backdoor in upstream xz/liblzma leading to ssh server compromise

They noticed that some ssh sessions took 0.5 seconds too long under certain circumstances. 😲

Holy hell that's good QA.

Microsoft employee.
- Definitely not from the team working on search on Windows then.
- Don't see why you're being downvoted, the person in question who discovered this is a postgres maintainer employed by Microsoft.
Well half a second delay is pretty noticeable when you ssh into a machine sitting right next to you. It should be instant. And if it isn't something's off.

Damn, it is actually scary that they managed to pull this off. The backdoor came from the second-largest contributor to xz too, not some random drive-by.

They've been contributing to xz for two years, and commited various "test" binary files.
- It's looking more like a long game to compromise an upstream.
Time to audit all their contributions although it looks like they mostly contribute to xz. I guess we'll have to wait for comments from the rest of the team or if the whole org needs to be considered comprimised.
It would be nice if we could press formal charges
- Assuming that it's just that person, that it's their actual name and that they're in the US...
- ~~there will be federal investigation~~ just speculation if the culprit is a foreign actor

This is a fun one we're gonna be hearing about for a while...

It's fortunate it was discovered before any major releases of non-rolling-release distros were cut, but damn.

That's the scary thing. It looks like this narrowly missed getting into Debian and RH. Downstream downstream that is... everything.

This is the best post I've read about it so far: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

In the fallout, we learn a little bit about mental health in open source.

Reminded me of this, relevant as always, xkcd:
- Yes, exactly.
  
  And looking at you npm : npm
That whole timeline is insane, and the fact that anyone even found this in the totally coincidental way they did is very lucky for the rest of us.

If you're using xz version 5.6.0 or 5.6.1, please upgrade asap, especially if you're using a rolling-release distro like Arch or its derivatives. Arch has rolled out the patched version a few hours ago.

Gentoo just reverted back to the last tar signed by another author than the one seeming responsible for the backdoor. The person has been on the project for years, so one should keep up to date and possibly revert even further back than just from 5.6.*. Gentoo just reverted to 5.4.2.
- Just updated on void and saw the same thing
Backdoor only gets inserted when building RPM or DEB. So while updating frequently is a good idea, it won't change anything for Arch users today.
- Archlinux's XZ was compromised as well.
  
  News post
  
  Git change for not using tarballs from source
- when building RPM or DEB.
  
  Which ones? Everything I run seems to be clear.
  
  https://access.redhat.com/security/cve/CVE-2024-3094
  
  Products / Services Components State
  
  Enterprise Linux 6 xz Not affected
  
  Enterprise Linux 7 xz Not affected
  
  Enterprise Linux 8 xz Not affected
  
  Enterprise Linux 9 xz Not affected
  
  (and thus all the bug-for-bug clones)

Products / Services	Components	State
Enterprise Linux 6	xz	Not affected
Enterprise Linux 7	xz	Not affected
Enterprise Linux 8	xz	Not affected
Enterprise Linux 9	xz	Not affected

The person who found the backdoor : https://mastodon.social/@AndresFreundTec/112180083704606941

Time to bring back the reproducible build hype

Won't help here; this backdoor is entirely reproducible. That's one of the scary parts.
- The backdoor wasn't in the source code, only in the distributed binary. So reproducible builds would have flagged the tar as not coming from what was in Git
- The back door is not in the source code though, so it's not reproducible from source.
Why didn't this become a thing? Surely in 2024, we should be able to build packages from source and sign releases with a private key.
- It's becoming more of a thing but a lot of projects are so old that they haven't been able to fix their entire build process yet
Probally more SLSA which reproducible builds is apart of

Reading the comments here https://news.ycombinator.com/item?id=39865810 it appears that libarchive may be tainted as well.

This is pretty insane. Can't wait for the Darknet Diaries on this one.

Lzma balls

ELI5 what does this mean for the average Linux user? I run a few Ubuntu 22.04 systems (yeah yeah, I know, canonical schmanonical) - but they aren’t bleeding edge, so they shouldn’t exhibit this vulnerability, right?

The average user? Nothing. Mostly it just affects those who get the newest versions of everything.
- In this case I think that's just Fedora and Debian Sid users or so.
  
  The backdoor only activates during DEB or RPM builds, and was quickly discovered so only rolling release distros using either package format were affected.
- It mostly affects/targets the build systems of binary distros - infecting their build machines with this would result in complete compromise of released distro down the line.
apt info xz-utils

Your version is old as balls. Even if you were on Mantic, it would still be old as balls.
- Security through antiquity

Here is the official statement from OpenSUSE: https://news.opensuse.org/2024/03/29/xz-backdoor/

t y for sharing.

