Lawrence Person's BattleSwarm Blog 4/1/2024
A newly discovered backdoor found in the xz liblzma library of XZ Utils, the XZ format compression utilities included in most Linux distributions, targets the RSA implementation of OpenSSH.
For those outside of tech, that sentence was an unreadable jumble of acronyms. For those inside tech, a chill probably ran down their spine, as those technologies are everywhere. Anytime anyone buys something online, they’re going to be using SSH to create a secure channel to pass transaction information. Depending on how many distros are using that library, the consequence range from “bad” to “really, really bad.”
Details: A vulnerability (CVE-2024-3094) in XZ Utils, the XZ format compression utilities included in most Linux distributions, may “enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely,” Red Hat warns.
The cause of the vulnerability is actually malicious code present in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries, which was accidentally found by Andres Freund, a PostgreSQL developer and software engineer at Microsoft.
“After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored,” he shared via the oss-security mailing list.
According to Red Hat, the malicious injection in the vulnerable versions of the libraries is obfuscated and only included in full in the download package.
More:
https://www.battleswarmblog.com/?p=57646
