Hacker superhero and sidekicks saved the Internet this Easter weekend

Jan (Who's the Boss?, Staff member; joined May 24, 2010; 14,789 messages; reaction score 13,438; location: The Rabbit Hole)
A superhero hacker saved the Internet this weekend

A long con social engineering attack that could have resulted in a large number of Internet servers being backdoored was detected and blocked this weekend thanks to the heroic work of one hacker.

Postgres developer Andres Freund, who is currently employed by Microsoft, stumbled on the issue a few weeks ago when he noticed performance degradation — measured in milliseconds — in a core Linux tool.
 
A big snafu avoided...
My systems are running older xz-utils, luckily.
5.6.0 and 5.6.1 are the affected versions.
Kudos to a dev who picked up on this issue.

Also, most of my systems are running on ARM, so hopefully not affected by this backdoored version.

A detailed writeup of the issue: https://www.openwall.com/lists/oss-security/2024/03/29/4
I'm also surprised that the fuzzers did not even pick up on the issue, so probably the dev circumvented it by testing his changes against all known fuzzers, and therefore it slipped through the cracks.
 
Where would it require compression in the login daemon?
The reason is a bit long-winded: a dependency of a dependency of extra functionality.

It should be noted that the attack only works because Debian and Red Hat added functionality to sshd that is not present in it as distributed by its developers. The extra functionality adds systemd interaction, which requires libsystemd, which requires liblzma, a component of the (compromised) xz package.
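Added example, not from the thread or from any of the projects mentioned: a POSIX shell triage script that checks the two conditions the posts above combine, an xz/liblzma at one of the affected versions (5.6.0 or 5.6.1) and an sshd binary that actually pulls in liblzma through libsystemd. Function names are mine, and the ldd-style output used as sample input is constructed to look like a distribution-patched sshd versus an upstream-style one; on a real host the comment in the block shows where `ldd "$(command -v sshd)"` goes instead.

```shell
#!/bin/sh
# Added example (not from the thread). Triage for the chain described above:
# sshd -> libsystemd -> liblzma (xz). Verdicts:
#   exposed      affected xz version AND sshd links liblzma
#   version-only affected xz version, but this sshd does not link liblzma
#   link-only    sshd links liblzma, but xz is not an affected version
#   clear        neither condition holds
# Affected versions come from the thread; everything else is constructed.

# xz_affected VERSION -> exit 0 if VERSION is one of the two affected releases
xz_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# links_liblzma -> reads ldd-style output on stdin, exit 0 if liblzma appears
# (ldd lists transitive dependencies, so libsystemd's liblzma shows up here)
links_liblzma() {
    grep -q 'liblzma\.so'
}

# exposure_verdict VERSION LDD_OUTPUT -> prints one of the four verdicts above
exposure_verdict() {
    ver="$1"
    ldd_out="$2"
    ver_hit=1
    link_hit=1
    xz_affected "$ver" && ver_hit=0
    printf '%s\n' "$ldd_out" | links_liblzma && link_hit=0
    if [ "$ver_hit" -eq 0 ] && [ "$link_hit" -eq 0 ]; then
        echo exposed
    elif [ "$ver_hit" -eq 0 ]; then
        echo version-only
    elif [ "$link_hit" -eq 0 ]; then
        echo link-only
    else
        echo clear
    fi
}

# installed_xz_version -> prints the local liblzma version reported by
# "xz --version" (its second line reads "liblzma X.Y.Z"); fails if xz is absent
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    xz --version 2>/dev/null | awk '/^liblzma/ {print $2; exit}'
}

# Constructed sample: what ldd prints for a distribution sshd that was patched
# to talk to systemd (liblzma arrives via libsystemd)
SAMPLE_LDD_DISTRO='    linux-vdso.so.1 (0x0000000000000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000000000000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000000)'

# Constructed sample: an sshd built as upstream ships it, no systemd hook
SAMPLE_LDD_UPSTREAM='    linux-vdso.so.1 (0x0000000000000000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000000)'

# Demo on the constructed samples
for v in 5.4.5 5.6.0; do
    echo "xz $v, distro-style sshd:    $(exposure_verdict "$v" "$SAMPLE_LDD_DISTRO")"
    echo "xz $v, upstream-style sshd: $(exposure_verdict "$v" "$SAMPLE_LDD_UPSTREAM")"
done

# On a real host with both tools present, check the actual binary instead
if command -v sshd >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
    lv=$(installed_xz_version || echo unknown)
    echo "this host: liblzma $lv -> $(exposure_verdict "$lv" "$(ldd "$(command -v sshd)")")"
fi
```

The verdict deliberately separates the two conditions: a host on 5.6.x whose sshd does not link liblzma, and a distro sshd on an older xz, both need different follow-up (upgrade versus monitor), and a single yes/no would hide that.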
 
Related thread posted over the weekend on MyBB:
 
Lekker live bait for the systemd haters.

Why does libsystemd require liblzma?
 
Seems it is used to compress the source code? But if that is the case, why would it be in the login daemon???
It affected the login daemon; that doesn't mean it was built for it. Like a virus you get from porn sites, it ain't porn. Also, many log files are compressed to the .xz format, thus the ease of access to system files.
 
Hmmm... it also compresses the access logs, kind of a perfect crime here.
 