Bitcoin Forum
Author Topic: PSA: xz/liblzma critical vulnerability  (Read 158 times)
NotATether (OP)
March 30, 2024, 03:34:00 AM
#1

There is a very serious vulnerability in the xz compression program that was just found and has made its way to versions 5.6.0 and 5.6.1:

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://news.ycombinator.com/item?id=39865810
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

Basically it contains a backdoor to completely bypass your SSH authentication. All signs point to it being planted by a malicious actor running the project. It is undetectable by sanitizers and fuzz testing tools.

Fortunately the major distributions such as Ubuntu had not packaged it yet.

I am aware that most people reading this are not using SSH or have servers for this, but this particular actor has a large footprint in other open source projects, so there is no guarantee that local services that you might actually use on your wallet PC are not affected by a different vulnerability.
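A local triage check for the releases named in this PSA, added here as an example (it is not code from the thread, the xz project or any distro). The sshd path is an assumed default, and the note that sshd only loads liblzma when the distro build links libsystemd comes from the oss-security write-up linked above:

```python
# Added example (not from the thread): triage for CVE-2024-3094 on a host.
# Two questions matter: is the installed XZ Utils / liblzma one of the
# backdoored releases (5.6.0, 5.6.1), and does sshd actually load liblzma?
# Upstream OpenSSH does not link it; distro builds that link libsystemd do.
# The parsers take captured text so they can be exercised offline.
import os
import re
import shutil
import subprocess

AFFECTED = {"5.6.0", "5.6.1"}          # releases named in the Red Hat / oss-security alerts
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)\b")

def xz_affected(banner: str) -> bool:
    """True if any version in an `xz --version` banner is a backdoored release.
    The banner has two lines, "xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z";
    both are checked because the backdoor lives in liblzma, not the xz binary."""
    return any(v in AFFECTED for v in VERSION_RE.findall(banner))

def liblzma_from_ldd(ldd_output: str):
    """Return the liblzma path that an `ldd <binary>` listing resolves to,
    or None if the binary does not pull in liblzma at all."""
    for line in ldd_output.splitlines():
        m = re.match(r"\s*liblzma\.so[\w.]*\s*=>\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def check_local_host(sshd_path="/usr/sbin/sshd"):
    """Run both checks on this machine (sshd_path is an assumed default).
    Returns a dict so the caller can decide how loudly to alert."""
    result = {"xz_banner": None, "xz_affected": None, "sshd_liblzma": None}
    if shutil.which("xz"):
        banner = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        result["xz_banner"] = banner.strip()
        result["xz_affected"] = xz_affected(banner)
    if shutil.which("ldd") and os.path.isfile(sshd_path):
        ldd = subprocess.run(["ldd", sshd_path], capture_output=True, text=True).stdout
        result["sshd_liblzma"] = liblzma_from_ldd(ldd)
    return result

if __name__ == "__main__":
    print(check_local_host())
```

A host is at risk only when both findings line up: an affected liblzma version and an sshd that resolves liblzma; an old xz binary next to a new liblzma is still affected, which is why the banner's second line is checked.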

TryNinja
March 30, 2024, 09:16:02 AM
#2

That’s actually insane. This could have spread to every single Ubuntu/Debian machine with an SSH server in the world and stayed there for years. Imagine having the key to hack basically every server there is (with ssh).

And all it took was a single guy trying to fix some unexpected latency on his machine.

I bet it's a state actor? Maybe the CIA or similar.

ABCbits
March 30, 2024, 09:52:08 AM
#3

It's one of the few times where I'm glad I chose a conservative distro like Debian. It's also crazy it took months before it was detected.

Quote from: TryNinja
I bet it's a state actor? Maybe the CIA or similar.

That seems plausible.

NotATether (OP)
March 30, 2024, 09:56:43 AM
#4

Quote from: TryNinja
That’s actually insane. This could have spread to every single Ubuntu/Debian machine with an SSH server in the world and stayed there for years. Imagine having the key to hack basically every server there is (with ssh).

And all it took was a single guy trying to fix some unexpected latency on his machine.

I bet it's a state actor? Maybe the CIA or similar.

The discovery was very close timing. Ubuntu was about to release 24.04 LTS in a matter of days. It would have had a devastating effect had the LTS release shipped with an SSH backdoor, because it's used on most servers. Debian too.

BlackHatCoiner
March 30, 2024, 10:41:03 AM
#5

Do we have access to the repository? Both the Larhzu and JiaT75 GitHub accounts are suspended, and their repository is disabled. I tried checking their commits with the web archive, but no non-disabled pages were archived (except this, which doesn't reveal anything important).

Quote from: ABCbits
It's one of the few times where I'm glad I chose a conservative distro like Debian. It's also crazy it took months before it was detected.

Didn't Debian import it into their packages like Ubuntu?

NotATether (OP)
March 30, 2024, 11:34:16 AM
#6

Quote from: BlackHatCoiner
Do we have access to the repository? Both the Larhzu and JiaT75 GitHub accounts are suspended, and their repository is disabled. I tried checking their commits with the web archive, but no non-disabled pages were archived (except this, which doesn't reveal anything important).

There are a few mirrors of the repo linked in the hacker news page, like https://github.com/xz-mirror/xz

cryptosize
March 30, 2024, 01:22:28 PM
#7

Quote from: NotATether
Basically it contains a backdoor to completely bypass your SSH authentication. All signs point to it being planted by a malicious actor running the project. It is undetectable by sanitizers and fuzz testing tools.

Quote from: TryNinja
I bet it's a state actor? Maybe the CIA or similar.

A rare case of an open-source project being compromised... imagine if this happens to a Bitcoin wallet.

Do we know who exactly committed the code? You need to have privileges to do that.

NotATether (OP)
March 30, 2024, 01:38:08 PM
#8

Quote from: cryptosize
A rare case of an open-source project being compromised... imagine if this happens to a Bitcoin wallet.

Do we know who exactly committed the code? You need to have privileges to do that.

Ironically the backdoor was inserted by the maintainer himself, who goes by the name "Jia Tan" (@JiaT75 on github).

The other maintainer took a leave of absence and is probably unaware of all these flying monkeys in his codebase.

cryptosize
March 30, 2024, 01:48:18 PM
Last edit: March 30, 2024, 10:01:00 PM by Mr. Big
#9

Quote from: NotATether
A rare case of an open-source project being compromised... imagine if this happens to a Bitcoin wallet.

Do we know who exactly committed the code? You need to have privileges to do that.

Ironically the backdoor was inserted by the maintainer himself, who goes by the name "Jia Tan" (@JiaT75 on github).

The other maintainer took a leave of absence and is probably unaware of all these flying monkeys in his codebase.

Yeah, I found more info here:

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

Quote
As of 9:00 PM UTC, GitHub has suspended JiaT75’s account. Thanks? They also banned the repository, meaning people can no longer audit the changes made to it without resorting to mirrors. Immensely helpful, GitHub. They also suspended Lasse Collin’s account, which is completely disgraceful.

LOL
NotATether (OP)
March 30, 2024, 02:34:47 PM
#10

Quote from: cryptosize
Quote
As of 9:00 PM UTC, GitHub has suspended JiaT75’s account. Thanks? They also banned the repository, meaning people can no longer audit the changes made to it without resorting to mirrors. Immensely helpful, GitHub. They also suspended Lasse Collin’s account, which is completely disgraceful.

LOL

I hope Github is busy scrubbing the malicious commits and writing a blog post about it because otherwise the repo ban would be pointless.

NotATether (OP)
March 30, 2024, 06:23:31 PM
#11

Update: Lasse Collin (original xz maintainer) has released a statement on his website:

Quote
This page is short for now but it will get updated as I learn more about the incident. Most likely it will be during the first week of April 2024.

The Git repositories of XZ projects are on git.tukaani.org.

xz.tukaani.org DNS name (CNAME) has been removed. The XZ projects currently don’t have a home page. This will be fixed in a few days.

Facts
- CVE-2024-3094
- XZ Utils 5.6.0 and 5.6.1 release tarballs contain a backdoor. These tarballs were created and signed by Jia Tan.
- Tarballs created by Jia Tan were signed by him. Any tarballs signed by me were created by me.
- GitHub accounts of both me (Larhzu) and Jia Tan are suspended.
- xz.tukaani.org (DNS CNAME) was hosted on GitHub pages and thus is down too. It might be moved back to the main tukaani.org domain in the near future.
- Only I have had access to the main tukaani.org website, git.tukaani.org repositories, and related files. Jia Tan only had access to things hosted on GitHub, including xz.tukaani.org subdomain (and only that subdomain).

It looks like he was unaware of this happening and he's going to clean up this mess now, including most likely talking to Github staff.

ABCbits
March 31, 2024, 09:03:20 AM
#12

Quote from: ABCbits
It's one of the few times where I'm glad I chose a conservative distro like Debian. It's also crazy it took months before it was detected.

Quote from: BlackHatCoiner
Didn't Debian import it into their packages like Ubuntu?

I just checked my Debian device and it seems they include xz by default. But based on my experience, Debian is usually slower to upgrade its packages compared with Ubuntu LTS.

Quote from: NotATether
Basically it contains a backdoor to completely bypass your SSH authentication. All signs point to it being planted by a malicious actor running the project. It is undetectable by sanitizers and fuzz testing tools.

Quote from: TryNinja
I bet it's a state actor? Maybe the CIA or similar.

Quote from: cryptosize
A rare case of an open-source project being compromised... imagine if this happens to a Bitcoin wallet.

I can see that happening to unpopular wallet software or a library used to sign transactions. Imagine if someone compromised a signing library to create signed TXs with a specific k value range.
