Author Topic: This is a scary one ... CVE-2024-3094  (Read 3878 times)

0 Members and 1 Guest are viewing this topic.

Offline bingo600Topic starter

  • Super Contributor
  • ***
  • Posts: 2002
  • Country: dk
This is a scary one ... CVE-2024-3094
« on: March 30, 2024, 06:12:55 am »
Dammm

This one is scary - Malicious code in liblzma upsream code detected.
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Especially because it might be "An inside job"

Multistage planned, and "impressingly well done"  :-\

Right now ... Prob only bleeding edge installs are affected.
But since it was in upstream, if not detected. It would have propagated.
My Ubu 22.04 or Deb12 arent affected.


Edit:
Just beggining to look at this one - Doesn't look nice too
https://pwning.tech/nftables/
« Last Edit: March 30, 2024, 06:17:32 am by bingo600 »
 
The following users thanked this post: nctnico, RAPo

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14690
  • Country: fr
Re: This is a scary one ... CVE-2024-3094
« Reply #1 on: March 30, 2024, 07:51:43 am »
Wow.

Note that the official github account on which the repo was hosted has been taken down: https://github.com/tukaani-project/xz
This is serious stuff here.
« Last Edit: March 30, 2024, 07:57:35 am by SiliconWizard »
 

Offline bingo600Topic starter

  • Super Contributor
  • ***
  • Posts: 2002
  • Country: dk
Re: This is a scary one ... CVE-2024-3094
« Reply #2 on: March 30, 2024, 08:33:49 am »
Wow.

Note that the official github account on which the repo was hosted has been taken down: https://github.com/tukaani-project/xz
This is serious stuff here.

Yupp

But if correct ... Then "adding" "extra key-sigs" to SSH ... IS SERIOUS

One can only wonder : WHY did the Author(s) do it ?  - Especially if it's an inside job ...

Smells somewhat of "3 letters" from whatever country.

« Last Edit: March 30, 2024, 08:35:59 am by bingo600 »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7880
  • Country: de
  • A qualified hobbyist ;)
 
The following users thanked this post: bingo600, golden_labels


Offline bingo600Topic starter

  • Super Contributor
  • ***
  • Posts: 2002
  • Country: dk
Re: This is a scary one ... CVE-2024-3094
« Reply #5 on: March 30, 2024, 12:07:03 pm »
From comments in the above faq:

 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7880
  • Country: de
  • A qualified hobbyist ;)
Re: This is a scary one ... CVE-2024-3094
« Reply #6 on: March 30, 2024, 01:02:16 pm »
One can only wonder : WHY did the Author(s) do it ?  - Especially if it's an inside job ...

It wasn't the original maintainer, but someone called 'Jia Tan' (joined the project two years ago).

Smells somewhat of "3 letters" from whatever country.

Indeed! From all the information available I see many hints pointing to a long term covert operation of a state actor. And in this case the collateral damage would have been HUGE. Luckily Andres came across the backdoor early before the new xz-util version could go mainstream. They even tried to push v5.6.1 for several linux distributions. We have to be more cautious and diligent with checking code commits, no matter if its a large and critical project or some tiny and boring one.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6956
  • Country: ca
Re: This is a scary one ... CVE-2024-3094
« Reply #7 on: March 30, 2024, 01:42:55 pm »
Every time an exploit or attack happens that receives wide attention we are told it was "very sophisticated" one created by an army of uniformed people from an evil state. After the hype dies it turnes out that it was done by a  bored 16 year old kiddy in grandmo's basement.
« Last Edit: March 30, 2024, 02:16:55 pm by Bud »
Facebook-free life and Rigol-free shack.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7880
  • Country: de
  • A qualified hobbyist ;)
Re: This is a scary one ... CVE-2024-3094
« Reply #8 on: March 30, 2024, 01:45:04 pm »
Interesting timeline (work in progress) with details about who did what and when:

Everything I Know About the Xz Backdoor: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
 

Offline bingo600Topic starter

  • Super Contributor
  • ***
  • Posts: 2002
  • Country: dk
Re: This is a scary one ... CVE-2024-3094
« Reply #9 on: March 30, 2024, 02:33:08 pm »
From
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5006017#gistcomment-5006017

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

Unofficial discussions on Debian downgrading to 5.3.1

If 5.4.x is hit too by something ... They committed 700+ patches "there"
Then my DEB12's are at risk ....
And i just upgraded from 11 to 12 , like 3 weeks ago  |O

Code: [Select]
$xz --version
xz (XZ Utils) 5.4.1
liblzma 5.4.1

I'm glad i haven't got any linuxes exposed directly on @
All are behind a firewall (not linux)
Well mailserver has Port 25 open (portforwarded via fwall) ... That's all
And my mailserver is still at Deb11  :D :D :D

Code: [Select]
$ xz --version
xz (XZ Utils) 5.2.5
liblzma 5.2.5
« Last Edit: March 30, 2024, 02:52:48 pm by bingo600 »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7880
  • Country: de
  • A qualified hobbyist ;)
Re: This is a scary one ... CVE-2024-3094
« Reply #10 on: March 30, 2024, 02:40:55 pm »
Every time an exploit or attack happens that receives wide attention we are told it was "very sophisticated" one. After some time it becomes known that it was done by a 16 year old kiddy.

