1y ago

WARNING: Malicious code in current pre-release & testing versions/variants: F40 and rawhide affected - users of F40/rawhide need to respond

discussion.fedoraproject.org WARNING: Malicious code in current pre-release & testing versions/variants: F40 and rawhide affected - users of F40/rawhide need to respond

The xz package that has already entered the current F40 pre-release versions/variants and rawhide contains malicious code. This does NOT affect users of the Fedora releases (F38, F39 are thus not affected), but all users who use already F40 pre-release versions/variants or rawhide shall read this: ...

WARNING: Malicious code in current pre-release & testing versions/variants: F40 and rawhide affected - users of F40/rawhide need to respond

71 comments

I'm genuinely disturbed that a person who was a core developer could just go rogue.
- From what I've been reading, it sounds like they were malicious from the very beginning. The work to integrate the malware goes back to 2021. https://boehs.org/node/everything-i-know-about-the-xz-backdoor
  It's an extremely sophisticated attack that was hidden very well, and was only accidentally discovered by someone who noticed that rejected SSH connections (eg invalid key or password) were using more CPU power and taking 0.5s longer than they should have. https://mastodon.social/@AndresFreundTec/112180406142695845
  
  From that post, commits set to UTC+0800 and activity between UTC 12-17 indicate that the programmer wasn't operating from California but from another country starting with C. The name is also another hint.
  
  Unrelated, I really like the idea that the author of that blog post to place the favicon near each link
- Yeah, what if they go blue next?
  (It's rogue not rouge)
  
  I'm pretty sure you just said the same word twice
- I'm kinda hoping it was just that a state sponsored attacker showed up on their door and said "include this snippet or else..." otherwise it's terrifying thinking of someone planning some long con like this
  We are all relying on the honesty of a few overworked volunteers...
  
  They could of been working for Russia or someone else

could this be a nation-state attack? since jiat75 spent multiple years developing a fake persona and it seems like a lot of effort was put into this
- probably some agent from the country that starts with R, or from that other country that starts with C, or from one of those silly three-letter organizations

I'm on Void, and I had the malicious version installed. Updating the system downgraded xz to 5.4.6, so it seems they are on it. I'll be watching discussions to decide if my system might still be compromised.
- Did you have SSH open to the internet?
  
  No, this is just my personal laptop. I don't even have access to an IP address I could enable port-forwarding on.
  
  @Auli @56 I have SSH open on internet… on ipv6, I’m safe. Do you think VPN open on the internet is safer ? (Think twice CVE-2024-21762…)
- I would nuke it and rebuild. If nothing else it is a good test of backups

some people in my mastodon feed are suggesting that the backdoor might have connected out to malicious infrastructure or substituted its own SSH host keys, but I can't find any clear confirmation. More info as the investigation progresses.
I guess at this point if you're on Fedora 40 or rawhide clear / regen your host keys, even after xz version rollback
- or substituted its own SSH host keys,
  why would the backdoor do that? It would immediately expose itself because every ssh client on the planet warns about changed host keys when connecting.
  
  Perhaps it was a poorly worded way of suggesting that invalidating host keys would invalidate all client keys it could potentially generate? Either way it's a lot of speculation.
  Resetting the keys and SSH config on any potentially compromised host is probably not a terrible idea
- If you are on a affected system I would nuke from orbit.
  
  Nuke from orbit might be an overreaction, if you need that machine perhaps disable ssh or turn the machine off until later next week when the postmortems happen. If you need that trusted machine now, then yes fresh install

What is the name of the software that is affected??
- Hard to tell from first glance but my guess would be this is fallout from the ongoing xz drama. Here: https://www.openwall.com/lists/oss-security/2024/03/29/4
  Also: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
- xz is the compromised package, but it in turn compromises ssh authentication
  
  In turn it ~~compromises ssh authentication~~ allows remote code execution via system(); if the connecting SSH certificate contains the backdoor key. No user account required. Nothing logged anywhere you'd expect. Full root code execution.
  https://news.ycombinator.com/item?id=39877312
  There is also a killswitch hard-coded into it, so it doesn't affect machines of whatever state actor developed it.
  https://news.ycombinator.com/item?id=39881018
  It's pretty clear this is a state actor, targeting a dependency of one of the most widely used system control software on Linux systems. There are likely tens or hundreds of other actors doing the exact same thing. This one was detected purely by chance, as it wasn't even in the code for ssh.
  If people ever wonder how cyber warfare could potentially cause a massive blackout and communications system interruption - this is how.
- Microsoft Edge.

I am looking at these gaggle of posts and all of lemmy is flooded with this and then think that there is an entire Spyware OS on the other side... Which who knows what code it runs and people are chill about it. I am so thankful for this community.

Makes you wonder how many of these are out there that have not been found?
- Github has been turning into malwarehub.

Damn, I had a malicious version installed on my Arch machine. I've since done a system update which removes the backdoor, but looking more into it, it does seem that only fedora and debian(?) are affected/targeted but better safe than sorry.
- I guess this is one of those instances where Manjaro holding back packages makes it more secure than Arch, not less.

Using the F40 preview with KDE and a regular update from Discover rolled xz back to the known good version 5.4.6

Well, there's also malicious code in the proprietary binary blobs of the drivers and those run with kernel privilege. At least that one we see what it does.

Running Ubuntu 23.10 with xz-utils 5.41 which is unaffected. Versions 5.6.0 and 5.6.1 are the malicious packages. I used Synaptic Package Manager to search for it.
- The bad actor had a launchpad bug to pull it into the Ubuntu LTS beta. Serious kudos to the person who discovered it, literally in the nick of time.
  
  Same story with Fedora
- On Ubuntu the only affected people were those running the prerelease of Ubuntu 24.04 who had installed the update from the proposed pocket.

And the one main issue with FOSS rears its ugly head – freedom of contribution also means freedom of bad contributions.
- This happens in close source software too. You just don't find out about it until it gets bad enough.

So far I was affected on termux. There is already package update.

Bad title. This is CVE-2024-3094. Run "xz --version" to see if you are affected.
- "Run the affected binary to see if you have it"
- AFAIK it‘s better to use rpm -q xz xz-libs (copied from the forum replies) to avoid running xz itself just in case the affected version is already installed
- If you go to the post, on the comments, there is someone that is already telling you to run dnf list xz --installed. So you don't need to run xz directly.
- If you are checking out the extent of damage on your system do not use ldd to check the links.
  You can inadvertently executed the exploit this way.

USE WINDOWS.
- if this happened on windows probably no one would have noticed it until a large cyberattack happened, also, using that logic no one should be using CPU's created after 1995 due to meltdown / spectre
  
  Hahaha irritating isn't it?

71 comments