PLEASE. I keep seeing it in memes. As I understand it the latest version of the xz
package (present in rolling release distros like Arch and SUSE Tumbleweed) has “a backdoor”, but I have no earthly clue what can be done by malicious folks with access to that backdoor or if I should be afraid or how to check if my distro is compromised or how to prevent damage if it is or (…)
My system is too broken for this malware to work. I use Arch btw.
Based on this very handy HN comment the long and short of it is that it would probably only have been a problem if you were running:
-
A very recent version of liblzma5 - 5.6.0 or 5.6.1. This was added in the last month or so. If you’re not on a rolling release distro, your version is probably older.
-
A debian or RPM based distro of Linux on x86_64. In an apparent attempt to make reverse engineering harder, it does not seem to apply when built outside of deb or rpm packaging. It is also specific to Linux.
-
Running OpenSSH sshd from systemd. OpenSSH as patched by some distros only pulls in libsystemd for logging functionality, which pulls in the compromised liblzma5.
So if all of those weren’t true for you, you’re most likely fine. Not a guarantee though since the backdoor’s still being analyzed and that comment is a couple of days old, but as far as I can tell it’s still reasonably accurate.
This doesn’t answer the question: what is the purpose behind adding the vulnerability? What specific things are vulnerable? What could it be used to do?
To allow somebody to change how the encryption between a server and client is handled so the communication can be intercepted. Either by putting a thumb on the scale for the cipher used or outright using a particular key that is known by an attacker.
E.g. to make a man in the middle or even passive traffic capture attack possible so they can choose to intercept supposedly secure traffic when they want to
I don’t know if the full extent of what it can be used for it known yet. Just that how they hook the calls for the traffic allows for some pretty nasty scenarios.
I literally just gave you a list of what’s vulnerable: Debian / RPM -based distros on x86_64 Linux that installed new versions of liblzma5 (which are so new that likely only rolling release distros had them), running OpenSSH sshd via systemd.
As to what it could be used to do and what its purpose is, well, the backdoor’s still being analyzed. Seems to be for remote code execution, ie. the attacker could theoretically execute code on a backdoored machine.
I’ve been wondering if there’s some kind of notification code that let’s the bad actor know they’ve successfully infected someone. Otherwise what’s the plan, trawl the entire IP space for devices your key can access? Wouldn’t it need UPNP or some other method to reach most people’s systems?
I think the intention probably wasn’t to get into Jane Q. Public’s home computer, but was aimed at being able to infiltrate more high value targets – corporations, governments etc. While I haven’t kept up with the latest findings in this, I’d guess the intention was to have the backdoor spread widely enough that you really wouldn’t need to scan for targets – Debian and distros that use RPM are very popular after all.
It’d definitely require the target to have their sshd open to the world, but that’s not uncommon at all unfortunately.
-
Listening to Клетка while reading about this situation feels so cyber-esque.
Chances are very, very high, that you are not nearly interesting enough to warrant someone utilizing said back door to discover your stash of furry lewds. The primary target for an exploit like this, is either nation state level (industrial/political espionage, tampering with financial markets, etc.) or criminal enterprise level going after high value targets. Trying to dragnet every random whoever to see if they have data worth compromising wouldn’t be much of a money maker.
That said, this is one of the dangers of using a rolling release. I was running endeavourOS and was likely exposed to the back door for a while. I’ve since switched back to Fedora, which was only exposed on its testing branch (rawhide).
The backdoor’s probably not “installed” on anything but Debian & distros that use RPM so Arch would probably have been fine just due to that alone, see eg. this HN comment which summarizes things pretty well.