CVE-2024-3094 - SSH vulnerability

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222

Looks like it was a malicious user shoving a PR into the code under the radar of the other developers?
Yeah, as of now it appears to be so.
 
Joined
Oct 22, 2019
Messages
3,641
Apparently, even Arch Linux package maintainers believe this "Jia Tan" is untrustworthy.

(Screenshot attached: jia-tan.png)


They claim that they're using an alternative upstream source for XZ (since the GitHub project has been closed), in which this (intentional?) vulnerability has been reverted.


Lasse Collin published a page about this incident on his website.


There's speculation that "Jia Tan" could be an alt account for Lasse Collin? Or even that they're "friends" with each other. :oops: (No proof or evidence that I know of yet.) If so, that makes things extra... awkward. (Both being suspended from GitHub may just be a precautionary move by GitHub itself.)
 
Joined
Oct 22, 2019
Messages
3,641
Discussion on Hacker News: https://news.ycombinator.com/item?id=39865810

TL;DR: This "Jia Tan" contributed a lot of code to XZ that goes much further back, which calls into question whether other vulnerabilities still remain within xz, even if this particular one is reverted / patched. (It's easy to "hide" malicious code in an ocean of complexity.)

I count a minimum of 750 commits or contributions to xz by Jia Tan, who backdoored it.

This includes all 700 commits made after they merged a pull request on Jan 7, 2023, at which point they appear to have already had direct push access, which would have also let them push commits with forged authors.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
Yup. According to arstechnica:
The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project. [...]
On Thursday, someone using the developer's name took to a developer site for Ubuntu to ask that the backdoored version 5.6.1 be incorporated into production versions because it fixed bugs that caused a tool known as Valgrind to malfunction. “This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass,” the person warned, from an account that was created the same day. One of the maintainers for Fedora said Friday that the same developer approached them in recent weeks to ask that Fedora 40, a beta release, incorporate one of the backdoored utility versions. “We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added),” the Ubuntu maintainer said. "He has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise."
 
Joined
Oct 22, 2019
Messages
3,641
I'm 99% sure this is a malicious actor with nefarious purposes. There's too much enthusiastic intention to push a seemingly innocuous compression tool update into major distros (and likely into embedded devices as well).
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
The really grave thing is the groundwork laid in the years before to establish the developer's credibility. This looks premeditated.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Someone definitely played the long game.

FreeBSD is not affected because SSH in base is not linked against liblzma. From what I understood, it's not even common in Linux, but some distributions link in certain systemd support that in turn has liblzma as a dependency.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
On one hand, this is scary. On the other hand, not entirely unexpected.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
(Screenshot attached, 2024-03-30)
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Yeah, wow. I had read about this elsewhere. Seems like a lot of people are in a panic to know where this is and isn't a problem.
Perfectly understandable.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I just sent this to the freebsd-stable mailing list:
1. The point of this backdoor is - to my knowledge - to get a rogue login via SSH.

2. The mechanism relies on the compromised liblzma being linked with sshd.

3. Which is the case for some Linux distributions because they pull in some extra functions for better systemd integration, which then pulls in liblzma as a dependency.

4. FreeBSD is - to my knowledge - not susceptible to this attack because our sshd is not linked to the compromised library at all.

5. Even if you installed a supposedly compromised xz from ports, there are probably no ill consequences.

Caveat emptor: this is my personal assessment of the situation. This is not in any way a carte blanche regarding the security of any mission critical systems you might be running.

Still, among us fellow admins: I sleep well, no worries. Trust me or don't - go about the issue with the scrutiny your occupation demands.
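As an added example (not code from the thread or from the xz project), here is a POSIX shell check that turns points 2 and 4 above into something a Linux admin can run: does the local sshd link liblzma at all, and is the installed xz one of the affected upstream releases (5.6.0 or 5.6.1)? It assumes sshd lives at /usr/sbin/sshd and that `ldd` and `xz --version` are available; the sample ldd output is constructed, with placeholder addresses.

```shell
#!/bin/sh
# Added example, not from the thread or the xz project: a defender's two-part
# check for CVE-2024-3094 on a Linux host, following the mechanism described above.
#  1) Is liblzma loaded into sshd at all (the precondition for the backdoor)?
#  2) Is the installed xz one of the affected upstream releases, 5.6.0 or 5.6.1?
# Both checks are plain functions over text so they can be exercised on
# constructed input; the live section at the bottom runs only if the tools exist.

# sshd_links_lzma: read `ldd sshd` output on stdin; succeed if liblzma is among
# the resolved libraries (directly or pulled in transitively via libsystemd).
sshd_links_lzma() {
    grep -q 'liblzma\.so'
}

# xz_version_affected VERSION: succeed only for the backdoored upstream releases.
# Distribution suffixes such as "-r1" (Gentoo) or "-1ubuntu1" are stripped first,
# so "5.4.6-r1" from the Gentoo post in this thread compares as 5.4.6.
xz_version_affected() {
    v=$(printf '%s' "$1" | sed 's/[-+_].*$//')
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample ldd output (addresses are placeholders), shaped like a
# systemd-integrated Linux sshd versus one built without that integration.
SAMPLE_LDD_LINKED='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)'
SAMPLE_LDD_CLEAN='	libcrypto.so.3 => /lib/libcrypto.so.3 (0x0000)
	libc.so.7 => /lib/libc.so.7 (0x0000)'

# Live check against this host (assumed sshd path), skipped where tools are absent.
check_host() {
    if [ -x /usr/sbin/sshd ] && command -v ldd >/dev/null 2>&1; then
        if ldd /usr/sbin/sshd 2>/dev/null | sshd_links_lzma; then
            echo "sshd links liblzma: the backdoor's precondition is present"
        else
            echo "sshd does not link liblzma"
        fi
    fi
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version | awk 'NR==1 {print $NF}')   # first line: "xz (XZ Utils) X.Y.Z"
        if xz_version_affected "$ver"; then echo "xz $ver is an affected release"
        else echo "xz $ver is not one of the affected releases"; fi
    fi
}

check_host
```

A host where sshd does not link liblzma (FreeBSD base, or a Linux build without the systemd notification glue) passes the first check regardless of which xz version is installed, which is exactly point 5 above.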
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
I checked my home Linux distro, Gentoo, and it does not seem to use the affected library in SSH. The current version of the XZ utilities I have loaded is 5.4.6-r1, which is below the known compromised version. However, because of commits from the same submitters in versions later than 5.4.2, Gentoo is rolling back to 5.4.2. (Aka mask all newer versions of the XZ utilities for the moment.) I'll have to schedule an extra update soon.

Of course, in my case, I continue to use Gentoo because != systemd.
 

Koop

Explorer
Joined
Jan 9, 2024
Messages
59
The malicious code has been found in the XZ project's source packages beginning with release 5.6.0. TrueNAS Scale 24.04 & TrueNAS Scale 23.10 are both running version 5.4.1.

Nice.

Something something "TrueNAS is an appliance" woohoo.
 
