd privilege-level
access to the system to run commands.

HTH

If I understand correctly (please correct me if I'm wrong!), it's a certificate, not a key. While this may sound like nitpicking, in this
case it seems to matter a lot, because for *certificates*, the hijacked function is invoked even if certificate authentication is not enabled.

https://bugzilla.mindrot.org/show_bug.cgi?id=3675

I believe that you are correct. My memory of the details was incorrect.
--
Lew Pitcher
"In Skills We Trust"
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.

My understanding is that effectively the differentiating factor of if a
distro is impacted or not is if it uses systemd or not.

Purportedly sshd itself doesn't use xz. But sshd built on / for systemd distros end up having xz added as a library / dependency because of
systemd compatibility because systemd does use xz for things.

As such, my supposition is that, things like *BSD, Slackware, and Gentoo (OpenRC old default) aren't affected because they don't have -> use systemd.
--
Grant. . . .
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On Sun, 31 Mar 2024 10:23:41 -0400, Carlos E.R. <robin_listas@es.invalid> wrote:

On 2024-03-31 01:22, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

openSUSE Tumbleweed and openSUSE MicroOS are affected.

Not Leap nor SLES.

Mageia is not affected either. The 5.6.0 and 5.6.1 versions were not imported into Mageia.

Regards, Dave Hodgins
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Nuno Silva <nunojsilva@invalid.invalid> wrote:

On 2024-03-31, Lew Pitcher wrote:

On Sun, 31 Mar 2024 11:29:08 +0200, D wrote:

How is this exploited? Does it require login/pw?

An "infected" system just needs an SSH server exposed to the internet
to be exploited. The "bad actor" uses a pre-built key to initiate
contact and contact doesn't go any further than key validation.

However, the key validation of a bad-actor key causes SSHd to extract
a payload from the key, and pass that payload to a system(3) call.

So, while the "bad actor" initiator never officially "logs on" to
the system (no userid, etc), they are afforded sshd privilege-level
access to the system to run commands.

HTH

If I understand correctly (please correct me if I'm wrong!), it's a certificate, not a key. While this may sound like nitpicking, in
this case it seems to matter a lot, because for *certificates*, the
hijacked function is invoked even if certificate authentication is
not enabled.

https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Given that it is a "backdoor", nitpicking whether it is a 'key' or a 'certificate' for activation is a bit of bikeshedding. It hardly
matters that the bad actor used a "key" or a "certificate" to open
their backdoor when they get the ability to run arbitrary commands on
your system as the root user because of that same backdoor.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On Sun, 31 Mar 2024 12:05:58 -0400, Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.

My understanding is that effectively the differentiating factor of if a distro is impacted or not is if it uses systemd or not.

sshd supports compression. xz is an option for how things are compressed.

Regards, Dave Hodgins
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.

My understanding is that effectively the differentiating factor of if
a distro is impacted or not is if it uses systemd or not.

Yes, this seems to have been part of the "connection".

Purportedly sshd itself doesn't use xz.

It does not. Directly that is.

But sshd built on / for systemd distros end up having xz added as a
library / dependency because of systemd compatibility because systemd
does use xz for things.

Some distros, in their zeal to "systemd all the things" patch OpenSSH
to link it to a systemd library for logging purposes. That addition of
a systemd library for logging is what ultimately linked the xz/lzma
library into OpenSSH because somewhere in that systemd libraries
dependency chain was libxz/lzma.

As such, my supposition is that, things like *BSD, Slackware, and
Gentoo (OpenRC old default) aren't affected because they don't have

use systemd.

They are not, because their OpenSSH is not linked to libxz/lzma in any
way.

But.... this is nearly a "Reflections on Trusting Trust" [1] level
opsec. attempt, and so just because BSD/Slackware/Gentoo happen to be
immune this time, does not mean they would be immune to another opsec. attempt against an OpenSSH direct dependency which might gain a
similarly well hidden backdoor.

On my Slack 15.0 system, sshd directly links to the following
libraries:

$ ldd /usr/sbin/sshd
linux-vdso.so.1 (0x00007ffee1ab9000)
libnsl.so.2 => /lib64/libnsl.so.2 (0x00007fdb09586000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007fdb09575000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fdb09290000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fdb0928b000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007fdb09286000)
libz.so.1 => /lib64/libz.so.1 (0x00007fdb0926c000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fdb09230000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fdb09216000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fdb091c4000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fdb090ed000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fdb090bf000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fdb090b9000)
libc.so.6 => /lib64/libc.so.6 (0x00007fdb08ed8000)
libtirpc.so.3 => /lib64/libtirpc.so.3 (0x00007fdb08ea8000)
/lib64/ld-linux-x86-64.so.2 (0x00007fdb096cf000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdb08e87000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00007fdb08e78000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fdb08e71000)

A similar backdoor in any one of these would open up sshd for remote
access, even though I have no systemd anywhere on my system.

[1] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On Sun, 31 Mar 2024 12:26:20 -0400, Rich <rich@example.invalid> wrote:

Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.

My understanding is that effectively the differentiating factor of if
a distro is impacted or not is if it uses systemd or not.

Yes, this seems to have been part of the "connection".

Purportedly sshd itself doesn't use xz.

It does not. Directly that is.

But sshd built on / for systemd distros end up having xz added as a
library / dependency because of systemd compatibility because systemd
does use xz for things.

Some distros, in their zeal to "systemd all the things" patch OpenSSH
to link it to a systemd library for logging purposes. That addition of
a systemd library for logging is what ultimately linked the xz/lzma
library into OpenSSH because somewhere in that systemd libraries
dependency chain was libxz/lzma.

As such, my supposition is that, things like *BSD, Slackware, and
Gentoo (OpenRC old default) aren't affected because they don't have

use systemd.

