this post was submitted on 29 Mar 2024
670 points (99.4% liked)

Technology

58303 readers
16 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” an official with distributor OpenWall wrote in an advisory. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here.

On Thursday, someone using the developer's name took to a developer site for Ubuntu to ask that the backdoored version 5.6.1 be incorporated into production versions because it fixed bugs that caused a tool known as Valgrind to malfunction.

“This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass,” the person warned, from an account that was created the same day.

One of maintainers for Fedora said Friday that the same developer approached them in recent weeks to ask that Fedora 40, a beta release, incorporate one of the backdoored utility versions.

“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added),” the Ubuntu maintainer said.

He has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 123 points 8 months ago (4 children)

Dude seems like a foreign asset

[–] [email protected] 86 points 8 months ago* (last edited 8 months ago) (2 children)

Jia Tan, University of Hong Kong in China. He’s been the sole maintainer of the package for almost two years.

[–] [email protected] 86 points 8 months ago (1 children)

Looks like he'd done a lot for various US companies on his LinkedIn.

I would not be surprised if he was previously legit but pressured into doing this by the CCP.

[–] [email protected] 29 points 8 months ago (2 children)

Maybe he wasn't sloppy by accident if he was indeed coerced by someone. I don't think we'll ever find out the backstory of this though.

load more comments (2 replies)
[–] [email protected] 32 points 8 months ago (1 children)

It would make more sense to compromise developers in trusted positions, or steal their credentials, than going through the time and effort of building trusted users and projects only to burn them with easily spotted vulnerabilities.

[–] [email protected] 16 points 8 months ago

This wasn't easily spotted. They use words like sloppy, but it all started with someone digging in because starting ssh season was about a half second slower that it used to be. I could easily imagine 99.99% of people shrugging and deciding just something in the chain of session startup took a bit longer for a reason not worth digging into.

Also, this was a maintainer that just started two years ago. xz is much older than that, just he took over.

load more comments (3 replies)
[–] [email protected] 97 points 8 months ago* (last edited 7 months ago) (5 children)

From the article...

Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that's only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

Is auditing for security reasons ever done on any open source code? Is everyone just assuming that everyone else is doing it, and hence no one is really doing it?


EDIT: I'm not attacking open source, I'm a big believer in open source.

I'm just trying to start a conversation about a potential flaw that needs to be addressed.

Once the conversation was started I was going to expand the conversation by suggesting an open source project that does security audits on other open source projects.

Please put the pitchforks away.

Edit2: This is not encouraging.

[–] 5C5C5C 58 points 8 months ago (42 children)

You're making a logical fallacy called affirming the consequent where you're assuming that just because the backdoor was caught under these particular conditions, these are the only conditions under which it would've been caught.

Suppose the bad actor had not been sloppy; it would still be entirely possible that the backdoor gets identified and fixed during a security audit performed by an enterprise grade Linux distribution.

In this case it was caught especially early because the bad actor did not cover their tracks very well, but now that that has occurred, it cannot necessarily be proven one way or the other whether the backdoor would have been caught by other means.

[–] [email protected] 22 points 8 months ago (4 children)

Also they are counting the hits and ignoring the misses. They are forgetting that sneaking a backdoor into an open source project is extremely difficult because people are reviewing the code and such a thing will be recognized. So people don't typically try to sneak back doors in. Also, backdoors have been discovered in an amazing amount of closed source projects where no one was even able to review the code.

load more comments (4 replies)
load more comments (41 replies)
[–] [email protected] 29 points 8 months ago* (last edited 8 months ago) (1 children)

Having once worked on an open source project that dealt with providing anonymity - it was considered the duty of the release engineer to have an overview of all code committed (and to ask questions, publicly if needed, if they had any doubts) - before compiling and signing the code.

On some months, that was a big load of work and it seemed possible that one person might miss something. So others were encouraged to read and report about irregularities too. I don't think anyone ever skipped it, because the implications were clear: "if one of us fails, someone somewhere can get imprisoned or killed, not to speak of milder results".

However, in case of an utility not directly involved with functions that are critical for security - it might be easier to pass through the sieve.

load more comments (1 replies)
[–] [email protected] 20 points 8 months ago (1 children)

Auditing can be done only on open source code. No code = no audit. Reverse engieneering doesn't count.

load more comments (1 replies)
[–] [email protected] 16 points 8 months ago (2 children)

The answer is the same as closed source software: sometimes.

But that's beside the point, a security audit is not perfect. Plenty of audited codebases are the source of security vulnerabilities in the wild. We know based on analysis that the malicious actor's approach would have a high chance of successfully hiding from a typical security audit.

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 94 points 8 months ago* (last edited 8 months ago) (3 children)

Thankfully this was discovered before hitting stable distros but I'm hoping it increases scrutiny across the board. We dodged a bullet on this one.

[–] [email protected] 21 points 8 months ago

Across the board indeed. Scrutiny in code is one thing, where this story, as far as is known right now, really went south is the abuse of a trusted, but vulnerable, member of the community.

I know the (negative) spotlight is targeting Jia Tan right now (and who knows if they (still) exist), but I really hope Larhzu is doing okay. Who's name is mentioned in the same articles.

Mental health is a serious issue, that, if you read the back story, is easily ignored or abused. And it wasn't an unknown in this story. Don't only check the code, check up on your people too.

[–] [email protected] 13 points 7 months ago

This is why I run debian oldstable.

Or maybe it's because I'm too lazy to do a dist-upgrade.

load more comments (1 replies)
[–] [email protected] 81 points 8 months ago (4 children)

Long game supply chain attacks, pretty much going to be state actors. And I wouldn't chalk it up to the usual malicious ones like China and Russia. This could be the NSA just as easily.

