Off topic: SSH security backdoor

rabler

Addlepated tinkerer
H-M Lifetime Diamond Member
Joined
Feb 25, 2021
Messages
3,130
Completely off topic for this forum, but an intentional backdoor built into the openssh code found on many Linux devices. Fortunately it appears it was caught before making its way into popular devices, although the Mac's "HomeBrew" was apparently vulnerable before a patch that just came out:
Dang, that's wonderful news, especially for those of us who are not qualified to use Linux at all, yet are muddling our way through anyhow, using Linux in protest of other options...

Here's what I've got-

What's Cool: While it "could" affect most any distro, it's mostly limited to a very unlucky few. They found it before any big releases. It's mostly for remote access stuff, so not too commonly used outside of industry, although...... It's free on the internet, there's probably a few folks with reasons. And hasn't made it (or barely made it) into some Redhat stable release stuff. Primarily the issue will be people using betas and unstable releases in a business environment. Little to no release of those versions that wasn't a "user initiated" thing.

What's Not Cool: One guy who "apparently" (not "for surely") is/was one of two people on that project was able to get this very complicated, and apparently somewhat ingenious, bit of code in there over several installments. He's been working on the project for a lot of years, allegedly, although this appears pretty recent and localized. I still can't tell if we know who he is, or if we just know his handle on the internet..... Or if it's even a "he". The usual sources seem to think it's a "he"....

Scary Stuff:
That's a small pool of people working on an open source project if you're gonna invoke "open source" as a security feature...
I'm quite surprised that while not released, this code was available publicly, for so long, and nobody caught that. It must have been well buried in there...
It got found because people were using the beta downloads to gain (legitimate) access to remote business servers. Whiskey Tango Foxtrot, why would you do that? That has got to be the biggest case yet for "DO NOT USE THE FREAKIN BETAS AND NIGHTLYS FOR ANYTHING THAT HAS CONSEQUENCES!!!! They are called unstable for a reason, and expressly NOT supported by the "security department". How can somebody clever enough to run these early releases not understand why they can't be used that way?

Anyhow... Low likelihood of having it on a personal PC, but a possibility on most versions of Linux. I'll guarantee there's a few out there. If you know what to do, great. If not, you can check from the command prompt.


Command prompt-

"xz -v" seems to be the most common.

"xz -ver" is out there a bunch

"xz --version" worked for me

Or a quick google of your distro will find that version command for your Linux version.. The xz version 5.6.0 and 5.6.1 are the problem. Prior to that, no worries. As of today there are no newer versions, so as they come out, they'll be good.
Fortunately this was found before any significant impact, so it is more of an academic interest than a problem. But it does point to a weakness in the open source community when sophisticated packages are put together.

The actual compromise is pretty insidious and was introduced in several steps to hide its nature. Normally binary code is not included as part of an open source repository, but this was snuck into "test" data and then unpacked through later additions to the build process. In this case, one program (xz utils and libraries) was used to compromise another program (systemd) in a way that affects a third program (sshd). It was available in released source code for about a month, so it wasn't present that long before, luckily, someone caught it. Normally only maintainers and active developers of that project see the code before release. Given the wide use of ssh in not only desktop and server Linux distributions but in embedded Linux devices (everything from wifi routers, 3D printers, etc.), it had the potential to be catastrophic, so it is fortunate it was caught quickly.

The reality is that open source code can be reviewed by anyone, but being free code there is no guaranteed review process. I have seen some discussion that the open source community is starting to suffer from a lack of people volunteering to maintain code, where those are the people that review changes to a given project and approve them for release. To me this appears to be a sophisticated attempt to capitalize on that issue.

On a speculative note, personally I suspect this could be the results of an organized group rather than an individual. I doubt they'll be able to trace it to anyone though, internet identities are pretty vague. Someone hoping to use something like this for ransomware, etc, would know how to hide their tracks.

edited to add: here is a good description of the technical details
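Pulling together the version check from the earlier post and the sshd -> libsystemd -> liblzma chain described just above, here is a small script that does both checks in one place. This is an added example, not code from any of the posters or from the xz or OpenSSH projects. It assumes `xz --version` prints an "xz (XZ Utils) X.Y.Z" line followed by a "liblzma X.Y.Z" line (the sample output in the comments is constructed), that sshd lives at /usr/sbin/sshd unless you pass another path, and that `ldd` is available; the script name xz_check.sh used in the run guard is also an assumption.

```shell
#!/bin/sh
# xz_check.sh (assumed name): added example, not from the thread or the xz project.
# 1. Does the installed xz/liblzma report one of the backdoored 5.6.0 / 5.6.1 releases?
# 2. Does the sshd binary actually pull liblzma into its address space (on the
#    affected distros the chain is sshd -> libsystemd -> liblzma)?

# Take the version number from the first line of `xz --version` output.
# Constructed sample of that output:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
parse_xz_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF; exit }'
}

# The library is what sshd would load, so prefer the "liblzma X.Y.Z" line when present.
parse_liblzma_version() {
    printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }'
}

# True (exit 0) only for the two releases that shipped the backdoor.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if sshd links liblzma (directly or transitively), 1 if it does not,
# 2 if the check could not be run (no such binary, or no ldd).
sshd_links_liblzma() {
    sshd_path=${1:-/usr/sbin/sshd}
    if [ ! -x "$sshd_path" ]; then
        echo "no sshd binary at $sshd_path, skipping link check"
        return 2
    fi
    if ! command -v ldd >/dev/null 2>&1; then
        echo "ldd not available, skipping link check"
        return 2
    fi
    if ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'; then
        echo "$sshd_path links liblzma: $(ldd "$sshd_path" | awk '/liblzma/ { print $3 }')"
        return 0
    fi
    echo "$sshd_path does not link liblzma"
    return 1
}

main() {
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null)
        ver=$(parse_liblzma_version "$out")
        [ -n "$ver" ] || ver=$(parse_xz_version "$out")
        if is_backdoored_xz_version "$ver"; then
            echo "liblzma $ver: one of the backdoored releases, update or downgrade now"
        else
            echo "liblzma $ver: not one of the known bad releases"
        fi
    else
        echo "xz is not installed, nothing to check"
    fi
    sshd_links_liblzma "${SSHD_PATH:-/usr/sbin/sshd}" || true
}

# Run the checks only when executed as a script, so the functions can also be sourced.
case "${0##*/}" in
    xz_check.sh) main ;;
esac
```

Run it as `sh xz_check.sh` (or `SSHD_PATH=/path/to/sshd sh xz_check.sh` if sshd lives elsewhere). A version that is not 5.6.0 or 5.6.1 is the good case; a 5.6.x version combined with sshd that links liblzma is the case worth acting on. One caveat: the version string only catches the two known bad releases, and distributions that reverted or patched their package may still label it 5.6.x, so compare against your distribution's advisory rather than trusting the number alone.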
Thank you gentlemen for having this discussion.
I have much to learn

I've got to thank all the folks on the internet at large as well. Just as we on this site, while there may be other common interests, we, here, have congregated around metalworking as a hobby. Many have taken on open source software (in this case, Linux) as a hobby. For a project as "out there" as Linux, there are more people who truly understand Linux than there are who truly understand Windows at the same level.

I don't know why they do what they do (any more than they know why I do what I do), but they, and their love of their jobs, or often just hobbies, are the reason that I am able to do this Linux thing. All I'm doing is poking a stick at the Windows establishment, which is so big that it doesn't even know there's a stick being poked at it, but I still like doing it. I am amazed at how they do what they do.
For some reason I think there was a problem with SSH about 5 or 6 years ago. I don't remember exactly, but I believe there was another issue.
I used SSH for many of my unix and linux logins from machine to machine. Getting rust on the memory at this point.

edit: and remote executions.
Nowadays it is difficult. Stay updated with security-only updates, don't install packages you don't need; anyway, way better than Windows.
Thanks for posting the information and command. (xz -V worked for me.) I checked my computers.

I found that I have version 5.4.6 liblzma on my PCLinux workstation and version 5.4.4 on my pfSense FreeBSD firewall computer. Should not be a problem.
I consider it validation of the open-source concept that we have a fix, and before major distribution at that. There are a lot of computer security researchers out there, and needless to say, it's a lot easier to research security when you can see the code.

How many severe Windows security flaws have been discovered? I don't have enough fingers...

GsT