
Nittersing

(6,849 posts)
Fri Mar 29, 2024, 05:14 PM Mar 2024

Backdoor found in widely used Linux utility breaks encrypted SSH connections

"Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.

The compression utility, known as xz Utils, introduced the malicious code in versions ​​5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions—specifically, in Fedora 40 and Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn't used in production systems.

Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it's not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that's only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

Several people, including two Ars readers, reported that the multiple apps included in the HomeBrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. Those apps, one user said, include: aom, cairo, ffmpeg, gcc, glib, harfbuzz, jpeg-xl, leptonica, libarchive, libtiff, little-cms2, numpy, openblas, openjpeg, openvino, pango, python@3.11, python@3.12, tesseract, webp, yt-dlp, zstd. The other user said HomeBrew has now rolled back the utility to version 5.4.6."

I don't use Linux, but thought this might be helpful.

https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/


usonian

(13,773 posts)
1. Updating.
Fri Mar 29, 2024, 06:26 PM
Mar 2024

Here are affected distributions:
https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/
March 29, 2024

Which distros are affected?

Red Hat says that the vulnerable packages are present in Fedora 41 and Fedora Rawhide, and has urged users of those distros to immediately stop using them.

“If you are using an affected distribution in a business setting, we encourage you to contact your information security team for next steps,” they said, and added that no versions of Red Hat Enterprise Linux (RHEL) are affected.

SUSE has released a fix for openSUSE users.

Debian says no stable versions of the distro are affected, but that compromised packages were part of the Debian testing, unstable and experimental distributions, and users of those should update the xz-utils packages.

“The malicious code found in the latest versions of the xz libraries shows just how critical it is to have a vigilant and veteran Linux security team monitoring software supply chain channels,” Vincent Danen, VP, Product Security at Red Hat, told Help Net Security.

“Red Hat, along with CISA and other Linux distributions, were able to identify, assess and help remediate this potential threat before it posed a significant risk to the broader Linux community.”

CISA has advised developers and users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable) and to hunt for any malicious activity and report any positive findings to the agency.


UPDATE: Friday, March 29, 15:06 ET

Kali Linux announced that the impact of this vulnerability affected Kali between March 26th and March 29th. If you updated your Kali installation on or after March 26th, applying the latest updates today is crucial to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.


I don't use RedHat/CentOS/others[1], but it looks like you use dnf to update (as root, or with sudo).
Post a reply if you know. I remember the days of "yum" (it came from YellowDog Linux, hence the Y).


Debian-like systems:
https://linuxhandbook.com/update-debian/

If you want to update a Debian Linux system, here's what you need to do.

Update the local package database cache with:

sudo apt update
And then update all the installed software, kernel and other system components at once using:

sudo apt upgrade
Press Y key when you are asked to confirm.

Combine the above two commands

Alternatively, you can combine the above two commands with the help of the && operator. You can also provide the confirmation automatically using -y:

sudo apt update && sudo apt upgrade -y


Homebrew (commonly used on MacOS)
https://osxdaily.com/2021/02/13/how-update-homebrew-mac/
How to Update Homebrew
Updating Homebrew is pretty straightforward:

brew update

This updates homebrew itself.

You can then upgrade all individual packages and formula with the following:

brew upgrade




Don't know if this affects BSD distributions, but here's the original post:
https://www.openwall.com/lists/oss-security/2024/03/29/4

It includes a downloadable shell script to detect vulnerabilities, but it requires the ldd command, which Mac users can get with the command-line utils. It's not in the shipped OS. It's worth reading, actually.

#! /bin/bash

set -eu

# find path to liblzma used by sshd
# ("|| true" keeps set -e from aborting the script when grep finds no liblzma line)
path="$(ldd "$(which sshd)" | grep liblzma | grep -o '/[^ ]*' || true)"

# does it even exist?
if [ "$path" == "" ]
then
echo probably not vulnerable
exit
fi

# check for function signature
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
then
echo probably vulnerable
else
echo probably not vulnerable
fi



[1] Alternatives to RedHat which are similar:
https://www.makeuseof.com/best-red-hat-based-linux-distros/

Noted at Wikipedia already
https://en.wikipedia.org/wiki/XZ_Utils#cite_note-Freund-3

Corrections welcome.
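The shell script quoted in the post above does two things: it finds the liblzma that sshd is linked against and looks for a byte pattern inside it. The following is an added Python version, not part of this thread and not the openwall script, that separates those steps into testable functions and adds a check of the installed xz release against the two versions named in the article (5.6.0 and 5.6.1). It assumes that `xz --version` prints a line of the form "xz (XZ Utils) X.Y.Z" and that `ldd` is available; the sample `ldd` and `xz --version` output in the test is constructed. Like the original script, the signature match is a heuristic ("probably"), which is why the version check is reported separately.

```python
"""Added example: check an installed xz/liblzma against the xz backdoor indicators
quoted in this thread (affected release versions and the byte signature from the
openwall detection script). Not the thread's or openwall's own code."""
import re
import shutil
import subprocess
from typing import Optional

# Release versions named as backdoored in the Ars Technica article quoted above.
AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}

# Byte pattern from the openwall detection script, as raw bytes instead of a hex string.
SIGNATURE_HEX = "f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"
SIGNATURE = bytes.fromhex(SIGNATURE_HEX)


def parse_xz_version(output: str) -> Optional[str]:
    """Extract 'X.Y.Z' from `xz --version` output such as 'xz (XZ Utils) 5.4.6'."""
    m = re.search(r"\(XZ Utils\)\s+(\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def is_affected_version(version: Optional[str]) -> bool:
    """True only for the two releases the article names as backdoored."""
    return version in AFFECTED_VERSIONS


def liblzma_path_from_ldd(ldd_output: str) -> Optional[str]:
    """Mirror of the script's grep pipeline: first '/...' token on the liblzma line."""
    for line in ldd_output.splitlines():
        if "liblzma" in line:
            m = re.search(r"/[^\s]*", line)
            if m:
                return m.group(0)
    return None  # sshd is not linked against liblzma at all


def contains_signature(blob: bytes) -> bool:
    """Same test as the script's hexdump | grep, done on the raw file contents."""
    return SIGNATURE in blob


def assess(version_output: str, ldd_output: str, library_bytes: Optional[bytes]) -> str:
    """Combine both indicators into one verdict string.

    'affected-version'         -> installed xz is 5.6.0 or 5.6.1; update regardless
    'no-liblzma'               -> sshd does not load liblzma (script's first exit path)
    'signature-match'          -> byte pattern present ("probably vulnerable")
    'probably-not-vulnerable'  -> neither indicator present
    """
    if is_affected_version(parse_xz_version(version_output)):
        return "affected-version"
    if liblzma_path_from_ldd(ldd_output) is None or library_bytes is None:
        return "no-liblzma"
    if contains_signature(library_bytes):
        return "signature-match"
    return "probably-not-vulnerable"


def _run(cmd) -> str:
    """Run a command and return its stdout, or '' if the tool is missing."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def main() -> None:
    # Live check on this host; sshd is often outside a non-root PATH, hence the fallback.
    version_output = _run(["xz", "--version"])
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    ldd_output = _run(["ldd", sshd])
    path = liblzma_path_from_ldd(ldd_output)
    library_bytes = None
    if path:
        with open(path, "rb") as f:
            library_bytes = f.read()
    print(f"xz version: {parse_xz_version(version_output)}")
    print(f"liblzma used by sshd: {path}")
    print(f"verdict: {assess(version_output, ldd_output, library_bytes)}")


if __name__ == "__main__":
    main()
```

Run it with `python3 xzcheck.py` on the host in question. A verdict of "affected-version" means one of the two named releases is installed and the package should be downgraded or updated as the distro advisories say, whatever the signature check reports; "signature-match" has the same meaning as the script's "probably vulnerable".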

Nittersing

(6,849 posts)
2. Thank you!!
Fri Mar 29, 2024, 06:30 PM
Mar 2024

Glad to see someone who knows what they're talking about responding. I'm pretty clueless, but it seemed important.

CloudWatcher

(1,923 posts)
3. I think this is much worse than most reports would have you believe
Sat Mar 30, 2024, 01:01 PM
Mar 2024

I think this is a lot worse than reported. Yes, this attempt was foiled before it got widespread, but the technique they used opens a new front in the war against malware.

(1) This was a years-long effort. Clearly not a random teenage hacker going for kicks (i.e. it was a government group).
(2) It took advantage of the rapidly aging population of open-source package owners & maintainers.

The approach here was to create a useful but fictional volunteer contributor and slowly build up their reputation and credibility until they could be given control of a widely used package. And then to use that power to introduce malware that would be included by large distributions.

This was only discovered because the malware was buggy and affected the performance of the OpenSSH package. If they had been a little bit better at coding the backdoor, it would not have been discovered before being distributed to millions of Linux systems.

But we caught them, why is this so bad? It's bad because there's very little we can do to prevent this style of attack from being used over and over again until we can no longer trust any large open source software system.

If I just stay away from open-source systems like Linux, won't that be enough? No, because every major OS (Windows and Android and Mac and iOS included) includes open source software for you. And regardless of how big those companies are, they do not have the people to review and vet every line of source code in the packages they include.

Won't my anti-virus/anti-malware software detect threats like this? Nope. If the malware is done carefully, it'll just look like part of the system.

Aren't you being just a little bit paranoid? Yes. But then I was also around when the Morris Worm took over the net because of a back-door that was introduced by the actual author of the widely used & installed Sendmail program.

"Just because you're paranoid doesn't mean they aren't after you" -- Author Unknown

Some more details:

https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

hunter

(38,921 posts)
4. Closed source proprietary software is also vulnerable to these sorts of attacks.
Mon Apr 1, 2024, 10:38 AM
Apr 2024

In large corporations like Microsoft, Apple, or Google it's not inconceivable that a few employees have side gigs with national security agencies or organized crime.

These activities might even be condoned as a "cost of doing business."

CloudWatcher

(1,923 posts)
5. Not condoned, but expected!
Mon Apr 1, 2024, 01:21 PM
Apr 2024

Agreed, but at least the big companies have actual security people thinking about such things. The open source community appears (to me) to be much more trusting.

If I were the NSA, CIA, FBI, MI6, FSB, Mossad, MSS (China) and RGB (N. Korea) ... I'd make it a priority to get moles in place to access all the larger clouds. End-to-end encryption doesn't protect you if the people making the software are compromised. Google docs, iCloud, AWS, Azure, etc. are all prime targets.

I guess the open source community should take pride in being successful enough to be a target too.

LPBBEAR

(358 posts)
6. Updates for this
Tue Apr 2, 2024, 08:42 AM
Apr 2024

are already being released. If you use a recent Linux distribution just run your updates.