I don't have that impression. Most attacks or exploits don't make it into mainstream media anyway, and stay in the admin or security world. At the moment mainstream media reports primarily about new victims of crypto trojans. There were only a few reports about recent Microsoft disasters (in reality MS needs to be considered totally compromised). I'd say that the largest chunk of attacks is performed by cybercriminals, followed by state actors or state sponsored groups, some hackers (for fun and fame), script kiddies trying to become hackers, and at last the odd 16 year old. I can hardly imagine a 16 year old kiddy playing with m4 (a macro language, well known to sendmail users, used for the xz-utils backdoor).
 

Offline bingo600Topic starter

  • Super Contributor
  • ***
  • Posts: 2002
  • Country: dk
Re: This is a scary one ... CVE-2024-3094
« Reply #11 on: March 30, 2024, 02:57:07 pm »
I can hardly imagine a 16 year old kiddy playing with m4 (a macro language, well known to sendmail users, used for the xz-utils backdoor).

Me neither

I'm using sendmail.
And after reading the "Bat book" ... I still think that when Stallman wrote m4  he must have been "on mushrooms" ... (Read as a joke)

 
The following users thanked this post: abeyer, eutectique

Offline madires

  • Super Contributor
  • ***
  • Posts: 7880
  • Country: de
  • A qualified hobbyist ;)
Re: This is a scary one ... CVE-2024-3094
« Reply #12 on: March 30, 2024, 02:57:19 pm »
Unofficial discussions on Debian downgrading to 5.3.1

If 5.4.x is hit too by something ... They committed 700+ patches "there"
Then my DEB12's are at risk

No need to panic! Let's wait and see what code reviews will dig up. Those 700+ commits could be real fixes, improvements, added features and so on. And we also don't know yet what the concrete impact on sshd is. But I agree that a reasonable precaution would be to limit ssh access.
 

Online shapirus

  • Super Contributor
  • ***
  • Posts: 1574
  • Country: ua
Re: This is a scary one ... CVE-2024-3094
« Reply #13 on: March 30, 2024, 03:41:14 pm »
Debian team was quick to push a fix.

I love the version number:

Code: [Select]
$ apt show xz-utils
Package: xz-utils
Version: 5.6.1+really5.4.5-1

changelog:

Code: [Select]
xz-utils (5.6.1+really5.4.5-1) unstable; urgency=critical

  * Non-maintainer upload by the Security Team.
  * Revert back to the 5.4.5-0.2 version

 -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 28 Mar 2024 15:59:38 +0100

 

Offline bingo600Topic starter

  • Super Contributor
  • ***
  • Posts: 2002
  • Country: dk
Re: This is a scary one ... CVE-2024-3094
« Reply #14 on: March 30, 2024, 03:52:00 pm »
Debian team was quick to push a fix.

I love the version number:

Code: [Select]
$ apt show xz-utils
Package: xz-utils
Version: 5.6.1+really5.4.5-1

If it's 5.4.5.x+ that's affected.
Then my Deb12's
Code: [Select]
xz --version
xz (XZ Utils) 5.4.1
liblzma 5.4.1

Are in the clear ... for now   8)

« Last Edit: March 30, 2024, 03:54:06 pm by bingo600 »
 

Online shapirus

  • Super Contributor
  • ***
  • Posts: 1574
  • Country: ua
Re: This is a scary one ... CVE-2024-3094
« Reply #15 on: March 30, 2024, 04:11:09 pm »
If it's 5.4.5.x+ that's affected.
5.6.0+, as far as the backdoor in question is considered.


Then my Deb12's
Code: [Select]
xz --version
xz (XZ Utils) 5.4.1
liblzma 5.4.1

Are in the clear ... for now   8)
Yes, for now. It remains to be seen if any of the code committed by that person has other vulnerabilities. As far as I understand, the original author is currently reviewing all of those commits.

I wonder if force pushes were allowed on that repo. If they were, it'll make audit much more complicated.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1258
  • Country: pl
Re: This is a scary one ... CVE-2024-3094
« Reply #16 on: March 30, 2024, 06:15:07 pm »
The attacker was very focused at what they did, so many distributions may be unaffected even if they ship 5.6 branch. For example on Arch Linux sshd is not even using liblzma. The author might’ve hidden more surprises, but for now there is no indication other commits were malicious. It’s possible they either used them to build reputation or the identity was stolen.