They are not, because their OpenSSH is not linked to libxz/lzma in any
way.

The link to systemd is an after the fact detail. Likely systemd was intended
as another target, but the attack was caught before it got that far.

The key in deciding whether or not a distribution is impacted, is whether
or not it includes version 5.6.0 or 5.6.1 of xz.

The remote code execution is in those versions of the xz package.

Once the RCE is available, ssh is vulnerable as sshd supports compression
and xz is one option for compression. It doesn't matter whether xz is linked
in to sshd or called at run time to decompress the data.

https://gynvael.coldwind.pl/?lang=en&id=782
https://tukaani.org/xz-backdoor/

The RCE just happened to be found while running detailed timing tests that included sshd with xz compression support. It impacts anything that supports using xz as a compression utility, or any xz decompression of untrusted input by an end user or other system service.

Regards, Dave Hodgins
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:

On Sun, 31 Mar 2024 12:05:58 -0400, Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.

My understanding is that effectively the differentiating factor of if a
distro is impacted or not is if it uses systemd or not.

sshd supports compression. xz is an option for how things are compressed.

ssh supports zlib compression. It (ssh) does not offer lzma/xz as a compression option.

xz got pulled into ssh on systemd systems because systemd supports
using xz/lzma for journald compression, and it is therefore a
dependency of libsystemd. Some distros patch sshd to link to
libsystemd so that their sshd can "notify" systemd that it is up via a
call to a libsystemd function.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 2024-03-31 18:26, Rich wrote:

Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.

My understanding is that effectively the differentiating factor of if
a distro is impacted or not is if it uses systemd or not.

Yes, this seems to have been part of the "connection".

Purportedly sshd itself doesn't use xz.

It does not. Directly that is.

But sshd built on / for systemd distros end up having xz added as a
library / dependency because of systemd compatibility because systemd
does use xz for things.

Some distros, in their zeal to "systemd all the things" patch OpenSSH
to link it to a systemd library for logging purposes. That addition of
a systemd library for logging is what ultimately linked the xz/lzma
library into OpenSSH because somewhere in that systemd libraries
dependency chain was libxz/lzma.

As such, my supposition is that, things like *BSD, Slackware, and
Gentoo (OpenRC old default) aren't affected because they don't have

use systemd.

They are not, because their OpenSSH is not linked to libxz/lzma in any
way.

But.... this is nearly a "Reflections on Trusting Trust" [1] level
opsec. attempt, and so just because BSD/Slackware/Gentoo happen to be
immune this time, does not mean they would be immune to another opsec. attempt against an OpenSSH direct dependency which might gain a
similarly well hidden backdoor.

A well funded bad actor will likely find a target to do their thing.
They did not attack systemd directly, but a small auxiliary library from another project, one that had little attention from developers. Once
this hole is plugged, they will seek another one.

That was a two year investment to plant a mole. There might be others.
--
Cheers, Carlos.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On Sun, 31 Mar 2024 13:38:32 -0400, Rich <rich@example.invalid> wrote:

David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:

On Sun, 31 Mar 2024 12:05:58 -0400, Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.

My understanding is that effectively the differentiating factor of if a
distro is impacted or not is if it uses systemd or not.

sshd supports compression. xz is an option for how things are compressed.

ssh supports zlib compression. It (ssh) does not offer lzma/xz as a compression option.

xz got pulled into ssh on systemd systems because systemd supports
using xz/lzma for journald compression, and it is therefore a
dependency of libsystemd. Some distros patch sshd to link to
libsystemd so that their sshd can "notify" systemd that it is up via a
call to a libsystemd function.

Perhaps ssh is only impacted on systemd systems, but anything processing untrusted xz compressed files, such as clamav is still vulnerable, so the statement that only systems using systemd are vulnerable is not correct.

Any system using xz 5.6.0 or 5.6.1 is vulnerable.

Regards, Dave Hodgins
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On Sun, 31 Mar 2024 14:51:06 -0400, David W. Hodgins wrote:

On Sun, 31 Mar 2024 13:38:32 -0400, Rich <rich@example.invalid> wrote:

David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:

On Sun, 31 Mar 2024 12:05:58 -0400, Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue >>>>> occurred and indicates why *BSD and Distros like Slackware would not >>>>> be vulnerable.

My understanding is that effectively the differentiating factor of if a >>>> distro is impacted or not is if it uses systemd or not.

sshd supports compression. xz is an option for how things are compressed. >>

ssh supports zlib compression. It (ssh) does not offer lzma/xz as a
compression option.

xz got pulled into ssh on systemd systems because systemd supports
using xz/lzma for journald compression, and it is therefore a
dependency of libsystemd. Some distros patch sshd to link to
libsystemd so that their sshd can "notify" systemd that it is up via a
call to a libsystemd function.

Perhaps ssh is only impacted on systemd systems, but anything processing untrusted xz compressed files, such as clamav is still vulnerable, so the statement that only systems using systemd are vulnerable is not correct.

Any system using xz 5.6.0 or 5.6.1 is vulnerable.

In theory, yes. And, "its better to be safe than sorry"

But, from my (admittedly very limited) understanding of the backdoor (as currently exposed), the bad code in xz specifically targets sshd, and (from current indications) no other application.

Still, if I had one of the suspicious xz/liblzma packages installed, I'd
not hesitate to "nuke it from orbit" and replace it with a known-good version.

Again, "its better to be safe than sorry".
--
Lew Pitcher
"In Skills We Trust"
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 3/31/24 11:13, David W. Hodgins wrote:

sshd supports compression. xz is an option for how things are compressed.

I've read multiple reports that OpenSSH upstream does not support xz compression.

