Kevin Beaumont
HT to @wdormann here - somebody has backdoored the open source project XZ which has downstream impacts.
For example, although OpenSSH doesn’t use XZ, Debian patch OpenSSH and introduced a dependency which translates as the XZ changes introducing a sshd authentication bypass backdoor it appears.
One dude bothered to investigate in his free time about why ssh was running slow, so it was caught fairly early - i.e. hopefully before distros started bundling it.
Kevin Beaumont
Worryingly it looks like the backdoor comes via one of the two main devs and dates back over a month from their GitHub account, with legit commits too - XZ is used in systemd so this one might play out for a while.
Kevin Beaumont
I suspect distros probably want to roll XZ back to around January 2024, stop bundling updates until the developer is removed in GitHub or a logical explanation can be given, and somebody needs to fund a code review of it.
Kevin Beaumont
As I said, the impact here will be very limited due to how quick it was caught. Everybody owes the finder a beer.
Kevin Beaumont
Postgre developer @AndresFreundTec saving Linux security from backdoors as a side of desk activity
Kevin Beaumont
CISA advisory: Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
Kevin Beaumont
The person/account on XZ repo also altered the security disclosure policy on that and other repos they author in months prior.
Kevin Beaumont
Interesting find by @fuomag9 - the XZ repo person tried getting Ubuntu to update yesterday by filing a bug report https://bugs.launchpad.net/bugs/2059417
Kevin Beaumont
The Twilight zone time - a bug from 2015 comes back around in XZ incident, it appears https://github.com/google/sanitizers/issues/342
Kevin Beaumont
Multiple different XZ repos and website have been suspended by GitHub.
Kevin Beaumont
Back in 2022 a host of characters appeared and basically bullied the creator of the XZ project to hand it over to somebody else - at the time the guy cited mental health issues around not updating the project quickly.
At the time he was already talking about maybe handing over to the account who years later introduced the backdoor.
In mid 2023 said account introduced a change to Google’s OSS Fuzzer to weaken detection for XZ.
Somebody played a years long game of Jenga and lost.
Kevin Beaumont
Before everybody high fives each other, this is how the backdoor was found: somebody happened to look at why CPU usage had increased in sshd, and did all the research and notification work themselves. By this point the backdoor had been there for a month unnoticed.
https://mastodon.social/@AndresFreundTec/112180406142695845
I’ve made the joke before that if GCHQ aren’t introducing backdoors and vulns in open source that I want a tax refund. It wasn’t a joke. And it won’t be just be GCHQ.
Khleedril
@GossiTheDog I'm sure the finder is basking in kudos right now! Good on them.
maswan
@GossiTheDog
One could argue that your tax money should also be spent by GCHQ to happen to look into increased CPU usage after some weird lib update in all the places where they didn't plant anything.
maswan
@GossiTheDog
Denying foreign actors access to UK companies secrets isn't in under economic advantage?
Ours actually has that in there (especially for govt entities and suppliers), as does (theoretically) NSA.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.