XZ Utils Backdoor
114 points by spaam 1 year ago | 16 comments

- publius_0xf3 1 year ago: When all this is over and Collin is in the right state of mind, I'd appreciate it if they could shed some light on the social engineering side of this exploit, i.e. the process by which the intruder introduced themselves, gained and exploited their trust, any warning signs or red flags, etc.
Their experience could make for a valuable lesson and prevent future occurrences.
- hintymad 1 year ago: From what I read, it looks like it was not really social engineering per se but the good old way of earning trust, just like any ordinary engineer: the intruder joined the project three years ago and started to contribute patches. He also made good suggestions on design changes. Eventually he became a committer because he consistently made valuable contributions to the project.
P.S., this does not look like an individual's behavior. It's hard to imagine that an individual would spend three years just to plant a backdoor in sshd.
- puffybuf 1 year ago: It looks like he made multiple sock puppet accounts talking to himself on the mailing lists: https://boehs.org/node/everything-i-know-about-the-xz-backdo...
He made a sock puppet asking Debian to update the package in 'unstable' (along with other package update requests so it wouldn't look suspicious).
- em-bee 1 year ago: Given how widespread sshd is, I'd think it is realistic because the payoff would just be worth it if successful. The whole thing is also complex enough that it would take a while to develop. The attacker starts learning the internals of xz and in the process they develop the skills to contribute patches. So development of the attack and gaining trust go hand in hand.
- lamontcg 1 year ago: I mean that is still social engineering, it is just really long-game social engineering.
And IDK that we've entirely ruled out that Jia Tan didn't wind up being blackmailed or coerced or something -- although if they were really running sockpuppets to get themselves added to the project up front that is probably less likely.
- treffer 1 year ago: There has been a lot said to not throw shit at Lasse Collin. This post is reassuring.
It was said he is on an internet break at the moment, so I hope this doesn't ruin weeks for him. It's thankless enough to maintain something like xz.
- wooque 1 year ago: How do we know this is the real Lasse Collin and not the same person behind the Jia Tan persona, who now tries to de-escalate and make it look like the original maintainer is back in charge?
- cpach 1 year ago: Main thread here: https://news.ycombinator.com/item?id=39865810
- Alifatisk 1 year ago: What can one do after having this installed? What are the consequences for a machine with this installed but not connected to the WAN?
- arthur2e5 1 year ago: No known consequence, assuming...
(1) changing the RSA decrypt function in OpenSSH is all the code hidden in crc64 does: that's the only known behavior, but we don't know what the changed function does besides letting some authentication through, nor do we know if there are other things it does;
(2) there's no malicious machine in your LAN exploiting the RSA decrypt to log onto your sshd: nobody has seen one yet, but it doesn't mean there's no such thing.
If you are not using a distro that does dpkg or rpm, or if your machine is not x86-64, you're free from the "code hidden in crc64", the one that targets sshd, CVE-2024-3094. Are there unknown backdoors? Who knows. Do we count the landlock sabotage as a backdoor?
It's hard to deal with unknowns. Assume the worst, maybe, but what even is the worst?
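The comment above names three preconditions for the sshd-targeting payload of CVE-2024-3094: a dpkg- or rpm-based distro, an x86-64 machine, and an sshd that loads liblzma. The following POSIX shell script is an added triage helper written for this page; it is not code from the thread, from xz, or from OpenSSH. It turns those three preconditions into checks, runs them over a constructed `ldd` listing (not captured from a real host) and then, if `sshd` and `ldd` are present, over the live host. It deliberately does not decide whether the installed liblzma is a malicious build, since that requires the affected-version list from a distribution advisory, which this page does not reproduce; a verdict of "exposed" here means only "verify liblzma before trusting this host".

```shell
#!/bin/sh
# Added triage helper (not code from the thread, xz, or OpenSSH).
# Encodes the three preconditions given for the sshd-targeting part of
# CVE-2024-3094: dpkg/rpm distro, x86-64 machine, sshd loads liblzma.
# It does NOT judge whether liblzma itself is a malicious build.

# Constructed samples of `ldd /usr/sbin/sshd` output (not from a real host).
SAMPLE_LDD_LINKED='linux-vdso.so.1 (0x00007ffd00000000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000400000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000800000)'
SAMPLE_LDD_CLEAN='linux-vdso.so.1 (0x00007ffd00000000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)'

# "yes" if the ldd listing in $1 shows liblzma being loaded into the binary.
ldd_loads_liblzma() {
    case "$1" in
        *liblzma.so*) echo yes ;;
        *) echo no ;;
    esac
}

# "yes" if the machine string in $1 (as printed by `uname -m`) is x86-64.
arch_is_x86_64() {
    case "$1" in
        x86_64|amd64) echo yes ;;
        *) echo no ;;
    esac
}

# "yes" if $1 names a dpkg- or rpm-based package manager.
pkg_mgr_is_dpkg_or_rpm() {
    case "$1" in
        dpkg|rpm) echo yes ;;
        *) echo no ;;
    esac
}

# Detect which package manager is present on this host: dpkg, rpm or none.
detect_pkg_mgr() {
    if command -v dpkg >/dev/null 2>&1; then echo dpkg
    elif command -v rpm >/dev/null 2>&1; then echo rpm
    else echo none
    fi
}

# Combine the three checks. Prints "exposed: ..." only when all hold,
# otherwise "not-exposed: ..." naming the first precondition that fails.
# Always returns 0 so callers read the verdict text, not the exit status.
triage() {
    pkg="$1"; arch="$2"; ldd_out="$3"
    if [ "$(pkg_mgr_is_dpkg_or_rpm "$pkg")" != yes ]; then
        echo "not-exposed: package manager is '$pkg', not dpkg or rpm"
    elif [ "$(arch_is_x86_64 "$arch")" != yes ]; then
        echo "not-exposed: architecture is '$arch', not x86-64"
    elif [ "$(ldd_loads_liblzma "$ldd_out")" != yes ]; then
        echo "not-exposed: sshd does not load liblzma"
    else
        echo "exposed: all preconditions hold; verify liblzma before trusting this sshd host"
    fi
}

# Live run against this host, skipped when sshd or ldd is unavailable.
run_live() {
    sshd_path=$(command -v sshd 2>/dev/null || true)
    if [ -z "$sshd_path" ] || ! command -v ldd >/dev/null 2>&1; then
        echo "live check skipped: sshd or ldd not found"
        return 0
    fi
    triage "$(detect_pkg_mgr)" "$(uname -m)" "$(ldd "$sshd_path" 2>/dev/null)"
}

# Demonstrate on the constructed samples, then on the live host.
echo "sample (liblzma linked): $(triage dpkg x86_64 "$SAMPLE_LDD_LINKED")"
echo "sample (liblzma absent): $(triage dpkg x86_64 "$SAMPLE_LDD_CLEAN")"
echo "sample (aarch64):        $(triage rpm aarch64 "$SAMPLE_LDD_LINKED")"
run_live
```

The checks are split into small functions that take their input as arguments rather than reading the host directly, so the same logic can be run against a captured `ldd` listing from another machine or against the constructed samples without touching the live system.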
- treffer 1 year ago: Well, I am skeptical about (2).
It is unclear what exploiting means. The backdoor is doing _something_ for 0.5s if an RSA key exchange happens.
So even a valid login might trigger not yet known side effects. It might just tunnel commands over DNS, for example (DNS being a well known side effect of ssh anyway).
So "exploiting" might mean as little as "used ssh".
- puffybuf 1 year ago: Presumably they wanted this backdoor hidden, so they wouldn't want it doing things that could expose it. I'm under the impression it simply modifies memory when sshd loads the xz library, adding its own hooks and just waiting for the proper login signal. I doubt it "phones home" as this could expose its existence, but we'll have to wait until it is analyzed thoroughly.
- treffer 1 year ago: Assume that a backdoor was injected and activated, especially if you ever ssh'd into the machine.
The backdoor is not fully analyzed as of now. As such nothing can be said about the system besides "it is potentially compromised".
- legobmw99 1 year ago: You really have to feel for the author. Stepping aside for personal reasons and having someone else take up the mantle of a project is supposed to be a success story of open source - I myself have been on both sides of that process before.
For it to turn out like this is incredibly disappointing.
- rurban 1 year ago: Well, at least it was detected pretty early, and is contained.
Extremely wicked backdoor, but he only lost the main maintainer and GitHub. GitHub will be reactivated soon for him, so others can take over.
- kzrdude 1 year ago: Is it that easy? I figured he'd face an uphill battle himself - people might not trust him either, by association, or by fear that his accounts have been compromised (and are now impersonating him).