#showerthoughts The problem is in upstream and has only entered Debian Sid/unstable. Does this mean that for example bleeding edge Arch (btw) sshd users are compromised already ?

Looks like the 5.6.1-2 release on Arch moved from using the published GitHub releases to just using the git repository directly, which as I understand avoids the exploit (because the obfuscated script to inject the exploit is only present in the packaged tarballs and not the git repo itself)

https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad
- They also believe we (Arch users) are unaffected because this backdoor targeted Debian and Redhat type packaging specifically and also relied on a certain SSH configuration Arch doesn't use. To be honest while it's nice to know we're unaffected, it's not at all comforting that had the exploiter targeted Arch they would have succeeded. Just yesterday I was talking to someone about how much I love rolling release distros and now I'm feeling insecure about it.
  
  More details here: https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/issues/2
Arch is on 5.6.1 as of now: https://archlinux.org/packages/core/x86_64/xz/

We at Nixpkgs have barely evaded having it go to a channel used by users and we don't seem to be affected by the backdoor.
- Arch had a patch rolled out yesterday [1][2][3] that switches to the git repo. On top of that the logic in the runtime shim and build script modifier was orchestrated to target Debian and RPM build systems and environments [4].
  
  [1] https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad
  
  [2] https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/issues/2
  
  [3] https://security.archlinux.org/CVE-2024-3094
  
  [4] https://www.openwall.com/lists/oss-security/2024/03/29/4
The link mentions that it is only ran as part of a debian or RPM package build. Not to mention that on Arch sshd is not linked against liblzma anyways.
Arch has pushed the patched xz just a few hours ago: https://archlinux.org/news/the-xz-package-has-been-backdoored/
- Thanks a bunch.
Homebrew rolled back the release after finding out
- Here's a link to the PR for anyone who's interested

This also affects Fedora 40 and Fedora Rawhide - https://discussion.fedoraproject.org/t/warning-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683

It seems like a RCE, rather an auth bypass once though. https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b

Apparently the backdoor reverts back to regular operation if the payload is malformed or the signature from the attacker's key doesn't verify. Unfortunately, this means that unless a bug is found, we can't write a reliable/reusable over-the-network scanner.

Maybe not. But it does mean that you can write a crawler that slams the door shut for the attacker on any vulnerable systems.

EDIT: Oh, maybe he just means that it reverts for that single invocation.

Damn fine work all around.

I know this is an issue fraught with potential legal and political BS, and it's impossible to check everything without automation these days, but is there an organization that trains and pays people to work as security researchers or QA for open source projects?

Basically, a watchdog group that finds exploitable security vulnerabilities, and works with individuals or vendors to patch them? Maybe make it a publicly owned and operated group with mandatory reporting of some kind. An international project funded by multiple governments, where it's harder for a single point of influence to hide exploits, abuse secrets, or interfere with the researchers? They don't own or control any code, just find security issues and advise.

I don't know.

Just thinking that modern security is getting pretty complicated, with so many moving parts and all.

And you know what? Doing updates once a week saved me from updating to this version :)

I upgraded to 5.6.0-1 on the 28th Februar already. Over a month ago. On a server. That's the first time Arch testing has fucked me so hard lol.
- You probably are fairly safe. Yeah, okay, from a purely-technical standpoint, your server was wide-open to the Internet. But unless some third party managed to identify and leverage the backdoor in the window between you deploying it and it being fixed, only the (probably state-backed) group who are doing this would have been able to make use of it. They probably aren't going to risk exposing their backdoor by exploiting it on your system unless they believe that you have something that would be really valuable to them.
  
  Maybe if you're a critical open-source developer, grabbing your signing keys or other credentials might be useful, given that they seem to be focused on supply-chain attacks, but for most people, they probably just aren't worth the risk. Only takes them hitting some system with an intrusion-detection system that picks up on the breakin, them leaving behind traces, and some determined person tracking down what happened, and they've destroyed their exploit.
- Having arch has benefits because of more up to date packages but ofc as it happened to you, it introduces more risks

could a Flatpak contain one of the backdoored builds of xz or liblzma? Is there a way to check? Would such a thing be exploitable, or does this backdoor only affect ssh servers?

The base runtime pretty much every Flatpak uses includes xz/liblzma, but none of the affected versions are included. You can poke around in a base runtime shell with flatpak run --command=sh org.freedesktop.Platform//23.08 or similar, and check your installed runtimes with flatpak list --runtime.

23.08 is the current latest version used by most apps on Flathub and includes xz 5.4.6. 22.08 is an older version you might also still have installed and includes xz 5.2.12. They're both pre-backdoor.

