There's a huge backdoor (#CVE -2024-3094) allowing remote SSH access (as far as I can tell at this moment) caused by a util called #xz affecting a ton of systems (#Linux and #macOS, well not really) and it's causing quite a huge panic. I honestly don't know much about it just yet, but just sharing some pieces to read about the huge vulnerability.
The person who had maliciously planted this vulnerability into xz-utils, Jia Tan, has made at least 750 contributions to the project over the past 2 years. They even have direct push access to the code repo, allowing them to have pushed commits with forged authors. Being "free" from this vulnerability is not as simple as reverting to a previous version due to just how much and how long they've contributed to the project, and people are rightfully suspicious that this person might have hidden other backdoors in xz.
Unlike most other vulnerabilities, it's a lot harder to pinpoint versions affected by this but the most likely case is most systems out there have xz installed on their system that are impacted - which at this moment, the info being thrown around is any version past 5.3.1, 5.4.6, or 5.6.0 (latest is 5.6.1).
[REFER to post update below, Arch is most likely not affected] Mine, on #ArchLinux is certainly affected lol (people kept saying it most likely only affects #Ubuntu and #Fedora based distros):
❯ xz --version
xz (XZ Utils) 5.6.0
liblzma 5.6.0
Libraries installed on my system requiring xz (i.e. just about everything lol):
:: removing xz breaks dependency 'xz' required by base
:: removing xz breaks dependency 'xz' required by bind
:: removing xz breaks dependency 'xz' required by ffmpeg
:: removing xz breaks dependency 'xz' required by ffmpeg4.4
:: removing xz breaks dependency 'xz' required by file
:: removing xz breaks dependency 'xz' required by fsarchiver
:: removing xz breaks dependency 'xz' required by gdb
:: removing xz breaks dependency 'xz' required by grub
:: removing xz breaks dependency 'xz' required by imagemagick
:: removing xz breaks dependency 'xz' required by imlib2
:: removing xz breaks dependency 'xz' required by kmod
:: removing xz breaks dependency 'xz' required by lib32-xz
:: removing xz breaks dependency 'xz' required by libarchive
:: removing xz breaks dependency 'xz' required by libelf
:: removing xz breaks dependency 'liblzma.so=5-64' required by libelf
:: removing xz breaks dependency 'xz' required by libtiff
:: removing xz breaks dependency 'xz' required by libunwind
:: removing xz breaks dependency 'xz' required by libxml2
:: removing xz breaks dependency 'xz' required by libxmlb
:: removing xz breaks dependency 'xz' required by libxslt
:: removing xz breaks dependency 'xz' required by ostree
:: removing xz breaks dependency 'liblzma.so=5-64' required by ostree
:: removing xz breaks dependency 'xz' required by raptor
:: removing xz breaks dependency 'xz' required by systemd
:: removing xz breaks dependency 'xz' required by systemd-libs
:: removing xz breaks dependency 'xz' required by wxwidgets-common
:: removing xz breaks dependency 'xz' required by zstd
Let go and let God, I say. Free for all SSH open house.
UPDATE:
Saw some reports informing that this vulnerability was only bundled in the release tarballs, not in the #Git source itself - hence, Arch Linux should be safe since Arch builds/installs packages directly from source.
The backdoor also appears to to only run when built by the Debian build system or as an RPM package.
As far as I can tell, you're only impacted by this vulnerability only if:
Your distro sources/packages xz from their release tarballs rather than through the Git source directly.
The payload was only included for the #RPM or #DEB packaging, so unless your distro uses these - you're probably safe.
As far as I can tell, it also only affects x86 systems so #ARM based systems should be fine.
As far as I can tell, your system needs to be running #systemd to be impacted by this, so #Docker/#Podman#containers should mostly if not entirely be fine....? maybe.
In other news, people are currently investigating and evaluating other projects also actively contributed by the compromised developer, Jia Tan, including #libarchive.
People are also analysing the dev's commit history to deduce their background from their activity lol. They've been found to push commits during office hours Mon-Fri, every other Saturdays, presumably Public Holidays that seem to align with China's PH, and seems to be on GMT +8 locale.
Add comment