[–] [email protected] 33 points 8 months ago (3 children)

I honestly think the NSA has changed. If you look at the known backdoors they haven't got caught making any new backdoors since like 2010. Their MO also seems to be more hardware and encryption (more of an observational charter) than manipulation.

There's also evidence US Congress acted to stop the NSA from doing these underhanded tacits at least once https://www.wired.com/story/nsa-backdoors-closed/

They're not idiots, lots of smart people there that surely understand the risk of something like this to US national security interests. It's not the NSA that's been asking for encryption to be broken in recent years. They've been warning about quantum threats and ... from what I'm aware of actually been taking on the defensive role they were conducted to perform https://gizmodo.com/nsa-plans-to-act-now-to-ensure-quantum-computers-cant-b-1757038212

This seems like something that could actually be weaponized against predominantly western technology companies so I'd be very surprised if it was them and very surprised if they used someone that appears to be a Chinese born resident to do it.

[–] [email protected] 33 points 8 months ago (6 children)

I really can't believe they've stopped. Their mentality is "national security has no morals". They'll do everything they can do to facilitate that mission, though not getting caught is a big part of the facade they need to put on to keep or renovate their image to do this.

Maybe they're being more careful, and doing simple things like putting in timestamps that emulate working hours in other timezones are certainly the first thing they're going to think about. That one has always cracked me up, security researchers point to it like it's proof of something, which is ridiculous. Just like our people are smart, I don't think the foreign actors are dumb either.

And before you say it, I'd be all over not being paranoid if it hadn't been proven to me time and again that these agencies won't change, that they don't give a shit about what's right if it gets in the way of their mandate. The only thing that might change is how well they hide things now and intimidate their people into staying quiet. Because potential whistleblowers have seen the examples that have been made.

[–] 5C5C5C 15 points 8 months ago* (last edited 8 months ago)

Personally I suspect they're getting all the information they care about via subpoenas on big data and social media companies. They don't have a need to compromise security on a technical level anymore because the justice system itself is compromised. That means backdoors only benefit national enemies at this point, so the NSA of today would rather those not exist at all.

Of course that's not to say anyone should trust those agencies at their word on anything.

load more comments (5 replies)
[–] [email protected] 13 points 8 months ago (3 children)

That's not true, Shadow broker leaks for example contained 0-day found by the NSA well after 2010. And that's only what got published, there's probably more !

load more comments (3 replies)
load more comments (1 replies)
[–] [email protected] 21 points 8 months ago (1 children)

I don't know man. Imagine you could have ssh access to every Debian and fedora server on the planet, and all you had to do was write tests for some compression library for 2 years and sneak in a clever patch. I'd guess such an exploit is worth millions. You wouldn't work 2 years for millions of dollars?

This is sophisticated but it doesn't have to be a state actor.

load more comments (1 replies)
load more comments (2 replies)
[–] [email protected] 66 points 8 months ago (3 children)

There are no known reports of those versions being incorporated into any production releases for major Linux distributions

...

A stable release of Arch Linux is also affected.

... BTW.

[–] [email protected] 15 points 8 months ago

The malicious code is only thought to have affected deb/rpm packaging (i.e the backdoor only included itself with those packaging methods). Additionally, arch doesn't link ssh against liblzma which means this specific vulnerability wasn't applicable to arch. Arch may have still been vulnerable in other ways, but this specific vulnerability targeted deb/rpm distros

[–] [email protected] 14 points 8 months ago

I liked the joke, but ya arch is not compromised. Check out this user's detailed comment.

https://feddit.de/comment/8782369

load more comments (1 replies)
[–] [email protected] 55 points 8 months ago

This is really bad.

[–] [email protected] 54 points 8 months ago
[–] [email protected] 50 points 8 months ago

The backdoor has existed for a month at least. Yikes.

https://www.openwall.com/lists/oss-security/2024/03/29/4

[–] [email protected] 43 points 8 months ago* (last edited 8 months ago) (10 children)

A stable release of Arch Linux is also affected. That distribution, however, isn't used in production systems.

Shots fired!

It seems WSL Ubuntu and Kali are safe with versions 5.2.5 and 5.4.4 installed respectfully.

load more comments (10 replies)
[–] [email protected] 43 points 8 months ago (7 children)

The backdoor appears to specifically target RSA public key authentication, so they must have had a target in mind that they know uses RSA keys.

load more comments (7 replies)
[–] [email protected] 32 points 8 months ago (1 children)
[–] [email protected] 12 points 8 months ago* (last edited 8 months ago)
[–] [email protected] 20 points 8 months ago (13 children)

Please help me as a novice Linux user- is this something that comes preinstalled with Mint Cinnamon? And if so, what can I do about it?

[–] [email protected] 18 points 8 months ago (1 children)

As the other person said it’s likely that xz is already installed on your system, but almost certainly a much older version than the compromised one. It’s likely that no action is required on your part assuming you’ve not been downloading tarballs of bleeding edge software.

As the other person said, just keep doing updates as soon Mint recommends them (since it’s based on Ubuntu LTS, it’s a lot less likely to have these bleeding edge vulnerabilities).

load more comments (1 replies)
[–] [email protected] 17 points 8 months ago (5 children)

You're good. Even if you do use xz and ssh the version with the vulnerability only made it's way to rolling release distros or beta version of distros like fedora 40

load more comments (5 replies)
load more comments (11 replies)
[–] [email protected] 18 points 8 months ago (2 children)

openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.

[–] [email protected] 23 points 8 months ago (1 children)

It’s all systemds fault, got it.

[–] [email protected] 11 points 8 months ago* (last edited 8 months ago)

Do it all? Then you did it all, motherfucker.

load more comments (1 replies)
load more comments
view more: next ›