Yes, OpenSSH does support multiple forms of compression, but xz is not
one of the form supported by upstream OpenSSH proper.

xz support was brought in by things downstream.
--
Grant. . . .
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 3/31/24 11:26, Rich wrote:

But.... this is nearly a "Reflections on Trusting Trust" [1]
level opsec. attempt, and so just because BSD/Slackware/Gentoo
happen to be immune this time, does not mean they would be immune to
another opsec. attempt against an OpenSSH direct dependency which
might gain a similarly well hidden backdoor.

N.B. there is a big difference in saying that *BSD / Slackware / Gentoo (OpenRC) aren't effected by the topic at hand because they aren't using systemd and saying that they are obviously more secure because they
aren't vulnerable to the topic at hand.

The former statement is probably relatively safe. The latter statement
is almost certainly unsafe.
--
Grant. . . .
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 31.03.2024 um 19:15 Uhr Lew Pitcher wrote:

Still, if I had one of the suspicious xz/liblzma packages installed,
I'd not hesitate to "nuke it from orbit" and replace it with a
known-good version.

The big trouble with that: You need to think that your entire system is compromised, including the files you had there, passwords you typed,
private keys used.
--
kind regards
Marco

Send spam to 1711905334muell@cartoonies.org

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 3/31/24 11:41, David W. Hodgins wrote:

The link to systemd is an after the fact detail. Likely systemd was
intended as another target, but the attack was caught before it got
that far.

I don't think it's proper to consider something to be after the fact
when it is an integral link in the chain for the vulnerability to be exploitable.

The key in deciding whether or not a distribution is impacted, is
whether or not it includes version 5.6.0 or 5.6.1 of xz.

I agree that it's possible for a non-systemd distro to have the bad
versions of xz.

But it is almost certain that OpenSSH on that non-systemd distro won't
be effected because it doesn't have support for xz in sshd.

The sshd vector requires all three components, sshd and systemd and xz.

If you remove systemd from that chain, sshd doesn't have xz in it and as
such sshd isn't vulnerable to this attack even if the vulnerable xz is
on the system.

At least that's my understanding.

The remote code execution is in those versions of the xz package.

And that RCE in the xz package isn't incorporated into sshd on
non-systemd distros.

Once the RCE is available, ssh is vulnerable as sshd supports
compression and xz is one option for compression.

OpenSSH / sshd upstream doesn't support xz as a compression.

Some distros have modified to make OpenSSH / sshd play nicer with
systemd and it's that modification that pulls xz in as a dependency.

So if your OpenSSH / sshd isn't ""enhanced - scoff - to support systemd,
then it will not have xz support. If your OpenSSH / sshd doesn't have
xz support then it's not vulnerable to the xz compromise.

It doesn't matter whether xz is linked in to sshd or called at run
time to decompress the data.

https://gynvael.coldwind.pl/?lang=en&id=782
https://tukaani.org/xz-backdoor/

The RCE just happened to be found while running detailed timing
tests that included sshd with xz compression support. It impacts
anything that supports using xz as a compression utility, or any
xz decompression of untrusted input by an end user or other system
service.

I question the veracity of that.

There may be a root hole in xz that matches what you say.

But my understanding of the xz RCE is that it is specifically written
for xz to be indirectly pulled into OpenSSH / sshd via systemd and that
it is expecting very specific behavior / assumptions. I seriously doubt
that those assumptions will be valid in other things.

Could the root hole in xz be abused as a gadget to target other things
besides sshd-modified-for-systemd? Probably. Or at least it
conceptually could have if it hadn't been discovered.
--
Grant. . . .
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 31.03.2024 um 19:15 Uhr Lew Pitcher wrote:

Still, if I had one of the suspicious xz/liblzma packages installed,
I'd not hesitate to "nuke it from orbit" and replace it with a
known-good version.

I'm not a fan of nuke it from orbit as a knee jerk reaction that some
people have.

On 3/31/24 14:27, Marco Moock wrote:

The big trouble with that: You need to think that your entire system
is compromised, including the files you had there, passwords you typed, private keys used.

There are two primary forms of compromise here; disclosure and
alteration. The first is somewhat difficult to prove didn't happen.
The second one can be quite easy to do with good backup systems.

Good backup systems that have sufficient history can tell when files
change by comparing content (not just date / time / size / checksum).
As such you can tell what files have been modified and when. With this knowledge, you can relatively easily go back to trusted versions across
the entire system (at least what's covered by the backup).

There are almost always ways to return a system to a safe state to use.
It's just that they often take more time and effort than nuking the
entire system from orbit.
--
Grant. . . .
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 11:13, David W. Hodgins wrote:

sshd supports compression. xz is an option for how things are compressed.

I've read multiple reports that OpenSSH upstream does not support xz >compression.

Yes, OpenSSH does support multiple forms of compression, but xz is not
one of the form supported by upstream OpenSSH proper.

xz support was brought in by things downstream.

As far as I have understood this _very_ sophisticated method, ssh is
patched by various distributions with a path endorsed by the portable
openssh project to support sd_notify. This pulls in libsystemd, which
in turn pulls in the trojaned liblzma, which in turn hooks an RSA
function which is then used by the ssd to autenticate a user who tries
to log in.

For this to work, sshd does not need to use xz.

Greetings
Marc
-- ---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On Sun, 31 Mar 2024 15:40:44 -0400, Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 31.03.2024 um 19:15 Uhr Lew Pitcher wrote:

Still, if I had one of the suspicious xz/liblzma packages installed,
I'd not hesitate to "nuke it from orbit" and replace it with a
known-good version.

I'm not a fan of nuke it from orbit as a knee jerk reaction that some
people have.

