[kwlug-disc] Fw: Backdoor found in widely used Linux utility

Ronald Barnes ron at ronaldbarnes.ca
Sat Mar 30 05:50:36 EDT 2024


Ron Singh wrote on 2024-03-29 17:48:

> see his git repo here --
> https://github.com/JiaT75
> 
> Sheesh, a long-time trusted dev succumbing to the dark side?

Not really, he(?) seems to have ingratiated himself with the beleaguered 
maintainer of xz, perhaps with a couple of sock puppets (people with 
Scandinavian and Indian(?) names).

After some seemingly innocuous commits, one sock puppet pushed for a new 
maintainer to xz, which JiaT75 became, then another sock puppet pushed 
the Debian maintainers to incorporate these great new xz features into 
their repos. Then disappeared.


This backdoor was only caught because someone happened to be testing 
performance on his machine, and he noticed failed ssh connections were 
taking too long (a mere ½ second).

Some profiling indicated a lot of that time was spent in lzma, so he 
poked around some more and ...


That guy saved the world from another Heartbleed + an OSS SolarWinds 
supply chain attack that would've compromised sshd on almost all Linux 
systems worldwide.


Holy shit, we dodged a bullet there.

This was an extremely crafty attack that seems to have been building 
over the course of a couple of years.


This did not require users to have xz invoked, nor even installed. The 
Linux kernel uses it for squashfs.

Debian and Fedora at least began the process to incorporate this.

The brew package manager for Macs actually did push it out, then rolled 
it back.


Kali Linux was distributing infected ISOs for a few days.


Major malware attack averted - barely.


rb
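The symptom described above (sshd spending its time in lzma) suggests the check an admin would want to run on their own hosts: does the sshd binary link liblzma, and does any running sshd have it mapped? This is an added example, not code from the original post; the sshd path and the sample ldd and /proc maps text used for testing are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side check for an
# sshd that pulls in liblzma. Note that on Debian-style systems sshd does
# not link liblzma directly; it arrives through libsystemd, which is the
# path the backdoor rode in on, so `ldd` (transitive) is the right tool.

# Return 0 if ldd-style output (read from stdin) lists liblzma, else 1.
ldd_lists_liblzma() {
    grep -q 'liblzma\.so'
}

# Print each distinct liblzma object mapped by a process, given its
# /proc/<pid>/maps text on stdin (columns: addr perms offset dev inode path).
mapped_liblzma_paths() {
    awk '$6 ~ /liblzma\.so/ { print $6 }' | sort -u
}

# Report on the live system. SSHD_BIN defaults to an assumed path.
check_live_sshd() {
    sshd_bin="${SSHD_BIN:-/usr/sbin/sshd}"
    if [ ! -x "$sshd_bin" ]; then
        echo "no sshd at $sshd_bin; nothing to check"
        return 0
    fi
    if ldd "$sshd_bin" 2>/dev/null | ldd_lists_liblzma; then
        echo "WARNING: $sshd_bin links liblzma; verify the installed xz package and its origin"
    else
        echo "$sshd_bin does not link liblzma"
    fi
    pids=$(pidof sshd 2>/dev/null || true)
    for pid in $pids; do
        paths=$(mapped_liblzma_paths < "/proc/$pid/maps" 2>/dev/null || true)
        [ -n "$paths" ] && echo "sshd pid $pid has liblzma mapped: $paths"
    done
    return 0
}

check_live_sshd
```

A positive result is not proof of compromise (liblzma is legitimately present on most systems); it tells you this host is in the exposed population and the xz package needs to be checked against your distribution's advisory.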