Well this is fucking lovely....

Malicious code was discovered in the upstream tarballs of "xz" which then affects liblzma

Downstream there may be backdoors in various implementations of "sshd".

Versions Affected:

  • Fedora 41
  • Fedora Rawhide
  • openSUSE Tumbleweed
  • Debian testing, unstable, experimental distributions
  • Kali updates between March 26th and March 29th

Original notice here:
https://www.openwall.com/lists/oss-security/2024/03/29/4

Red Hat CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Red Hat Security Blog Post: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Arch Linux Security Post: https://archlinux.org/news/the-xz-package-has-been-backdoored/

Debian Security Post: https://lists.debian.org/debian-security-announce/2024/msg00057.html

openSUSE Security Post: https://news.opensuse.org/2024/03/29/xz-backdoor/

Kali Linux announcement: https://infosec.exchange/@kalilinux/112180505434870941

CISA Advisory: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

Article here: https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/

#infosec #linux #foss #hacking #cve20243094 #cve

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

A couple things to think about here:

This appears to be a malicious maintainer - not a compromised account. Meaning the person themselves coded this in and pushed it out.

So:
1) Did they try and backdoor any other code?
2) Are they part of a greater campaign, or is anyone else helping them?

This is a massive breach of trust.

That said! Huge kudos to Andres Freund, Florian Weimer, and others in finding this.

A lot of eyes are on this now. CISA is involved. Major distros are involved, etc. Many eyes and such.

#infosec #linux #foss #hacking #cve20243094 #cve

That backdoor in sshd (via xz / liblzma) affects recent versions of Kali Linux:

Kali Linux announced that the impact of this vulnerability affected Kali between March 26th and March 29th. If you updated your Kali installation on or after March 26th, applying the latest updates today is crucial to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.

More info here:
https://infosec.exchange/@kalilinux/112180505434870941

#infosec #hacking #cve20243094

Kali Linux (@kalilinux@infosec.exchange)

As of the information we have currently, the following is true. Should more information come to light, we will continue to keep this situation updated. The xz package, from versions 5.6.0 to 5.6.1, was found to contain a backdoor. This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized access to the entire system remotely. The impact of this vulnerability affected Kali between March 26th and March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability. More information can be found at https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/ and https://www.openwall.com/lists/oss-security/2024/03/29/4

@tinker lol as if anyone changes the credentials to their kali vm

@tinker To fix the issue, does one just need to update their system?

I thought of delaying updates as part of another issue where Linux would inexplicably freeze using firefox, minetest, and steam.

I haven't had it since:

  • Opening Steam in a terminal.
  • Using LibreWolf rather than Firefox.
  • Uninstalling Minetest.

Curiously the freezing happened on those dates too.

@tinker It seems to largely affect Kali. Mint user.
@lwflouisa - If you were using a system that was affected, updating that system should remove the backdoor. Most distros have rolled back to previous, unaffected versions.
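One way to turn the "am I affected?" question into a repeatable check, as an added example that is not part of this thread or of any distro's advisory: a POSIX shell script that parses `xz --version` output, flags the two backdoored releases named in the Kali notice above (5.6.0 and 5.6.1), and reports whether the sshd binary links liblzma at all (via `ldd`), since liblzma is the route through which the backdoor reached sshd. The command outputs embedded below are constructed samples so the script runs offline; the `--live` branch shows the real commands to substitute on a host.

```shell
#!/bin/sh
# Added example (not from the thread or any distro advisory): flag an
# installed xz/liblzma whose version is one of the backdoored releases
# (5.6.0 or 5.6.1, per the Kali notice) and report whether sshd links
# liblzma, which is the path by which the backdoor reached sshd.

# Extract the version number from `xz --version` output.
# Typical first line: "xz (XZ Utils) 5.6.1"
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 (true) when the version string is a known backdoored release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when `ldd` output for sshd lists liblzma among its libraries.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine the version checks into a one-word verdict for a report:
# "affected:<ver>", "clean:<ver>", or "unknown" if the output did not parse.
assess() {
    ver=$(parse_xz_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif xz_version_affected "$ver"; then
        echo "affected:$ver"
    else
        echo "clean:$ver"
    fi
}

# Constructed sample command outputs (not captured from a real host).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_GOOD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffdd1234000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f10aa000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f10a9c00000)'

# Run against the live host with `sh check_xz.sh --live`; otherwise
# the constructed samples are used.
if [ "${1:-}" = "--live" ]; then
    XZ_OUT=$(xz --version 2>/dev/null)
    LDD_OUT=$(ldd "$(command -v sshd)" 2>/dev/null)
else
    XZ_OUT=$SAMPLE_BAD
    LDD_OUT=$SAMPLE_LDD
fi

echo "xz status: $(assess "$XZ_OUT")"
if sshd_links_liblzma "$LDD_OUT"; then
    echo "sshd links liblzma: yes"
else
    echo "sshd links liblzma: no"
fi
```

An "affected" verdict means the package still needs the distro's rolled-back build applied, as the reply above says; a "clean" version together with "sshd links liblzma: yes" is the normal state on distros that patch sshd for systemd notification, not a finding by itself.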

@tinker I was looking into it and apparently Firefox had its own zero day issue.

I ask as when I used Windows, often the computer would freeze when a backdoor was used.

@lwflouisa oh lovely
@tinker Yea so far no issues in midori or librewolf. I use Eleventy for my music and videos, but the way ublock was interacting with firefox makes me wonder if there are deeper issues.
@tinker Also it's a pretty unusual one because it can only be used by the attacker, since attacks need to be digitally signed to work. Don't get shocked, act calm. Upgrade if required, restart daemons.