On 3/31/24 14:27, Marco Moock wrote:

The big trouble with that: You need to think that your entire system
is compromised, including the files you had there, passwords you typed,
private keys used.

There are two primary forms of compromise here; disclosure and
alteration. The first is somewhat difficult to prove didn't happen.
The second one can be quite easy to do with good backup systems.

Good backup systems that have sufficient history can tell when files
change by comparing content (not just date / time / size / checksum).
As such you can tell what files have been modified and when. With this knowledge, you can relatively easily go back to trusted versions across
the entire system (at least what's covered by the backup).

There are almost always ways to return a system to a safe state to use.
It's just that they often take more time and effort than nuking the
entire system from orbit.

That's assuming you haven't installed a root kit that can make the contents appear unchanged when read, but still have the changed version get executed.

If the changed files are on disk, booting from a clean installation, and then scanning the file system's used in that mangled system can work, but if a root kit gets into uefi firmware, detection and cleaning become potentially impossible.

Regards, Dave Hodgins
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc



On Sun, 31 Mar 2024, Lew Pitcher wrote:

On Sun, 31 Mar 2024 11:29:08 +0200, D wrote:

On Sun, 31 Mar 2024, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

How is this exploited? Does it require login/pw?

An "infected" system just needs an SSH server exposed to the internet
to be exploited. The "bad actor" uses a pre-built key to initiate
contact and contact doesn't go any further than key validation.

However, the key validation of a bad-actor key causes SSHd to extract
a payload from the key, and pass that payload to a system(3) call.

So, while the "bad actor" initiator never officially "logs on" to
the system (no userid, etc), they are afforded sshd privilege-level
access to the system to run commands.

HTH

Thank you very much for the summary.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc



On Sun, 31 Mar 2024, Carlos E.R. wrote:

On 2024-03-31 01:22, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

openSUSE Tumbleweed and openSUSE MicroOS are affected.

Not Leap nor SLES.

Are you sure? I check with ldd on my leap 15.5 and it links to the
compression library. But maybe another version perhaps.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc



On Sun, 31 Mar 2024, David W. Hodgins wrote:

On Sun, 31 Mar 2024 12:26:20 -0400, Rich <rich@example.invalid> wrote:

Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.

My understanding is that effectively the differentiating factor of if
a distro is impacted or not is if it uses systemd or not.

Yes, this seems to have been part of the "connection".

Purportedly sshd itself doesn't use xz.

It does not. Directly that is.

But sshd built on / for systemd distros end up having xz added as a
library / dependency because of systemd compatibility because systemd
does use xz for things.

Some distros, in their zeal to "systemd all the things" patch OpenSSH
to link it to a systemd library for logging purposes. That addition of
a systemd library for logging is what ultimately linked the xz/lzma
library into OpenSSH because somewhere in that systemd libraries
dependency chain was libxz/lzma.

As such, my supposition is that, things like *BSD, Slackware, and
Gentoo (OpenRC old default) aren't affected because they don't have

use systemd.

They are not, because their OpenSSH is not linked to libxz/lzma in any
way.

The link to systemd is an after the fact detail. Likely systemd was intended as another target, but the attack was caught before it got that far.

The key in deciding whether or not a distribution is impacted, is whether
or not it includes version 5.6.0 or 5.6.1 of xz.

The remote code execution is in those versions of the xz package.

Once the RCE is available, ssh is vulnerable as sshd supports compression
and xz is one option for compression. It doesn't matter whether xz is linked in to sshd or called at run time to decompress the data.

https://gynvael.coldwind.pl/?lang=en&id=782
https://tukaani.org/xz-backdoor/

The RCE just happened to be found while running detailed timing tests that included sshd with xz compression support. It impacts anything that supports using xz as a compression utility, or any xz decompression of untrusted input by an end user or other system service.

Regards, Dave Hodgins

And to answer my own question:

openSUSE Leap 15.5:

Name : liblzma5
Version : 5.2.3-150000.4.7.1

So not 5.6 so if I understand things correctly I should be fine.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc



On Sun, 31 Mar 2024, Carlos E.R. wrote:

On 2024-03-31 18:26, Rich wrote:

Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.

My understanding is that effectively the differentiating factor of if
a distro is impacted or not is if it uses systemd or not.

Yes, this seems to have been part of the "connection".

Purportedly sshd itself doesn't use xz.

It does not. Directly that is.

But sshd built on / for systemd distros end up having xz added as a
library / dependency because of systemd compatibility because systemd
does use xz for things.

Some distros, in their zeal to "systemd all the things" patch OpenSSH
to link it to a systemd library for logging purposes. That addition of
a systemd library for logging is what ultimately linked the xz/lzma
library into OpenSSH because somewhere in that systemd libraries
dependency chain was libxz/lzma.

As such, my supposition is that, things like *BSD, Slackware, and
Gentoo (OpenRC old default) aren't affected because they don't have

use systemd.

They are not, because their OpenSSH is not linked to libxz/lzma in any
way.

But.... this is nearly a "Reflections on Trusting Trust" [1] level
opsec. attempt, and so just because BSD/Slackware/Gentoo happen to be
immune this time, does not mean they would be immune to another opsec.
attempt against an OpenSSH direct dependency which might gain a
similarly well hidden backdoor.

A well funded bad actor will likely find a target to do their thing. They did
not attack systemd directly, but a small auxiliary library from another project, one that had little attention from developers. Once this hole is plugged, they will seek another one.

That was a two year investment to plant a mole. There might be others.

I'm one hundred percent sure state level actors are already doing this in numerous small auxiliary libraries as well as python pip, rust, go and
others.

