GNU social JP
GNU social JP is a GNU social server in Japan.
    Mika (irfan@sakurajima.social)'s status on Saturday, 30-Mar-2024 15:23:49 JST

    There's a huge backdoor (#CVE-2024-3094) allowing remote SSH access (as far as I can tell at this moment) caused by a util called #xz affecting a ton of systems (#Linux and #macOS, well not really) and it's causing quite a huge panic. I honestly don't know much about it just yet, but just sharing some pieces to read about the huge vulnerability.

    The person who had maliciously planted this vulnerability into xz-utils, Jia Tan, has made at least 750 contributions to the project over the past 2 years. They even have direct push access to the code repo, allowing them to have pushed commits with forged authors. Being "free" from this vulnerability is not as simple as reverting to a previous version due to just how much and how long they've contributed to the project, and people are rightfully suspicious that this Jia Tan person might have hidden other backdoors in xz.

    Unlike most other vulnerabilities, it's a lot harder to pinpoint the versions affected by this, but the most likely case is that most systems out there, including Macs, have an xz installed that is impacted; at this moment, the info being thrown around is any version past 5.3.1 (latest is 5.6.1).

    🔗 https://access.redhat.com/security/cve/CVE-2024-3094

    🔗 https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

    🔗 https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

    🔗 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

    In conversation about a year ago from sakurajima.social

    Attachments

    1. Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 | CISA
    2. Urgent security alert for Fedora 41 and Fedora Rawhide users (www.redhat.com)
       Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the "xz" tools and libraries contain malicious code that appears to be intended to allow unauthorized access.
    3. #1068024 - revert to version that does not contain changes by bad actor - Debian Bug report logs (bugs.debian.org)
    4. cve-details
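The post says the affected versions are hard to pin down and quotes "any version past 5.3.1 (latest is 5.6.1)". As an added example that is not part of the post or of the xz project, here is a POSIX shell check that reads the installed xz version and tests it against a configurable range. The default bounds are the post's own figures; the Red Hat, CISA and Debian advisories linked above are the authoritative source and name 5.6.0 and 5.6.1 as the compromised releases, so pass those bounds from your distribution's advisory when you run it. The function names (vercmp, xz_affected, installed_xz_version) are this example's own.

```shell
#!/bin/sh
# Added example, not from the post above: compare the installed xz version
# against a configurable range of "affected" releases.
# Function names (vercmp, xz_affected, installed_xz_version) are this example's own.

# vercmp A B: print -1, 0 or 1 when dotted version A is <, = or > B.
# Components are compared numerically; a missing component counts as 0 and
# non-numeric suffixes (e.g. "5.6.1alpha") are ignored.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
        ah=$(printf '%s' "$ah" | sed 's/[^0-9].*$//'); ah=${ah:-0}
        bh=$(printf '%s' "$bh" | sed 's/[^0-9].*$//'); bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# xz_affected VERSION [LOW] [HIGH]: succeed when LOW < VERSION <= HIGH.
# The defaults reproduce the post's "any version past 5.3.1 (latest is 5.6.1)";
# pass the bounds from your distribution's advisory to narrow the range.
xz_affected() {
    v="$1"; lo="${2:-5.3.1}"; hi="${3:-5.6.1}"
    [ "$(vercmp "$v" "$lo")" = 1 ] && [ "$(vercmp "$v" "$hi")" != 1 ]
}

# installed_xz_version: print the version of the xz binary on PATH, or fail.
# `xz --version` prints e.g. "xz (XZ Utils) 5.4.5" on its first line.
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    xz --version 2>/dev/null | sed -n '1s/.*) //p'
}

# Usage: ./xzcheck.sh [LOW HIGH]
main() {
    if v=$(installed_xz_version) && [ -n "$v" ]; then
        if xz_affected "$v" "$@"; then
            echo "xz $v falls inside the affected range; check your distribution's advisory"
        else
            echo "xz $v is outside the affected range"
        fi
    else
        echo "no xz binary found on PATH"
    fi
}

main "$@"
```

The comparison is done component by component rather than with `sort -V` so that it works on minimal shells, and it treats 5.10 as newer than 5.9; the binary's reported version is only a first check, since a distribution may ship a patched package under the same upstream number, which is why the package manager's advisory, not this script, should have the final word.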

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.