Linux upstream dependency malware
-
2024-04-03 at 7:52 PM UTC
Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux
distributions, and where they have, mostly in pre-release versions.

https://www.openwall.com/lists/oss-security/2024/03/29/4

== Observing Impact on openssh server ==
With the backdoored liblzma installed, logins via ssh become a lot slower.

time ssh nonexistant@…alhost

before:
nonexistant@…alhost: Permission denied (publickey).
real 0m0.299s
user 0m0.202s
sys 0m0.006s

after:
nonexistant@…alhost: Permission denied (publickey).
real 0m0.807s
user 0m0.202s
sys 0m0.006s

openssh does not directly use liblzma. However debian and several other
distributions patch openssh to support systemd notification, and libsystemd
does depend on lzma.

Initially starting sshd outside of systemd did not show the slowdown, despite
the backdoor briefly getting invoked. This appears to be part of some
countermeasures to make analysis harder.

https://lkml.org/lkml/2024/3/30/188

Thank you. None of these patches are urgent. I'm on a holiday and only
happened to look at my emails and it seems to be a major mess.

My proper investigation efforts likely start in the first days of
April. That is, I currently know only a few facts which alone are bad
enough.

Info will be updated here: https://tukaani.org/xz-backdoor/
The maintainer of the repo, Lasse Collin, a Swede, is on holidays.
Not much seems to be known about the person who committed the malicious code, Jia Tan.
It may be a cute Asian girl. All the images when you search for Jia Tan are cute Asian girls.
Girls commit to open source ... r-right?
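The quoted openwall message above gives two facts a defender can turn into a host check: the affected releases are xz 5.6.0 and 5.6.1, and sshd only reaches liblzma when a distribution's systemd-notification patch makes it link libsystemd. The script below is an added example, not code from the thread, from the openwall/lkml messages, or from the xz project; the function names and the sample `xz --version` / `ldd` strings are constructed for it. A version-string match is only a coarse indicator (a distribution may ship a rebuilt package under the same version, and the advisory's own identification method is not on this page), and liblzma showing up in `ldd` is the linkage the post describes, not proof of compromise; the point is that both conditions together are what the post ties the sshd slowdown to.

```shell
#!/bin/sh
# Added example (not from the thread or the xz project): coarse host checks derived
# from the facts quoted in the post. Function names and sample inputs are constructed.

# $1 = first line of `xz --version`, e.g. "xz (XZ Utils) 5.6.1"
# Returns 0 when the version is one of the two releases the post names.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*(XZ Utils) \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# $1 = output of `ldd /path/to/sshd`
# Returns 0 when liblzma is in sshd's shared-library list (directly or via libsystemd).
sshd_links_lzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both checks; prints EXPOSED, AFFECTED_LIBLZMA_NOT_LINKED or CLEAN.
# $1 = xz version line, $2 = ldd output of sshd
sshd_exposure() {
    if xz_version_affected "$1"; then
        if sshd_links_lzma "$2"; then
            echo EXPOSED
        else
            echo AFFECTED_LIBLZMA_NOT_LINKED
        fi
    else
        echo CLEAN
    fi
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_XZ_AFFECTED='xz (XZ Utils) 5.6.1'
SAMPLE_XZ_CLEAN='xz (XZ Utils) 5.4.6'
# sshd built with a distro systemd-notification patch: libsystemd pulls in liblzma
SAMPLE_LDD_SYSTEMD_PATCHED='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)'
# unpatched sshd: no libsystemd, no liblzma
SAMPLE_LDD_UNPATCHED='	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)'

# Run against this host when xz and sshd are on PATH; otherwise demonstrate on the samples.
if command -v xz >/dev/null 2>&1 && command -v sshd >/dev/null 2>&1; then
    sshd_exposure "$(xz --version 2>/dev/null | head -n 1)" \
                  "$(ldd "$(command -v sshd)" 2>/dev/null || true)"
else
    sshd_exposure "$SAMPLE_XZ_AFFECTED" "$SAMPLE_LDD_SYSTEMD_PATCHED"
fi
```

On a real host, `sshd` usually lives in /usr/sbin, so run the script as root or pass the full path to `ldd` yourself; the `time ssh` comparison from the post remains a useful manual confirmation once the two conditions are both present.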
-
2024-04-03 at 11:48 PM UTC
lol yeah, people who commit malware always do it using their own name and account
interesting they added a patch to the makefiles rather than straight up updating the code, seems way more suspicious and like they observed memory locations are going to be different depending on environment, platform etc
-
2024-04-07 at 5:42 PM UTC
I like Asian girls.
That's all I have for now.
-
2024-04-07 at 5:50 PM UTC
Reading up on this, I realize this was actually a very big close call.
This may have even been a government entity.