Seems like supply chain attacks will be the new gold when it comes to malicious attacks. =(

Is the open source community equipped to handle this?
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 2024-03-31 22:46, D wrote:

On Sun, 31 Mar 2024, Carlos E.R. wrote:

On 2024-03-31 18:26, Rich wrote:

Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 08:38, John McCue wrote:

Thanks, here is another interesting link that describes how the issue >>>>> occurred and indicates why *BSD and Distros like Slackware would not >>>>> be vulnerable.

My understanding is that effectively the differentiating factor of if
a distro is impacted or not is if it uses systemd or not.

Yes, this seems to have been part of the "connection".

Purportedly sshd itself doesn't use xz.

It does not.  Directly that is.

But sshd built on / for systemd distros end up having xz added as a
library / dependency because of systemd compatibility because systemd
does use xz for things.

Some distros, in their zeal to "systemd all the things" patch OpenSSH
to link it to a systemd library for logging purposes.  That addition of >>> a systemd library for logging is what ultimately linked the xz/lzma
library into OpenSSH because somewhere in that systemd libraries
dependency chain was libxz/lzma.

As such, my supposition is that, things like *BSD, Slackware, and
Gentoo (OpenRC old default) aren't affected because they don't have

use systemd.

They are not, because their OpenSSH is not linked to libxz/lzma in any
way.

But....  this is nearly a "Reflections on Trusting Trust" [1] level
opsec.  attempt, and so just because BSD/Slackware/Gentoo happen to be
immune this time, does not mean they would be immune to another opsec.
attempt against an OpenSSH direct dependency which might gain a
similarly well hidden backdoor.

A well funded bad actor will likely find a target to do their thing.
They did not attack systemd directly, but a small auxiliary library
from another project, one that had little attention from developers.
Once this hole is plugged, they will seek another one.

That was a two year investment to plant a mole. There might be others.

I'm one hundred percent sure state level actors are already doing this
in numerous small auxiliary libraries as well as python pip, rust, go
and others.

Seems like supply chain attacks will be the new gold when it comes to malicious attacks. =(

Is the open source community equipped to handle this?

I see a business opportunity for commercial distros.
--
Cheers, Carlos.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 2024-03-31 22:39, D wrote:

On Sun, 31 Mar 2024, Carlos E.R. wrote:

On 2024-03-31 01:22, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

openSUSE Tumbleweed and openSUSE MicroOS are affected.

Not Leap nor SLES.

Are you sure? I check with ldd on my leap 15.5 and it links to the compression library. But maybe another version perhaps.

I am certain, from the information posted by openSUSE.

Leap uses old versions of almost everything.
--
Cheers, Carlos.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Nuno Silva <nunojsilva@invalid.invalid> writes:

On 2024-03-31, Lew Pitcher wrote:

An "infected" system just needs an SSH server exposed to the internet
to be exploited. The "bad actor" uses a pre-built key to initiate
contact and contact doesn't go any further than key validation.

However, the key validation of a bad-actor key causes SSHd to extract
a payload from the key, and pass that payload to a system(3) call.

So, while the "bad actor" initiator never officially "logs on" to
the system (no userid, etc), they are afforded sshd privilege-level
access to the system to run commands.

If I understand correctly (please correct me if I'm wrong!), it's a certificate, not a key. While this may sound like nitpicking, in this
case it seems to matter a lot, because for *certificates*, the hijacked function is invoked even if certificate authentication is not enabled.

https://bugzilla.mindrot.org/show_bug.cgi?id=3675

You’re both right: the payload is conveyed the public modulus of a (purported) RSA key, but the hooked function (RSA_public_decrypt)
performs signature verification (not key validation), and sshd’s rather
eager approach to user certificate verification seems to be the most
promising target for the attacker.

More info:
1) https://openwall.com/lists/oss-security/2024/03/29/4
2) https://openwall.com/lists/oss-security/2024/03/30/36
3) https://openwall.com/lists/oss-security/2024/03/30/37

The bit in #2 about verifying a signature under a server’s host key
doesn’t sound quite right: the attack (in the form presented in xz) only attacks sshd, which generates signatures using host keys, rather than
verifying them.

Incredibly good luck that it was spotted before it was too widely
deployed. Or bad luck if you were the originator l-)
--
https://www.greenend.org.uk/rjk/
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Grant Taylor <gtaylor@tnetconsulting.net> writes:

But my understanding of the xz RCE is that it is specifically written
for xz to be indirectly pulled into OpenSSH / sshd via systemd and
that it is expecting very specific behavior / assumptions. I
seriously doubt that those assumptions will be valid in other things.

It’s very narrowly targeted, yes: it explicitly checks it’s running in
sshd and it accepts the payload in a very specific way. I suspect this
narrow scope is intended to minimize the probability of detection.

Could the root hole in xz be abused as a gadget to target other things besides sshd-modified-for-systemd? Probably. Or at least it
conceptually could have if it hadn't been discovered.

The same technique could target any other library function used by the
victim process. To work it has to be exposed to unauthenticated data
received from the network. Given the prevalence of encryption that
explains why the crypto library was hooked: most of the rest of the
codebase only sees data that was protected by the SSH session.

For encrypted protocols, functions involved in key establishment
(ECDH/DH and their PQC successors) seem like a promising target. They’re early in a session’s lifetime, they’re not generally avoidable, and
you’d rather not start in on authentication before them (SSH includes
the shared secret in the host key signature for example).
--
https://www.greenend.org.uk/rjk/
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Carlos E.R. <robin_listas@es.invalid> wrote:

On 2024-03-31 22:46, D wrote:

Seems like supply chain attacks will be the new gold when it comes to
malicious attacks. =(

Is the open source community equipped to handle this?

I see a business opportunity for commercial distros.

