kaleissin@sopuli.xyz
on 29 Mar 2024 23:17
nextcollapse
Bad title. This is CVE-2024-3094. Run “xz --version” to see if you are affected.
unionagainstdhmo@aussie.zone
on 29 Mar 2024 23:45
nextcollapse
Yeah that’s just the title from the thread over on the Fedora forum
InnerScientist@lemmy.world
on 29 Mar 2024 23:51
collapse
Can’t you edit it?
unionagainstdhmo@aussie.zone
on 30 Mar 2024 08:41
collapse
Yes but that would be disingenuous. The current title better captures the urgency of the situation
1henno1@feddit.de
on 29 Mar 2024 23:46
nextcollapse
AFAIK it‘s better to use rpm -q xz xz-libs (copied from the forum replies) to avoid running xz itself just in case the affected version is already installed
ryannathans@aussie.zone
on 29 Mar 2024 23:55
nextcollapse
If you go to the post, on the comments, there is someone that is already telling you to run dnf list xz --installed. So you don’t need to run xz directly.
If you are checking out the extent of damage on your system do not use ldd to check the links.
You can inadvertently executed the exploit this way.
loops@beehaw.org
on 30 Mar 2024 00:52
nextcollapse
Running Ubuntu 23.10 with xz-utils 5.41 which is unaffected. Versions 5.6.0 and 5.6.1 are the malicious packages. I used Synaptic Package Manager to search for it.
lengau@midwest.social
on 30 Mar 2024 16:09
nextcollapse
On Ubuntu the only affected people were those running the prerelease of Ubuntu 24.04 who had installed the update from the proposed pocket.
Bitrot@lemmy.sdf.org
on 30 Mar 2024 16:49
collapse
The bad actor had a launchpad bug to pull it into the Ubuntu LTS beta. Serious kudos to the person who discovered it, literally in the nick of time.
possiblylinux127@lemmy.zip
on 30 Mar 2024 23:30
collapse
I’m on Void, and I had the malicious version installed. Updating the system downgraded xz to 5.4.6, so it seems they are on it. I’ll be watching discussions to decide if my system might still be compromised.
possiblylinux127@lemmy.zip
on 30 Mar 2024 23:29
nextcollapse
I would nuke it and rebuild. If nothing else it is a good test of backups
No, this is just my personal laptop. I don’t even have access to an IP address I could enable port-forwarding on.
gnuplusmatt@reddthat.com
on 30 Mar 2024 04:10
nextcollapse
some people in my mastodon feed are suggesting that the backdoor might have connected out to malicious infrastructure or substituted its own SSH host keys, but I can’t find any clear confirmation. More info as the investigation progresses.
I guess at this point if you’re on Fedora 40 or rawhide clear / regen your host keys, even after xz version rollback
Deathcrow@lemmy.ml
on 30 Mar 2024 07:32
nextcollapse
or substituted its own SSH host keys,
why would the backdoor do that? It would immediately expose itself because every ssh client on the planet warns about changed host keys when connecting.
gnuplusmatt@reddthat.com
on 30 Mar 2024 08:56
collapse
Perhaps it was a poorly worded way of suggesting that invalidating host keys would invalidate all client keys it could potentially generate? Either way it’s a lot of speculation.
Resetting the keys and SSH config on any potentially compromised host is probably not a terrible idea
possiblylinux127@lemmy.zip
on 30 Mar 2024 23:29
collapse
If you are on a affected system I would nuke from orbit.
gnuplusmatt@reddthat.com
on 31 Mar 2024 00:04
collapse
Nuke from orbit might be an overreaction, if you need that machine perhaps disable ssh or turn the machine off until later next week when the postmortems happen. If you need that trusted machine now, then yes fresh install
possiblylinux127@lemmy.zip
on 31 Mar 2024 00:13
collapse
Honestly doing a fresh install is a good test of your recovery abilities. You should always have a way to restore critical content in an emergency
afterthoughts@lemmy.ca
on 31 Mar 2024 17:40
collapse
I feel legitimately sorry for anyone who takes your rhetoric to heart.
Try not to let these 🧩’s pull you down rabbit holes, guys.
possiblylinux127@lemmy.zip
on 30 Mar 2024 05:02
nextcollapse
I’m genuinely disturbed that a person who was a core developer could just go rogue.
It’s an extremely sophisticated attack that was hidden very well, and was only accidentally discovered by someone who noticed that rejected SSH connections (eg invalid key or password) were using more CPU power and taking 0.5s longer than they should have. mastodon.social/…/112180406142695845
Moonrise2473@lemmy.ml
on 30 Mar 2024 08:14
nextcollapse
Unrelated, I really like the idea that the author of that blog post to place the favicon near each link
Moonrise2473@lemmy.ml
on 30 Mar 2024 08:18
collapse
From that post, commits set to UTC+0800 and activity between UTC 12-17 indicate that the programmer wasn’t operating from California but from another country starting with C. The name is also another hint.