It seems there's an issue open on the freedesktop-sdk repo to revert xz to an even earlier version predating the backdoorer's significant involvement in xz, which some other distros are also doing out of an abundance of caution.

So, as far as we know: nothing uses the backdoored version, even if it did use that version it wouldn't be compiled in (since org.freedesktop.Platform isn't built using Deb or RPM packaging and that's one of the conditions), even if it was compiled in it would to our current knowledge only affect sshd, the runtime doesn't include an sshd at all, and they're still being extra cautious anyway.

One caveat: There is an unstable version of the runtime that does have the backdoored version, but that's not used anywhere (I don't believe it's allowed on Flathub since it entirely defeats the point of it).

Holly shit

Some no-name came and without any problems asked to become a maintainer in a project used in almost any distro, took it over, put a backdoor in there and no one had any questions? In this case, everything turned out thanks to pure chance. Noname screwed up his backdoor, which attracted the attention of a guy from Microsoft, and out of boredom, he dug up what was what. And if I hadn’t messed up, or that guy from Microsoft decided to go drink beer instead of poking around in the xz code, then no one would have discovered anything. It’s scary to imagine how many of these nonames are sitting in all these thousands of open source projects, waiting in the wings to roll out a malicious patch.

Since the actual operation of the liblzma SSH backdoor payload is still unknown, there's a protocol for securing your impacted systems:

• Consider all data, including key material and secrets on the impacted system as compromised. Expand the impact to other systems, as needed (for example: if a local SSH key is used to access a remote system then the remote system must be considered impacted as well, within the scope the key provides).

• Wipe the impacted host and reinstall it from scratch. Use known good install that does not contain the malicious payload. Generate new keys and passwords. Do not reuse any from the impacted systems.

• Restore configuration and data from backups, but from before the time the malicious liblzma package was installed. However, be careful not to allow potentially leaked credentials or keys to have access to the newly installed system (for example via $HOME/.ssh/authorized_keys).

This handles the systems themselves. Unfortunately any passwords and other credentials stored, accessed or processed with the impacted systems must be considered compromised as well. Change passwords on web sites and other services as needed. Consider the fact that the attacker may have accessed the services and added ways to restore access via for example email address or phone number in their control. Check all information stored on the services for correctness.

This is a lot of work, certainly much more than just upgrading the liblzma package. This is the price you have to pay to stay safe. Just upgrading your liblzma package and hoping for the best is always an option, too. It’s up to you to decide if this is a risk worth taking.

This recovery protocol might change somewhat once the actual operation of the payload is figured out. There might be situations where the impact could be more limited.

As an example: If it turns out that the payload is fully contained and only allows unauthorized remote access via the tampered sshd, and the host is not directly accessible from the internet (the SSH port is not open to internet) this would mean that it might be possible to clean up the system locally without full reinstall.

However, do note that the information stored on the system might have still been leaked to outside world. For example leaked ssh keys without a passphrase could still afford the attacker access to remote systems.

This is a long con, and honestly the only people at fault are the bad actors themselves. Assuming Jia Tan's GitHub identity and pgp key weren't compromised by someone else, this backdoor appears to be the culmination of three years of work.

Is this only happened with SSH, or other network facing services using liblzma too?

We know that sshd is targeted but we don't know the full extent of the attack yet.
- Also, even aside from the attack code here having unknown implications, the attacker made extensive commits to liblzma over quite a period of time, and added a lot of binary test files to the xz repo that were similar to the one that hid the exploit code here. He also was signing releases for some time prior to this, and could have released a signed tarball that differed from the git repository, as he did here. The 0.6.0 and 0.6.1 releases were contained to this backdoor aimed at sshd, but it's not impossible that he could have added vulnerabilities prior to this. Xz is used during the Debian packaging process, so code he could change is active during some kind of sensitive points on a lot of systems.
  
  It is entirely possible that this is the first vulnerability that the attacker added, and that all the prior work was to build trust. But...it's not impossible that there were prior attacks.
The malicious code attempts to hook in to libcrypto, so potentially other services that use libcrypto could be affected too. I don't think extensive research has been done on this yet.

SSH doesn't even use liblzma. It's pulling in the malicious code via libsystemd, which does use liblzma.

Edit: "crypto" meaning cryptography of course, not cryptocurrency.

I will laugh out loud if the “fixed” binary contains a second backdoor, but one of better quality. It’s reminiscent of a poorly hidden small joint, which is naturally found, and then bargaining, apologizing and making amends begin. Although now it is generally not clear where the code is more proven.