Except that brings up the threat that was suggested in the article
that John McCue linked to earlier in the thread. Businesses can
simply be told by governments or anyone sufficiently powerful to
ignore a backdoor that's been put in, likely reporting any such
discovery to them instead.
--
__ __
#_ < |\| |< _#
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 3/31/24 11:26, Rich wrote:

But.... this is nearly a "Reflections on Trusting Trust" [1]
level opsec. attempt, and so just because BSD/Slackware/Gentoo
happen to be immune this time, does not mean they would be immune to
another opsec. attempt against an OpenSSH direct dependency which
might gain a similarly well hidden backdoor.

N.B. there is a big difference in saying that *BSD / Slackware / Gentoo (OpenRC) aren't effected by the topic at hand because they aren't using systemd and

Nearly exactly what I said (I left out the "because they aren't part").

saying that they are obviously more secure because they aren't
vulnerable to the topic at hand.

I said nothing of this sort. In fact what I was saying was that just
because they were missed in this shot means nothing about whether they
might be hit or missed when the next shot occurs.

The former statement is probably relatively safe. The latter statement
is almost certainly unsafe.

Yes, but I never made the latter statement.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 31.03.2024 um 14:25 Uhr Grant Taylor wrote:

N.B. there is a big difference in saying that *BSD / Slackware /
Gentoo (OpenRC) aren't effected by the topic at hand because they
aren't using systemd and saying that they are obviously more secure
because they aren't vulnerable to the topic at hand.

They are not affected because the author of the backdoor maybe intended
to only affect sshd linked to xz or simply forgot that there are
systems that won't be affected by the back door.
Linux distributions with systemd are now the vast majority, so maybe
the author didn't care about some Gentoo or slackware machines.

If he liked, he could affect them too because they most likely have
liblzma installed for other purposes. Although, sshd could be affected,
but various other packages could be if the author intended to do that.
--
kind regards
Marco

Send spam to 1711887955muell@cartoonies.org

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 31.03.2024 um 14:40 Uhr Grant Taylor wrote:

On 31.03.2024 um 19:15 Uhr Lew Pitcher wrote:

Still, if I had one of the suspicious xz/liblzma packages
installed, I'd not hesitate to "nuke it from orbit" and replace it
with a known-good version.

I'm not a fan of nuke it from orbit as a knee jerk reaction that some
people have.

I can understand that, but this is the only really secure variant.
Everything else has the probability that someone may broke in and
information got leaked.

On 3/31/24 14:27, Marco Moock wrote:

The big trouble with that: You need to think that your entire
system is compromised, including the files you had there, passwords
you typed, private keys used.

There are two primary forms of compromise here; disclosure and
alteration. The first is somewhat difficult to prove didn't happen

Although, it is a serious threat because it somebody recorded passwords
you typed or got secret keys, all of those machines can be compromised
now.

The second one can be quite easy to do with good backup systems.

Although, it can't help against disclosure and that means passwords and
keys MAY be known to others now.
--
kind regards
Marco

Send spam to 1711888844muell@cartoonies.org

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc



On Sun, 31 Mar 2024, Carlos E.R. wrote:

On 2024-03-31 22:39, D wrote:

On Sun, 31 Mar 2024, Carlos E.R. wrote:

On 2024-03-31 01:22, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

openSUSE Tumbleweed and openSUSE MicroOS are affected.

Not Leap nor SLES.

Are you sure? I check with ldd on my leap 15.5 and it links to the
compression library. But maybe another version perhaps.

I am certain, from the information posted by openSUSE.

Leap uses old versions of almost everything.

Yes, saw that now. Thank you very much for that.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 2024-03-31 23:37, Richard Kettlewell wrote:

Incredibly good luck that it was spotted before it was too widely
deployed. Or bad luck if you were the originator l-)

I saw a post (es.comp.os.linux.redes) of someone in which the sshd had
weird peaks of high cpu (40%)
--
Cheers, Carlos.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Carlos E.R. <robin_listas@es.invalid> wrote:

On 2024-03-31 23:37, Richard Kettlewell wrote:

Incredibly good luck that it was spotted before it was too widely
deployed. Or bad luck if you were the originator l-)

I saw a post (es.comp.os.linux.redes) of someone in which the sshd
had weird peaks of high cpu (40%)

The individual who discovered the backdoor was doing some kind of
performance testing of PostgreSQL. Because of that they were
monitoring their system's processe's usage and noticed unusual CPU
usage from sshd. When they started digging into why sshd was spiking
CPU usage (because it was messing with their PostgreSQL performance monitoring) they discovered the sshd backdoor.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

Computer Nerd Kev <not@telling.you.invalid> wrote at 21:58 this Sunday (GMT):

Carlos E.R. <robin_listas@es.invalid> wrote:

On 2024-03-31 22:46, D wrote:

Seems like supply chain attacks will be the new gold when it comes to
malicious attacks. =(

Is the open source community equipped to handle this?

I see a business opportunity for commercial distros.

Except that brings up the threat that was suggested in the article
that John McCue linked to earlier in the thread. Businesses can
simply be told by governments or anyone sufficiently powerful to
ignore a backdoor that's been put in, likely reporting any such
discovery to them instead.

And obviously, that would destroy most of the appeal of Linux.
--
user <candycane> is generated from /dev/urandom
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

In article <6609dc9f@news.ausics.net>, not@telling.you.invalid (Computer
Nerd Kev) wrote:

Except that brings up the threat that was suggested in the article
that John McCue linked to earlier in the thread. Businesses can
simply be told by governments or anyone sufficiently powerful to
ignore a backdoor that's been put in, likely reporting any such
discovery to them instead.

That would provoke a stampede away from the affected software, and a
severe risk of whistle-blowing. It could not be kept secret for long.