It’s also worth noting that xz was affected, but the person was active elsewhere too. Code they experimented with included LZ4, libarchive, zstd (Meta) and Microsoft docs. They didn’t commit to these repos, but the bullets might’e missed us by inches. They also worked with many unspecified proprietary repositories.

In general I’d say it’s best to let the dust settle and wait for the news from people, who are currently working on resolving the issue. Sensationalism isn’t serving anybody in this case. At worst it may open opportunities for FUD or be noticed by general population media.

Every time an exploit or attack happens that receives wide attention we are told it was "very sophisticated" one created by an army of uniformed people from an evil state. After the hype dies it turnes out that it was done by a  bored 16 year old kiddy in grandmo's basement.
These two are not mutually exclusive. Perhaps wearing an uniform in grandma’s basement may be inconvenient, but don’t get carried away with the perfection level achieved in government agencies. It’s primarily a matter of organisation, funding and coördination, not personal skills.

The sophistication level is in this case in plain sight too. That’s not an opinion of anonymous TV expert: what the attacker done has been outlined and you can compare that to baseline.
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline bingo600Topic starter

  • Super Contributor
  • ***
  • Posts: 2002
  • Country: dk
Re: This is a scary one ... CVE-2024-3094
« Reply #17 on: March 30, 2024, 06:22:34 pm »
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6956
  • Country: ca
Re: This is a scary one ... CVE-2024-3094
« Reply #18 on: March 30, 2024, 06:28:44 pm »
"Apparently". Yes, a good one to my collection of "seems to", "we speculate", "potentially", "could be", and such.

Show me the MEAT, not your creative thinking.
Facebook-free life and Rigol-free shack.
 

Offline bingo600Topic starter

  • Super Contributor
  • ***
  • Posts: 2002
  • Country: dk
Re: This is a scary one ... CVE-2024-3094
« Reply #19 on: March 30, 2024, 06:46:40 pm »
"Apparently". Yes, a good one to my collection of "seems to", "we speculate", "potentially", "could be", and such.

Show me the MEAT, not your creative thinking.

What got in to you ?  :-//
Did you even read the link's

Apparently was chosen as the wording, because it has not been confirmed by others yet (single source)


 

Online radar_macgyver

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: us
Re: This is a scary one ... CVE-2024-3094
« Reply #20 on: March 30, 2024, 07:16:04 pm »
Right now ... Prob only bleeding edge installs are affected.

I used buildroot a few days ago for an embedded target, and when I read about the xzutils CVE, I checked and the version reported is 5.4.4. My understanding is that buildroot pulls sources from the project's repos so would qualify as bleeding edge. Target is an iMX6, if that matters.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7880
  • Country: de
  • A qualified hobbyist ;)
Re: This is a scary one ... CVE-2024-3094
« Reply #21 on: March 30, 2024, 08:57:09 pm »
A nice explanation how the backdoor payload is obfuscated:

xz/liblzma: Bash-stage Obfuscation Explained: https://gynvael.coldwind.pl/?lang=en&id=782
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14690
  • Country: fr
Re: This is a scary one ... CVE-2024-3094
« Reply #22 on: March 30, 2024, 10:04:07 pm »
The attacker was very focused at what they did, so many distributions may be unaffected even if they ship 5.6 branch. For example on Arch Linux sshd is not even using liblzma. The author might’ve hidden more surprises, but for now there is no indication other commits were malicious. It’s possible they either used them to build reputation or the identity was stolen.

It’s also worth noting that xz was affected, but the person was active elsewhere too. Code they experimented with included LZ4, libarchive, zstd (Meta) and Microsoft docs. They didn’t commit to these repos, but the bullets might’e missed us by inches. They also worked with many unspecified proprietary repositories.

Yes, I'm on Arch, and xz did get affected. They let the 5.6.0 and 5.6.1 slip with this issue. It was quickly fixed though. So xz-5.6.0 is affected, xz-5.6.1-1 is affected, xz-5.6.1-2 is fixed. Check if you're concerned and if so, just update your system.
 

Online Nominal Animal

  • Super Contributor
  • ***
  • Posts: 6442
  • Country: fi
    • My home page and email address
Re: This is a scary one ... CVE-2024-3094
« Reply #23 on: March 30, 2024, 10:51:40 pm »
A good reminder that the human in the security chain is always the weakest link.  And that when you collaborate with someone on a widely-used project, make sure you know the actual human, including real-world traceability and contact when this kind of crap occurs.  A single e-mail address and connections via VPN is definitely not that.
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14690
  • Country: fr
Re: This is a scary one ... CVE-2024-3094
« Reply #24 on: March 30, 2024, 10:55:14 pm »
Yeah. And people wonder/complain about why it's so "difficullt" to contribute to projects such as Linux kernel or GCC. Maybe now you realize why.

Thing is, this kind of event may trigger the requirement to share one's identity in full for contributing to any open-source software, at some point. Which is something I'm not sure I like either.
So, I don't know how to tackle this other than by strict review processes, which are very time-consuming.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf