[kwlug-disc] Fw: Backdoor found in widely used Linux utility

[Ronald Barnes]

Ron Singh wrote on 2024-03-29 17:48:

> see his git repo here --
> https://github.com/JiaT75 <https://github.com/JiaT75>
> 
> Sheesh, a long-time trusted dev succumbing to the dark side?

Not really, he(?) seems to have ingratiated himself with the beleaguered 
maintainer of xz, perhaps with a couple of sock puppets (people with 
Scandanavian and Indian(?) names).

After some seemingly innocuous commits, one sock puppet pushed for a new 
maintainer to xz, which JiaT75 became, then another sock puppet pushed 
the Debian maintainers to incorporate these great new xz features into 
their repos. Then disappeared.


This backdoor was only caught because someone happened to be testing 
performance on his machine, and he noticed failed ssh connections were 
taking too long (a mere ½ second).

Some profiling indicated a lot of that time was spent in lzma, so he 
poked around some more and ...


That guy saved the world from another HeartBleed + an OSS SolarWinds 
supply chain attack that would've compromised sshd on almost all Linux 
systems worldwide.


Holy shit, we dodged a bullet there.

This was an extremely crafty attack that seems to have been building 
over the course of a couple of years.


This did not require users to have xz invoked, nor even installed. The 
Linux kernel uses it for squashfs.

Debian and Fedora at least began the process to incorporate this.

The brew package manager for Macs actually did push it out, then rolled 
it back.


Kali Linux was distributing infected ISOs for a few days.


Major malware attack averted - barely.


rb