That could be part of their plan though… Make people think they’re from China when in reality they’re a state-sponsored actor from a different country. Hard to tell at this point. The scary thing is they got very close to sneaking this malware in undetected.
A lot of critical projects are only maintained by one person who may end up burning out, so I’m surprised we haven’t seen more attacks like this. Gain the trust of the maintainer (maybe fix some bugs, reply to some mailing-list posts, etc), take over maintenance, and slowly add some malware one small piece at a time, interspersed with enough legit commits that you become one of the top contributors (and thus people start implicitly trusting you).
Edit: Based on this analysis, they may have been based in a European timezone and just changed their timezone to UTC+8 before committing to Git to make it look like they were in China: …substack.com/…/xz-backdoor-times-damned-times-an…. Their commits were usually between 9 am and 6 pm Eastern European Time, and there are a few commits where the timezone was set to UTC+2 instead of UTC+8.
possiblylinux127@lemmy.zip
on 30 Mar 2024 16:46
collapse
Except China is one of the countries involved in cyber warfare
intrapt@sh.itjust.works
on 30 Mar 2024 22:55
nextcollapse
Pretty much every country is engaged in cyber warfare to some degree
possiblylinux127@lemmy.zip
on 30 Mar 2024 23:01
collapse
It is kind of sad
interdimensionalmeme@lemmy.ml
on 30 Mar 2024 23:24
collapse
That’s what states, militaries and other competition-infected minds do.
Usually they say they imagine this to protect from it, then it becomes a weapon and “oops all wars”
possiblylinux127@lemmy.zip
on 31 Mar 2024 00:02
collapse
I hate to be the bringer of bad news for you but everyone is “completion minded” as you say. That’s how the world works
interdimensionalmeme@lemmy.ml
on 31 Mar 2024 12:32
nextcollapse
No that’s a poisonous ideology that maskerades as normal.
Heavily, aggressively involved in cyber activities. Previous Chinese attempts were unveiled by similar small gotchas.
Arguably that’s hard to prove, and it could be NK, India, the NSA, etc., but it’s not hard to believe this was part of another stream of attempts. Low ball, give it to the new guy, sorts of stuff.
US fed gov loves redhat for example, and getting into Fedora is how you get into RHEL
Based on this analysis, they may have been based in a European timezone and just changed their timezone to UTC+8 before committing to Git to make it look like they were in China: …substack.com/…/xz-backdoor-times-damned-times-an…. Their commits were usually between 9 am and 6 pm Eastern European Time, and there are a few commits where the timezone was set to UTC+2 instead of UTC+8.
stardreamer@lemmy.blahaj.zone
on 31 Mar 2024 00:59
collapse
According to this post, the person involved exposed a different name at one point.
Cheong is not a Pingyin name. It uses Romanization instead. Assuming that this isn’t a false trail (unlikely, why would you expose a fake name once instead of using it all the time?) that cuts out China (Mainland) and Singapore which use the Pingyin system. Or somebody has a time machine and grabbed this guy before 1956.
Likely sources of the name would be a country/Chinese administrative zone that uses Chinese and Romanization. Which gives us Taiwan, Macau, or Hong Kong, all of which are in GMT+8. Note that two of these are technically under PRC control.
Realistically I feel this is just a rogue attacker instead of a nation state. The probability of China 1. Hiring someone from these specific regions 2. Exposing a non-pinying full name once on purpose is extremely low. Why bother with this when you have plenty of graduates from Tsinghua in Beijing? Especially after so many people desperate for jobs after COVID.
Moonrise2473@lemmy.ml
on 30 Mar 2024 08:21
nextcollapse
I’m kinda hoping it was just that a state sponsored attacker showed up on their door and said “include this snippet or else…” otherwise it’s terrifying thinking of someone planning some long con like this
We are all relying on the honesty of a few overworked volunteers…
possiblylinux127@lemmy.zip
on 30 Mar 2024 16:43
collapse
They could of been working for Russia or someone else
Commiunism@lemmy.wtf
on 30 Mar 2024 17:31
nextcollapse
Damn, I had a malicious version installed on my Arch machine. I’ve since done a system update which removes the backdoor, but looking more into it, it does seem that only fedora and debian(?) are affected/targeted but better safe than sorry.
afterthoughts@lemmy.ca
on 31 Mar 2024 17:36
collapse
I guess this is one of those instances where Manjaro holding back packages makes it more secure than Arch, not less.
IsoSpandy@lemm.ee
on 30 Mar 2024 17:35
nextcollapse
I am looking at these gaggle of posts and all of lemmy is flooded with this and then think that there is an entire Spyware OS on the other side… Which who knows what code it runs and people are chill about it. I am so thankful for this community.
delirious_owl@discuss.online
on 30 Mar 2024 18:16
nextcollapse
What is the name of the software that is affected??
thatsnothowyoudoit@lemmy.ca
on 30 Mar 2024 21:17
nextcollapse
In turn it compromises ssh authentication allows remote code execution via system(); if the connecting SSH certificate contains the backdoor key. No user account required. Nothing logged anywhere you’d expect. Full root code execution.
It’s pretty clear this is a state actor, targeting a dependency of one of the most widely used system control software on Linux systems. There are likely tens or hundreds of other actors doing the exact same thing. This one was detected purely by chance, as it wasn’t even in the code for ssh.
If people ever wonder how cyber warfare could potentially cause a massive blackout and communications system interruption - this is how.
afterthoughts@lemmy.ca
on 31 Mar 2024 17:35
collapse
MadBigote@lemmy.world
on 30 Mar 2024 18:21
collapse
Microsoft Edge.
interdimensionalmeme@lemmy.ml
on 30 Mar 2024 23:21
nextcollapse
Well, there’s also malicious code in the proprietary binary blobs of the drivers and those run with kernel privilege.
At least that one we see what it does.
could this be a nation-state attack? since jiat75 spent multiple years developing a fake persona and it seems like a lot of effort was put into this
prettydarknwild@lemmy.world
on 02 Apr 2024 05:41
collapse
probably some agent from the country that starts with R, or from that other country that starts with C, or from one of those silly three-letter organizations
This happens in close source software too. You just don’t find out about it until it gets bad enough.
HowManyNimons@lemmy.world
on 31 Mar 2024 17:02
collapse
USE WINDOWS.
unionagainstdhmo@aussie.zone
on 01 Apr 2024 00:27
nextcollapse
No thanks. Lol. How many backdoors exist in Windows because we don’t see the source? And if something is found they’ll probably keep quiet about it. Happy April Fools’ a whole day dedicated to people like you
HowManyNimons@lemmy.world
on 01 Apr 2024 07:24
collapse
Lol triggered.
RageAgainstTheRich@lemmy.world
on 01 Apr 2024 10:59
collapse
“No you are wrong.”
YoU aRe So tRiGgErEd! 🤓
Dumb dumb.
HowManyNimons@lemmy.world
on 01 Apr 2024 11:07
collapse
The more times you ad-hom me, the weepier you look.
RageAgainstTheRich@lemmy.world
on 01 Apr 2024 11:26
collapse
🤔
prettydarknwild@lemmy.world
on 01 Apr 2024 04:00
collapse
if this happened on windows probably no one would have noticed it until a large cyberattack happened, also, using that logic no one should be using CPU’s created after 1995 due to meltdown / spectre
HowManyNimons@lemmy.world
on 01 Apr 2024 07:26
collapse
Hahaha irritating isn’t it?
prettydarknwild@lemmy.world
on 02 Apr 2024 04:47
collapse
Im not irritated, im saying that your logic is flawed, stop using some software piece due to a vulnerability is at least dumb, every software will have at least one, open source or not, we are humans, we commit errors, example: the SMB vulnerability that allowed the quick spread of WannaCry in 2017, and that was on Windows, and actually we are lucky that this happened on open source software and not in some big corporation privative software, if that was the case, we wouldnt be able to know about the backdoor until a large cyberattack happened
threaded - newest
Bad title. This is CVE-2024-3094. Run “xz --version” to see if you are affected.
Yeah that’s just the title from the thread over on the Fedora forum
Can’t you edit it?
Yes but that would be disingenuous. The current title better captures the urgency of the situation
AFAIK it‘s better to use
rpm -q xz xz-libs(copied from the forum replies) to avoid runningxzitself just in case the affected version is already installed“Run the affected binary to see if you have it”
If you go to the post, on the comments, there is someone that is already telling you to run
dnf list xz --installed. So you don’t need to runxzdirectly.If you are checking out the extent of damage on your system do not use
lddto check the links.You can inadvertently executed the exploit this way.
Running Ubuntu 23.10 with xz-utils 5.41 which is unaffected. Versions 5.6.0 and 5.6.1 are the malicious packages. I used Synaptic Package Manager to search for it.
On Ubuntu the only affected people were those running the prerelease of Ubuntu 24.04 who had installed the update from the
proposedpocket.The bad actor had a launchpad bug to pull it into the Ubuntu LTS beta. Serious kudos to the person who discovered it, literally in the nick of time.
Same story with Fedora
Using the F40 preview with KDE and a regular update from Discover rolled xz back to the known good version 5.4.6
I’m on Void, and I had the malicious version installed. Updating the system downgraded xz to 5.4.6, so it seems they are on it. I’ll be watching discussions to decide if my system might still be compromised.
I would nuke it and rebuild. If nothing else it is a good test of backups
Did you have SSH open to the internet?
.
No, this is just my personal laptop. I don’t even have access to an IP address I could enable port-forwarding on.
some people in my mastodon feed are suggesting that the backdoor might have connected out to malicious infrastructure or substituted its own SSH host keys, but I can’t find any clear confirmation. More info as the investigation progresses.
I guess at this point if you’re on Fedora 40 or rawhide clear / regen your host keys, even after xz version rollback
why would the backdoor do that? It would immediately expose itself because every ssh client on the planet warns about changed host keys when connecting.
Perhaps it was a poorly worded way of suggesting that invalidating host keys would invalidate all client keys it could potentially generate? Either way it’s a lot of speculation.
Resetting the keys and SSH config on any potentially compromised host is probably not a terrible idea
If you are on a affected system I would nuke from orbit.
Nuke from orbit might be an overreaction, if you need that machine perhaps disable ssh or turn the machine off until later next week when the postmortems happen. If you need that trusted machine now, then yes fresh install
Honestly doing a fresh install is a good test of your recovery abilities. You should always have a way to restore critical content in an emergency
I feel legitimately sorry for anyone who takes your rhetoric to heart.
Try not to let these 🧩’s pull you down rabbit holes, guys.
I’m genuinely disturbed that a person who was a core developer could just go rogue.
From what I’ve been reading, it sounds like they were malicious from the very beginning. The work to integrate the malware goes back to 2021. boehs.org/…/everything-i-know-about-the-xz-backdo…
It’s an extremely sophisticated attack that was hidden very well, and was only accidentally discovered by someone who noticed that rejected SSH connections (eg invalid key or password) were using more CPU power and taking 0.5s longer than they should have. mastodon.social/…/112180406142695845
Unrelated, I really like the idea that the author of that blog post to place the favicon near each link
From that post, commits set to UTC+0800 and activity between UTC 12-17 indicate that the programmer wasn’t operating from California but from another country starting with C. The name is also another hint.
That could be part of their plan though… Make people think they’re from China when in reality they’re a state-sponsored actor from a different country. Hard to tell at this point. The scary thing is they got very close to sneaking this malware in undetected.
A lot of critical projects are only maintained by one person who may end up burning out, so I’m surprised we haven’t seen more attacks like this. Gain the trust of the maintainer (maybe fix some bugs, reply to some mailing-list posts, etc), take over maintenance, and slowly add some malware one small piece at a time, interspersed with enough legit commits that you become one of the top contributors (and thus people start implicitly trusting you).
Edit: Based on this analysis, they may have been based in a European timezone and just changed their timezone to UTC+8 before committing to Git to make it look like they were in China: …substack.com/…/xz-backdoor-times-damned-times-an…. Their commits were usually between 9 am and 6 pm Eastern European Time, and there are a few commits where the timezone was set to UTC+2 instead of UTC+8.
Except China is one of the countries involved in cyber warfare
Pretty much every country is engaged in cyber warfare to some degree
It is kind of sad
That’s what states, militaries and other competition-infected minds do. Usually they say they imagine this to protect from it, then it becomes a weapon and “oops all wars”
I hate to be the bringer of bad news for you but everyone is “completion minded” as you say. That’s how the world works
No that’s a poisonous ideology that maskerades as normal.
No, it simply isn’t. And even if it were true, there are people like me, who will gladly only be competitive in games and sports.
Heavily, aggressively involved in cyber activities. Previous Chinese attempts were unveiled by similar small gotchas.
Arguably that’s hard to prove, and it could be NK, India, the NSA, etc., but it’s not hard to believe this was part of another stream of attempts. Low ball, give it to the new guy, sorts of stuff.
US fed gov loves redhat for example, and getting into Fedora is how you get into RHEL
Based on this analysis, they may have been based in a European timezone and just changed their timezone to UTC+8 before committing to Git to make it look like they were in China: …substack.com/…/xz-backdoor-times-damned-times-an…. Their commits were usually between 9 am and 6 pm Eastern European Time, and there are a few commits where the timezone was set to UTC+2 instead of UTC+8.
According to this post, the person involved exposed a different name at one point.
boehs.org/…/everything-i-know-about-the-xz-backdo…
Cheong is not a Pingyin name. It uses Romanization instead. Assuming that this isn’t a false trail (unlikely, why would you expose a fake name once instead of using it all the time?) that cuts out China (Mainland) and Singapore which use the Pingyin system. Or somebody has a time machine and grabbed this guy before 1956.
Likely sources of the name would be a country/Chinese administrative zone that uses Chinese and Romanization. Which gives us Taiwan, Macau, or Hong Kong, all of which are in GMT+8. Note that two of these are technically under PRC control.
Realistically I feel this is just a rogue attacker instead of a nation state. The probability of China 1. Hiring someone from these specific regions 2. Exposing a non-pinying full name once on purpose is extremely low. Why bother with this when you have plenty of graduates from Tsinghua in Beijing? Especially after so many people desperate for jobs after COVID.
I’m kinda hoping it was just that a state sponsored attacker showed up on their door and said “include this snippet or else…” otherwise it’s terrifying thinking of someone planning some long con like this
We are all relying on the honesty of a few overworked volunteers…
They could of been working for Russia or someone else
Or even a criminal organization.
I doubt it. Criminal organizations aren’t normally going around sabotaging things as that would shoot them in there own foot.
Yeah, what if they go blue next?
(It’s rogue not rouge)
I’m pretty sure you just said the same word twice
In case you’re not trolling:
en.wikipedia.org/wiki/Rouge
en.wikipedia.org/wiki/Rogue
Damn, I had a malicious version installed on my Arch machine. I’ve since done a system update which removes the backdoor, but looking more into it, it does seem that only fedora and debian(?) are affected/targeted but better safe than sorry.
I guess this is one of those instances where Manjaro holding back packages makes it more secure than Arch, not less.
I am looking at these gaggle of posts and all of lemmy is flooded with this and then think that there is an entire Spyware OS on the other side… Which who knows what code it runs and people are chill about it. I am so thankful for this community.
What is the name of the software that is affected??
Hard to tell from first glance but my guess would be this is fallout from the ongoing
xzdrama. Here: www.openwall.com/lists/oss-security/2024/03/29/4Also: arstechnica.com/…/backdoor-found-in-widely-used-l…
.
xz is the compromised package, but it in turn compromises ssh authentication
In turn it
compromises ssh authenticationallows remote code execution via system(); if the connecting SSH certificate contains the backdoor key. No user account required. Nothing logged anywhere you’d expect. Full root code execution.There is also a killswitch hard-coded into it, so it doesn’t affect machines of whatever state actor developed it.
It’s pretty clear this is a state actor, targeting a dependency of one of the most widely used system control software on Linux systems. There are likely tens or hundreds of other actors doing the exact same thing. This one was detected purely by chance, as it wasn’t even in the code for ssh.
If people ever wonder how cyber warfare could potentially cause a massive blackout and communications system interruption - this is how.
You mean thousands?
That was supposed to be or, not of.
Microsoft Edge.
Well, there’s also malicious code in the proprietary binary blobs of the drivers and those run with kernel privilege. At least that one we see what it does.
could this be a nation-state attack? since jiat75 spent multiple years developing a fake persona and it seems like a lot of effort was put into this
probably some agent from the country that starts with R, or from that other country that starts with C, or from one of those silly three-letter organizations
Makes you wonder how many of these are out there that have not been found?
Github has been turning into malwarehub.
And the one main issue with FOSS rears its ugly head – freedom of contribution also means freedom of bad contributions.
This happens in close source software too. You just don’t find out about it until it gets bad enough.
USE WINDOWS.
No thanks. Lol. How many backdoors exist in Windows because we don’t see the source? And if something is found they’ll probably keep quiet about it. Happy April Fools’ a whole day dedicated to people like you
Lol triggered.
“No you are wrong.” YoU aRe So tRiGgErEd! 🤓
Dumb dumb.
The more times you ad-hom me, the weepier you look.
🤔
if this happened on windows probably no one would have noticed it until a large cyberattack happened, also, using that logic no one should be using CPU’s created after 1995 due to meltdown / spectre
Hahaha irritating isn’t it?
Im not irritated, im saying that your logic is flawed, stop using some software piece due to a vulnerability is at least dumb, every software will have at least one, open source or not, we are humans, we commit errors, example: the SMB vulnerability that allowed the quick spread of WannaCry in 2017, and that was on Windows, and actually we are lucky that this happened on open source software and not in some big corporation privative software, if that was the case, we wouldnt be able to know about the backdoor until a large cyberattack happened