John
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 2024-03-31, Computer Nerd Kev <not@telling.you.invalid> wrote:

Carlos E.R. <robin_listas@es.invalid> wrote:

On 2024-03-31 22:46, D wrote:

Seems like supply chain attacks will be the new gold when it comes to
malicious attacks. =(

Is the open source community equipped to handle this?

I see a business opportunity for commercial distros.

Except that brings up the threat that was suggested in the article
that John McCue linked to earlier in the thread. Businesses can
simply be told by governments or anyone sufficiently powerful to
ignore a backdoor that's been put in, likely reporting any such
discovery to them instead.

Or the corporations themselves can be using the back door for their
own ends. Remember the Windows 95 Registration Troj^H^H^H^HWizard?
--
/~\ Charlie Gibbs | The Internet is like a big city:
\ / <cgibbs@kltpzyxm.invalid> | it has plenty of bright lights and
X I'm really at ac.dekanfrus | excitement, but also dark alleys
/ \ if you read it the right way. | down which the unwary get mugged.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 4/1/24 03:47, Marco Moock wrote:

I can understand that, but this is the only really secure variant.

Nuke it from orbit is the only thing to have a fairly certain guarantee.
Everything else has a modicum of risk. It's a personal /
institutional choice if that risk is worth the cost of nuking from orbit
or not.

Although, it is a serious threat because it somebody recorded
passwords you typed or got secret keys, all of those machines can be compromised now.

Not necessarily.

Best practice dictates that you only allow keys to be used from known locations.

So even if the SSH key / certificate is compromised there is no
guarantee that it will work.

Best practice also dictates that keys are protected with a pass phrase, ostensibly a good pass phrase.

Although, it can't help against disclosure and that means passwords
and keys MAY be known to others now.

That's why I explicitly separated disclosing and alteration.
--
Grant. . . .
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 2024-04-01 16:03, Rich wrote:

Carlos E.R. <robin_listas@es.invalid> wrote:

On 2024-03-31 23:37, Richard Kettlewell wrote:

Incredibly good luck that it was spotted before it was too widely
deployed. Or bad luck if you were the originator l-)

I saw a post (es.comp.os.linux.redes) of someone in which the sshd
had weird peaks of high cpu (40%)

The individual who discovered the backdoor was doing some kind of
performance testing of PostgreSQL. Because of that they were
monitoring their system's processe's usage and noticed unusual CPU
usage from sshd. When they started digging into why sshd was spiking
CPU usage (because it was messing with their PostgreSQL performance monitoring) they discovered the sshd backdoor.

No, I mean that it has been seen in the wild.

When the thread I mentioned appeared, we knew nothing of the
vulnerability, it was March 21st.
--
Cheers, Carlos.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 3/31/24 16:46, D wrote:

I'm one hundred percent sure state level actors

I'm 100% sure that usenet users without recognizable names that can be
tracked to real people and shout out irrelevant conspiracy theories need
mental health internvention and can't be taken seriously.


Reuvain
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 3/31/24 09:59, Lew Pitcher wrote:

On Sun, 31 Mar 2024 11:29:08 +0200, D wrote:

On Sun, 31 Mar 2024, Computer Nerd Kev wrote:

Computer Nerd Kev <not@telling.you.invalid> wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

any hints to patch the vulnerability, or will it be
addressed soon and be released as security updates ?

The code was targeting Debian, and only reached the Testing version
of Debian

And RHEL, and of course all the distros based on those (or at least
those using Systemd).

How is this exploited? Does it require login/pw?

An "infected" system just needs an SSH server exposed to the internet
to be exploited. The "bad actor" uses a pre-built key to initiate
contact and contact doesn't go any further than key validation.

However, the key validation of a bad-actor key causes SSHd to extract
a payload from the key, and pass that payload to a system(3) call.

So, while the "bad actor" initiator never officially "logs on" to
the system (no userid, etc), they are afforded sshd privilege-level
access to the system to run commands.

HTH

Thanks for the rundown Lew.

Reuvain
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 02/04/24 03:34, Carlos E.R. wrote:

On 2024-04-01 16:03, Rich wrote:

Carlos E.R. <robin_listas@es.invalid> wrote:

On 2024-03-31 23:37, Richard Kettlewell wrote:

Incredibly good luck that it was spotted before it was
too widely
deployed. Or bad luck if you were the originator l-)

I saw a post (es.comp.os.linux.redes) of someone in which
the sshd
had weird peaks of high cpu (40%)

The individual who discovered the backdoor was doing some
kind of
performance testing of PostgreSQL.  Because of that they were
monitoring their system's processe's usage and noticed
unusual CPU
usage from sshd.  When they started digging into why sshd
was spiking
CPU usage (because it was messing with their PostgreSQL
performance
monitoring) they discovered the sshd backdoor.

No, I mean that it has been seen in the wild.

When the thread I mentioned appeared, we knew nothing of the
vulnerability, it was March 21st.

apart from all tech details, had the chap that put this
backdoor in the systems been detained yet ?
--
1) Resistere, resistere, resistere.
2) Se tutti pagano le tasse, le tasse le pagano tutti
MarioCPPP

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

apart from all tech details, had the chap that put this
backdoor in the systems been detained yet ?

Last reports have been that no one knows who is behind the Jia Tan name
in real life.

So if that info is not "being withheld" then it is reasonable to
presume that no one has been detained yet.

And, if the attack, given its patience and sophistication, is as some
surmise, the work of state actors in the employ of their government
(i.e. NSA, CIA, Russia, China, North Korea, etc.) then it is unlikely
that anyone will ever be detained nor will anyone be named.
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 06/04/2024 15:40, Rich wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

apart from all tech details, had the chap that put this
backdoor in the systems been detained yet ?

