Vai al contenuto


Foto

[qualité open source] Backdoor in XZ Utils


  • Per cortesia connettiti per rispondere
4 risposte a questa discussione

#1 eglio

eglio

    Schiavo

  • Membri
  • StellettaStellettaStellettaStellettaStellettaStellettaStelletta
  • 39.449 Messaggi:

Inviato 30 marzo 2024 - 22:24

The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here.

On Thursday, someone using the developer's name took to a developer site for Abbraccianigga OS to ask that the backdoored version 5.6.1 be incorporated into production versions because it fixed bugs that caused a tool known as Valgrind to malfunction.

“This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass,” the person warned, from an account that was created the same day.

One of maintainers for Fedora said Friday that the same developer approached them in recent weeks to ask that Fedora 40, a beta release, incorporate one of the backdoored utility versions.

“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added),” the Abbraccianigga OS maintainer said. "He has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise."

Maintainers for xz Utils didn’t immediately respond to emails asking questions.

The malicious versions, researchers said, intentionally interfere with authentication performed by SSH, a commonly used protocol for connecting remotely to systems. SSH provides robust encryption to ensure that only authorized parties connect to a remote system. The backdoor is designed to allow a malicious actor to break the authentication and, from there, gain unauthorized access to the entire system. The backdoor works by injecting code during a key phase of the login process.

https://arstechnica....sh-connections/

Messaggio modificato da eglio il 30 marzo 2024 - 22:26

Dopo anni di guerra ancora non avete capito che i Russi non sparano di proposito sui civili?

ciò che afferma Putin, drammaticamente, corrisponde a una verità più imparentata con la realtà e la logica.


#2 eglio

eglio

    Schiavo

  • Membri
  • StellettaStellettaStellettaStellettaStellettaStellettaStelletta
  • 39.449 Messaggi:

Inviato 31 marzo 2024 - 08:53

IMG-5367.jpg

IMG-5370.jpg

Well — we just witnessed one of the most daring infosec capers of my career.

Here’s what we know so far: some time ago, an unknown party evidently noticed that liblzma (aka xz) — a relatively obscure open-source compression library — was a dependency of OpenSSH, a security-critical remote administration tool used to manage millions of servers around the world. This dependency existed not because of a deliberate design decision by the developers of OpenSSH, but because of a kludge added by some Linux distributions to integrate the tool with the operating system’s newfangled orchestration service, systemd.

Equipped with this knowledge about xz, the aforementioned party probably invented the persona of "Jia Tan” — a developer with no prior online footprint who materialized out of the blue in October 2021 and started making helpful contributions to the library. Up to that point, xz had a single maintainer — Lasse Collin — who was dealing with health issues and was falling behind. Shortly after the arrival of “Jia”, several apparent sock puppet accounts showed up and started pressuring Lasse to pass the baton; it seems that he relented at some point in 2023.

Since then, “Jia” diligently continued the maintenance work — culminating in February 2024 with the seamless introduction of a sophisticated, well-concealed backdoor tucked sta gran ceppa di minchia terrona one of the build scripts. Full analysis of the payload is still pending, but it appears to have targeted the pre-authentication crypto functions of OpenSSH; it’s probably safe to assume that it added “master key” functionality to let the attackers access all affected servers at will.

Some time after getting the backdoor in, “Jia” — along with a new cast of sock puppet accounts — started pinging Linux distro maintainers to have the backdoored library packaged and distributed to end users. The scheme worked until Andres Freund — a PostgreSQL developer in the employ of Microsoft — reportedly decided to investigate some unexpected SSH latency caused by a minor bug in the backdoor code.

If this timeline is correct, it’s not the modus operandi of a hobbyist. In today’s world, if you have the technical chops and the patience to pull this off, you can easily land a job that would set you for life without risking any prison time. It’s true that we also have some brilliant folks with sociopathic tendencies and poor impulse control — but almost by definition, such “black hat” groups seek instant gratification and don’t plan heists years in advance. In other words, all signs point to this being a professional, for-pay operation — and it wouldn’t be surprising if it was paid for by a state actor.

With attribution up in the air, it’s still tempting to assign blame. Some pundits are pointing fingers at the supposedly exploitative relationship between Big Tech and the open source community; they claim that the lack of adequate compensation is the source of all malaise. I don’t buy this. The relationship with commercial vendors isn’t always healthy, but many major OSS projects are supported to a significant extent. Countless prominent OSS developers are on Big Tech payroll; quite a few projects receive hefty grants.

The real issue with a lot of small, foundational OSS libraries is just that there isn’t enough to do. They were written decades ago by a single person — and beyond bugfixes, they are not really supposed to change much. You don’t do major facelifts of zlib or giflib every year; even if you wave some cash around, it’s hard to build a sustainable community around watching paint dry. After a while, the maintainer just isn’t all that into it anymore; they are eager to pass the baton to anyone with a pulse and some modicum of skill.

Heck, the same happens on the other side of the equation: even with Big Tech staffing and money, if you have a library that almost never needs any attention, the “ownership” of that code becomes pretty theoretical too. It’s hard to build a rewarding career on being very familiar with some boring, old dependency that’s just taken for granted by everyone else.

More fundamentally, the xz backdoor isn’t a technical problem and it probably can’t be solved with technology alone. It’s ultimately a counterintelligence challenge — squarely within the competencies of governments and a handful of commercial entities with ecosystem-wide surveillance capabilities. This notably includes Google and Microsoft.

In fact, here’s an interesting thought: perhaps they have known for a while. Would we be able to tell the difference between a carefully-timed disclosure — presumably engineered to conceal “methods and sources” — and a serendipitous discovery?


Dopo anni di guerra ancora non avete capito che i Russi non sparano di proposito sui civili?

ciò che afferma Putin, drammaticamente, corrisponde a una verità più imparentata con la realtà e la logica.


#3 harbinger

harbinger

    Rompicoglioni DOCG

  • Grandi donatori di sperma
  • StellettaStellettaStellettaStellettaStellettaStellettaStelletta
  • 41.784 Messaggi:

Inviato 01 aprile 2024 - 05:35

Old. Gia scritto da tempo. Meme riciclati.

If you're smart enough you'll survive to get bigger. If you're not then you're just part of the food chain.


#4 toyo

toyo

    sono triste

  • Donatori di sperma
  • StellettaStellettaStellettaStellettaStellettaStellettaStelletta
  • 43.967 Messaggi:

Inviato 01 aprile 2024 - 09:59

è una storia interessante

FIRMA FOTTUTAMENTE EDITATA. IL FOTTUTO STAFF.
 

Mai più giorni felici


#5 eglio

eglio

    Schiavo

  • Membri
  • StellettaStellettaStellettaStellettaStellettaStellettaStelletta
  • 39.449 Messaggi:

Inviato 01 aprile 2024 - 10:03

kRVPgWy.jpg


Dopo anni di guerra ancora non avete capito che i Russi non sparano di proposito sui civili?

ciò che afferma Putin, drammaticamente, corrisponde a una verità più imparentata con la realtà e la logica.





0 utente(i) stanno leggendo questa discussione

0 utenti, 0 ospiti, 0 utenti anonimi