taquiones.net is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
Also, to be super clear nobody should panic about #XZ as the Postgres developer who found this basically caught it quick enough that almost no businesses or devices will be running the code.
So everybody should be chill about this specific issue as that guy saved everybody’s bacon.
To give an idea of the scale of OpenSSH usage, it’s absolutely huge, it dwarfs RDP by a huge margin (think ten times), and had this survived for a long period of time it would have been unbelievably bad.
The sshd backdoor in #XZ is just way beyond my technical ability. There’s so much there, I imagine more than a few conference talks are going to be submitted for it.
My amateur hour view is it’s really well put together (eg you can only execute commands if you have a private key that only the attacker has) and appears to allow remote removal of the backdoor, too. There’s a whole bunch of features which I’m too dumb to get.
Also for me, performance isn’t that bad - I wouldn’t have noticed it.
Linux distribution versions impacted by #XZ backdoor (or not), best list I’ve seen: https://www.rapid7.com/blog/post/2024/04/01/etr-backdoored-xz-utils-cve-2024-3094/
If you use Microsoft Vulnerability Management, it is false positiving on CVE-2024-3094 aka #XZ backdoor - it is picking up the Cygwin version of XZ as vuln on Windows systems.
The Cygwin packages predate the backdoor and it doesn’t impact Windows; also, the file it flags isn’t the backdoor but lzmadec.exe.
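As an added example (not code from any of the posts above), here is a small triage filter for scanner findings that applies the two observations in this post: the platform (a Cygwin xz on Windows is out of scope) and the actual package version behind the scanner's match. The record layout, the field names and the affected-version set are assumptions; the affected versions should be checked against the Rapid7 list linked above, and the findings below are constructed sample data.

```python
"""Triage CVE-2024-3094 (xz backdoor) scanner findings by platform and version.

Added example, not part of the original posts. Assumptions: findings arrive as
simple records (constructed below), and AFFECTED_UPSTREAM is taken from public
advisories; verify it against the Rapid7 list before relying on it.
"""
import re
from dataclasses import dataclass

# Assumption: upstream release versions that carried the backdoor.
AFFECTED_UPSTREAM = {"5.6.0", "5.6.1"}

_VERSION_RE = re.compile(r"(?:\d+:)?(\d+(?:\.\d+)+)")


@dataclass
class Finding:
    host: str
    os_family: str   # "linux", "windows", ...
    package: str     # package or file the scanner matched on
    version: str     # distribution version string as reported by the scanner
    cve: str


def normalize_version(raw: str) -> str:
    """Reduce a distribution version string to the upstream release number.

    Handles epochs ("1:5.6.1-1") and Debian-style reverted builds
    ("5.6.1+really5.4.5-1"), where the real upstream version follows "really".
    """
    if "really" in raw:
        raw = raw.split("really", 1)[1]
    m = _VERSION_RE.search(raw)
    return m.group(1) if m else raw


def is_true_positive(f: Finding) -> bool:
    """True only when a finding plausibly reflects the backdoored liblzma.

    A Cygwin xz on Windows is the false positive described in the post above:
    the backdoor does not impact Windows, so non-Linux hosts are dropped
    before the version is even considered.
    """
    if f.cve != "CVE-2024-3094":
        return False
    if f.os_family.lower() != "linux":
        return False
    return normalize_version(f.version) in AFFECTED_UPSTREAM


def triage(findings):
    """Split findings into (keep, drop) lists for analyst review."""
    keep, drop = [], []
    for f in findings:
        (keep if is_true_positive(f) else drop).append(f)
    return keep, drop


# Constructed sample findings, not real scanner output.
SAMPLE = [
    Finding("web01", "linux", "xz-utils", "5.6.1-1", "CVE-2024-3094"),
    Finding("build02", "linux", "xz-utils", "5.6.1+really5.4.5-1", "CVE-2024-3094"),
    Finding("db03", "linux", "xz-libs", "5.4.6-1", "CVE-2024-3094"),
    Finding("ws04", "windows", "cygwin lzmadec.exe", "5.4.6-1", "CVE-2024-3094"),
]

if __name__ == "__main__":
    keep, drop = triage(SAMPLE)
    for f in keep:
        print("REVIEW", f.host, f.package, f.version)
    for f in drop:
        print("dropped", f.host, f.package, f.version)
```

Running it keeps only the Linux host reporting 5.6.1 and drops the Windows/Cygwin match, the reverted Debian-style build and the older library, which is the distinction the scanner in the post failed to make.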
Really good timeline of #XZ backdoor, laying out everything known about what the threat actor was up to: https://research.swtch.com/xz-timeline
Re #XZ attacker - the known threat actor account made various changes across multiple open source projects and documentation.
Library maintainers should not look at those changes in isolation of just that line change, or assume the threat actor only became malicious later. Assume they are very well resourced and acting with broad objectives.
In at least one case they made an existing unknown vulnerability exploitable, and we know they were socially engineering the XZ maintainer years ago.
‘They’ are very likely a multi million dollar operation - see also just the shell script analysis, before you even get to the backdoor (which is much more nuts) https://research.swtch.com/xz-script
The actual SSH backdoor is cryptographically signed so only the threat actor can use it. If you work in threat intelligence and write “foreign” intelligence agency, you might want to look at your bias training.
New Blog Post: The two tales of xz-utils and Crowdstrike.
It's a long blogpost. Just so you know. And it is my PERSONAL take, not Red Hat's. I tried to keep it accessible to non-techies without skimping on the relevant technical details.
Replies to this toot will show up as comments under the blogpost.
https://jan.wildeboer.net/2024/08/xz-v-crowdstrike-presentation/
It drives me crazy that the backdoor in the #liblzma DLL of #xzutils was discovered by some guy because, when connecting over SSH, the connection took a quarter of a second longer than usual. I mean, who notices something like that, and how do you connect it to a vulnerability in #xz? It's insane; it still leaves me baffled.
It seems fairly clear that the author is some intelligence agency, given the planning, the skill level and the resources. Fake accounts contributing code on Github for years, earning a reputation as contributors and the trust of the creator of XZ, and with a degree of low-level technical knowledge within reach of very few. A genuine covert operation sustained over time, lasting years, to install a backdoor on machines on a planetary scale.
Looking at the hardly credible characteristics of the main fake account, apparently Chinese, I lean toward the Russian or US secret services, but that is pure speculation.