Last reports have been that no one knows who is behind the Jia Tan name
in real life.

Oh I think someone does..

So if that info is not "being withheld" then it is reasonable to
presume that no one has been detained yet.

And, if the attack, given its patience and sophistication, is as some surmise, the work of state actors in the employ of their government
(i.e. NSA, CIA, Russia, China, North Korea, etc.) then it is unlikely
that anyone will ever be detained nor will anyone be named.

It is at least comforting that if it were, they must not already have
such access, or they would not have bothered.
--
“It is hard to imagine a more stupid decision or more dangerous way of making decisions than by putting those decisions in the hands of people
who pay no price for being wrong.”

Thomas Sowell

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

The Natural Philosopher <tnp@invalid.invalid> wrote:

On 06/04/2024 15:40, Rich wrote:

And, if the attack, given its patience and sophistication, is as some
surmise, the work of state actors in the employ of their government
(i.e. NSA, CIA, Russia, China, North Korea, etc.) then it is unlikely
that anyone will ever be detained nor will anyone be named.

It is at least comforting that if it were, they must not already have
such access, or they would not have bothered.

I don't follow that. Hackers, especially state funded hackers with
unlimited resources, will always want more options for getting into
systems. That way when one vulnerability is discovered or doesn't
apply to a particular usage case, another can be selected straight
away.

It's identical to arms development. Nobody ever stops working on
this stuff unless the money gets cut off.

What this does show is that social engineering techniques are
being used very successfully, which means it's quite likely that
similar attacks _are_ going on against other software projects.
Some probably from the same office, if not the same person, as
"Jia Tan".
--
__ __
#_ < |\| |< _#
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

On 2024-04-01 10:44, Marco Moock wrote:

On 31.03.2024 um 14:25 Uhr Grant Taylor wrote:

N.B. there is a big difference in saying that *BSD / Slackware /
Gentoo (OpenRC) aren't effected by the topic at hand because they
aren't using systemd and saying that they are obviously more secure
because they aren't vulnerable to the topic at hand.

They are not affected because the author of the backdoor maybe intended
to only affect sshd linked to xz or simply forgot that there are
systems that won't be affected by the back door.
Linux distributions with systemd are now the vast majority, so maybe
the author didn't care about some Gentoo or slackware machines.

Maybe they have certain machines in mind for attacking, and they know
what they run

And maybe another actor is working on attacking those others. They do
not want/need a single vulnerability for attacking everything. Less
surface for detection.

If he liked, he could affect them too because they most likely have
liblzma installed for other purposes. Although, sshd could be affected,
but various other packages could be if the author intended to do that.

--
Cheers, Carlos.

--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

In article <eplaekx4iu.ln2@Telcontar.valinor>, robin_listas@es.invalid
(Carlos E.R.) wrote:

On 2024-04-01 10:44, Marco Moock wrote:

Linux distributions with systemd are now the vast majority, so
maybe the author didn't care about some Gentoo or slackware machines.

Maybe they have certain machines in mind for attacking, and they
know what they run

The build script part of the attack activated when building .deb or .rpm packages. If it had not been detected, it would have got into Debian
stable, and then into the vast array of derivatives, notably Ubuntu. It
would also have got into RHEL. That doesn't have direct downstreams any
more, but Rocky, Alma and Oracle follow its example in taking updated
packages, and Amazon Linux takes a fair bit of notice.

The combination of these targets would have compromised a large fraction
of the world's cloud servers. The problem for an intelligence agency
would have been finding the most interesting data, not in getting it.

John
--- Synchronet 3.20a-Linux NewsLink 1.114

From Newsgroup: comp.os.linux.misc

The Natural Philosopher <tnp@invalid.invalid> wrote:

On 06/04/2024 15:40, Rich wrote:

MarioCCCP <NoliMihiFrangereMentulam@libero.it> wrote:

apart from all tech details, had the chap that put this
backdoor in the systems been detained yet ?

Last reports have been that no one knows who is behind the Jia Tan name
in real life.

Oh I think someone does..

Well, obviously, the individual(s) behind the Jia Tan name know their
own name(s).

If they were, as has been surmised, for pay state actors, then their
bosses also know their names (and also may know what they were up to).

But so far we've not been made privy to those details, so if anyone
outside the ones behind the nick and/or their bosses (if they are
employed by one of the world's governments) know the names, such
details having been revealed to the greater world.

So if that info is not "being withheld" then it is reasonable to
presume that no one has been detained yet.

And, if the attack, given its patience and sophistication, is as some
surmise, the work of state actors in the employ of their government
(i.e. NSA, CIA, Russia, China, North Korea, etc.) then it is unlikely
that anyone will ever be detained nor will anyone be named.

It is at least comforting that if it were, they must not already have
such access, or they would not have bothered.

There is that. Other than a govt. sponsored entity wanting to insert
plural back doors so that should one be found, they still have another
to utilize. And in this case the backdoor was caught before it was
deployed.

On the other hand, a compression library did also give a good cover for
hiding the actual package. The actual backdoor was hiding inside
purported "broken test archives" for testing the error handling paths
of the compression library. The test data had been "broken" in a
reversible way so that the autoconf changes could "unbreak" the xz
archives and actually extract the payloads.

Other libraries that are not parsers for binary data formats will not
normally have binary test data blobs for their unit tests in their
tests section, so any back door code has fewer hidden 'caves' into
which to hide itself. Note, I'm not saying this means non-crompression libraries are /safe/ from an attack like this. All I'm saying is there
are fewer hidden corners to stuff things when there are no binary blobs
as part of the build/test process. So the process of hiding the
payload from view becomes much more difficult.

--- Synchronet 3.20a-Linux NewsLink 1.114