In case you have managed to avoid tech news for a couple of days, this is important: https://tukaani.org/xz-backdoor/
From one of the linked resources:
TL;DR:
Using a .deb or .rpm based distro with glibc and xz-5.6.0 or xz-5.6.1:
  - Using systemd on publicly accessible ssh: update RIGHT NOW NOW NOW
  - Otherwise: update RIGHT NOW NOW but prioritize the former
Using another type of distribution:
  - With glibc and xz-5.6.0 or xz-5.6.1: update RIGHT NOW, but prioritize the above.
More relevant to this chat, it is a great example of the hazards of shared-everything linking :smile:
and late-binding overly-configurable resolution -- IIRC the exploit uses weird features of ld.so (audit hook? overriding symbols?) to hook into the auth path
and allowing binaries in the repo, even test binaries
i think it uses IFUNCs
it's really a fascinating journey; a microsoft employee that works on postgres noticed a slightly (in terms of wall clock) slower than normal auth in his sshd and decided to perf it rather than shrug, and here we are
and luckily done before it hit stable channels in distros
seemingly years of work by this attacker undone by a dev that said "huh, no symbol for this function in the hot path; i should look into that"
makes one wonder just how frequently we haven't been so lucky
also, the attacker was quite sophisticated; i saw one of his commits that was related to "fixing" a check for sandboxing support in xz, which from the commit message and the changes themselves seemed entirely plausible, but the test program contained a period in a very hard to spot location which would have caused a failure to compile, disabling the use of the API
The best summary I have found is in this blog that will perhaps be kept updated for a while:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
And the original xz's author's status page, where he says he'll provide updates in the next week:
https://tukaani.org/xz-backdoor/
Yes, the IT community around the world is lucky a Microsoft employee, frequent PostgreSQL contributor, wondered why his ssh was taking a half second to authenticate and he knew how to dig in to figure it out.
And will make one wonder any time a new account is created that immediately starts complaining about things.
Peter Huene wrote:
it's really a fascinating journey; a microsoft employee that works on postgres noticed a slightly (in terms of wall clock) slower than normal auth in his sshd and decided to perf it rather than shrug, and here we are
It is also an example of why it might be good to have micro benchmarks.
Last updated: Jan 24 2025 at 00:11 UTC