Secret Backdoor Found in Major Linux Distros

Naperville
Member
Posts: 4440
Joined: Sun Feb 04, 2018 2:58 am
Location: Illinois, USA

Secret Backdoor Found in Major Linux Distros

#1

Post by Naperville »

I support the 2nd Amendment Organizations of GOA, NRA, FPC, SAF, and "Knife Rights"
T2T: https://tunnel2towers.org; Special Operations Wounded Warriors: https://sowwcharity.com/

Re: Secret Backdoor Found in Major Linux Distros

#2

Post by Naperville »

More information about this issue:

XZ Utils Hack

Re: Secret Backdoor Found in Major Linux Distros

#3

Post by Naperville »

From my SANS Security Digest that just arrived:

Malicious Code Found in xz utils
(March 29 & April 1, 2024)

Both Red Hat and the US Cybersecurity and Infrastructure Security Agency (CISA) have warned of embedded malicious code in xz utils data compression library versions 5.6.0 and 5.6.1. CISA recommends downgrading to an unaffected version of the library. Researcher Andres Freund reported the vulnerability to Openwall on Friday, March 29.

Editor's Note

[Ullrich]
Luckily, this can be classified as a win for the good guys. But the danger to the supply chain is real. Not only was the backdoor very unique and sophisticated, but it was supported by a long-term social engineering campaign at least as complex as the backdoor itself. Take a minute this week and send a thank-you note to an open source project that made a difference for you.

[Honan]
This incident brings strong echoes of Ken Thompson's famous paper, “Reflections on Trusting Trust”. If you have not read it, I strongly recommend you do.

www.cs.cmu.edu: Reflections on Trusting Trust (PDF)
[Dukes]
This attack would have been highly effective if not for an engineer’s curious mind. Of note is the use of an advanced cryptographic scheme that ensures only they can use the bug for attack – a level of sophistication often found in nation-state backed operations. While the focus will be on the integrity of open-source software, it’s also a reminder for product vendors and the security controls they have in place for software configuration management.

[Murray]
APT-class actors have discovered the potential efficiency of the supply chain. We must hold suppliers accountable for shipping malicious code. Open source is an easy target and a big risk. At a minimum, we should require open source contributors to sign their work and include an SBOM for any code that they reuse.

[Frost]
What makes this one different is the sophistication and the targeting. This hidden code only appeared on compilation through an M4 macro and within the test trees. This requires a high degree of understanding of how to manipulate compiled binaries in systems. It appears that this was targeting xz’s use in SSH on specific systems. This would be a very innocuous and hard-to-understand backdoor in one of the most critical and trusted secure protocols that we rely on.

Read more in:
- nvd.nist.gov: CVE-2024-3094 Detail
- www.openwall.com: backdoor in upstream xz/liblzma leading to ssh server compromise
- access.redhat.com: CVE-2024-3094
- www.redhat.com: Urgent security alert for Fedora Linux 40 and Fedora Rawhide users
- www.cisa.gov: Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094
- www.nextgov.com: CISA sounds alarm on deep-seated vulnerability in Linux tool
- arstechnica.com: What we know about the xz Utils backdoor that almost infected the world
- www.scmagazine.com: Backdoor in utility commonly used by Linux distros risks SSH compromise
- therecord.media: Malicious backdoor code embedded in popular Linux tool, CISA and Red Hat warn
- www.theregister.com: Malicious SSH backdoor sneaks into xz, Linux world's data compression library
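The digest above names the two affected xz utils releases (5.6.0 and 5.6.1) and says CISA recommends downgrading, and the Frost note says the backdoor targeted xz's use in SSH. The script below is an added example, not code from the thread or from SANS, CISA or Red Hat: it turns those two facts into a host check a defender can run. It assumes the upstream `xz --version` banner format ("xz (XZ Utils) X.Y.Z" on the first line) and that `ldd` is available for the informational sshd check; a version not in the affected pair is reported only as "not one of the two named releases", not as safe.

```shell
#!/bin/sh
# Added example (not from the thread, SANS, CISA or Red Hat): check a host for
# the two xz utils releases named in the advisories, 5.6.0 and 5.6.1, and note
# whether sshd loads liblzma, the library the digest says was targeted via SSH.
# Assumption: `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line.

# is_affected_xz_version VERSION
# True (exit 0) only for the two releases the advisories name.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# xz_version_from_banner BANNER
# Pulls the version number out of the first line of `xz --version`.
xz_version_from_banner() {
    # "xz (XZ Utils) 5.6.1" -> "5.6.1"
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# installed_xz_version
# Prints the installed xz version; fails (exit 1) when xz is not installed.
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    xz_version_from_banner "$(xz --version 2>/dev/null | head -n 1)"
}

# sshd_links_liblzma
# Informational: true if the sshd binary on this host is linked against liblzma.
# Uses /usr/sbin/sshd as the fallback path when sshd is not on PATH.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || sshd_path=/usr/sbin/sshd
    [ -x "$sshd_path" ] || return 1
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

# report: print a one-line verdict for the installed xz, plus the sshd note.
report() {
    v=$(installed_xz_version) || { echo "xz is not installed on this host"; return 0; }
    if is_affected_xz_version "$v"; then
        echo "xz $v is one of the affected releases (5.6.0/5.6.1); downgrade per the CISA/Red Hat advisories"
    else
        echo "xz $v is not one of the two named affected releases"
    fi
    if sshd_links_liblzma; then
        echo "note: sshd on this host loads liblzma; confirm the liblzma version as well"
    fi
}

report
```

The version comparison is deliberately an exact match on the two releases the advisories list rather than a range, so the script never claims a version is clean; it only tells the operator whether the installed build is one of the named ones and whether sshd pulls in liblzma at all.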

Re: Secret Backdoor Found in Major Linux Distros

#4

Post by Naperville »

This is really a huge deal.

Over a 3-year period, a group of talented programmers (probably employed by Russia or China) plotted to get into a position where they could insert complex code into open source projects to undermine the security of millions of people and corporations globally. They got caught! Had they not been caught they would have been able to spy on and steal data from tens if not hundreds of millions of Linux users (end users, corporations and governments).

YouTube live discussion 04/04/2024.

OregonTimber
Member
Posts: 4
Joined: Fri Apr 05, 2024 8:20 am

Re: Secret Backdoor Found in Major Linux Distros

#5

Post by OregonTimber »

I've been a Linux user off and on since the mid 90's. I've noticed that many distros have basically vanished / lost support. It's interesting to see the SaaS cloud "apps" now available... Linux has been looking more like a Mac or Android. I get the feeling data leakage and backdoors are probably in place for most current distros. Qubes, if set up correctly, seems to be pretty secure. But that goes for several other distros. It's a shame because personal security really should be fairly paramount for everyone, especially with the ramp up of "AI".
“Hunting isn't a matter of life or death. It's much more important than that.” - Red Green | Bend, Oregon USA