I’m genuinely disturbed that a person who was a core developer could just go rouge.
From what I’ve been reading, it sounds like they were malicious from the very beginning. The work to integrate the malware goes back to 2021. https://boehs.org/node/everything-i-know-about-the-xz-backdoor
It’s an extremely sophisticated attack that was hidden very well, and was only accidentally discovered by someone who noticed that SSH connections were using more CPU power and taking 0.5s longer than they should have. https://mastodon.social/@AndresFreundTec/112180406142695845
From that post, commits set to UTC+0800 and activity between UTC 12-17 indicate that the programmer wasn’t operating from California but from another country starting with C. The name is also another hint.
That could be part of their plan though… Make people think they’re from China when in reality they’re a state-sponsored actor from a different country. Hard to tell at this point. The scary thing is they got very close to sneaking this malware in undetected.
A lot of critical projects are only maintained by one person who may end up burning out, so I’m surprised we haven’t seen more attacks like this. Gain the trust of the maintainer (maybe fix some bugs, reply to some mailing-list posts, etc), take over maintenance, and slowly add some malware one small piece at a time, interspersed with enough legit commits that you become one of the top contributors (and thus people start implicitly trusting you).
Except China is one of the countries involved in cyber warfare
Pretty much every country is engaged in cyber warfare to some degree
It is kind of sad
That’s what states, militaries and other competition-infected minds do. Usually they say they imagine this to protect from it, then it becomes a weapon and “oops all wars”
Yeah, what if they go blue next?
(It’s rogue not rouge)
some people in my mastodon feed are suggesting that the backdoor might have connected out to malicious infrastructure or substituted its own SSH host keys, but I can’t find any clear confirmation. More info as the investigation progresses.
I guess at this point if you’re on Fedora 40 or rawhide clear / regen your host keys, even after xz version rollback
If you are on a affected system I would nuke from orbit.
or substituted its own SSH host keys,
why would the backdoor do that? It would immediately expose itself because every ssh client on the planet warns about changed host keys when connecting.
Perhaps it was a poorly worded way of suggesting that invalidating host keys would invalidate all client keys it could potentially generate? Either way it’s a lot of speculation.
Resetting the keys and SSH config on any potentially compromised host is probably not a terrible idea
Well, there’s also malicious code in the proprietary binary blobs of the drivers and those run with kernel privilege. At least that one we see what it does.
So far I was affected on termux. There is already package update.
Bad title. This is CVE-2024-3094. Run “xz --version” to see if you are affected.
If you go to the post, on the comments, there is someone that is already telling you to run
dnf list xz --installed. So you don’t need to runxzdirectly.“Run the affected binary to see if you have it”
AFAIK it‘s better to use
rpm -q xz xz-libs(copied from the forum replies) to avoid runningxzitself just in case the affected version is already installed
I’m on Void, and I had the malicious version installed. Updating the system downgraded xz to 5.4.6, so it seems they are on it. I’ll be watching discussions to decide if my system might still be compromised.
I would nuke it and rebuild. If nothing else it is a good test of backups
Running Ubuntu 23.10 with xz-utils 5.41 which is unaffected. Versions 5.6.0 and 5.6.1 are the malicious packages. I used Synaptic Package Manager to search for it.
The bad actor had a launchpad bug to pull it into the Ubuntu LTS beta. Serious kudos to the person who discovered it, literally in the nick of time.
Same story with Fedora
What is the name of the software that is affected??
xz is the compromised package, but it in turn compromises ssh authentication
