Comment

Comment on How does the xz incident impacts the average user ? #xz

Quick summary:

only impacts Debian and Linux distributions that utilize RPM for packages
only impacts cases where liblzma is compiled from a tarball, rather than cloned source repository or precompiled binary
only impacts x64 architecture
introduced in liblzma 5.6.0 which was released in late February so only impacts installs receiving updates to liblzma since then

liblzma is a library for the lzma compression format. Loosely, this means it’s used by various other pieces of software that need this type of compression, rather than being an application itself.

It is very widely used. It comes installed on most major Linux distributions and is used by software like openssh, one of the standard remote connection packages.

However, since it was only in the tarball, you wouldn’t see it widely until debian, fedora, et al release a new version that includes the latest liblzma updates. This version hadn’t been added to any of the stable release channels yet, so the typical user wouldn’t have gotten it yet.

I believe this would have gone out in debian 12.6 next week, and the attacker was actively petitioning fedora maintainers to get it added to fedora 40 & 41

The interesting thing about this situation was how much effort the attacker put in to gain trust just to get to the point where they could do this, and how targeted the vulnerability seems to have been. They tried very hard to reduce the likelihood of being caught by only hitting a limited set of configurations

source

Sort:hotnew top

Jimmycrackcrack@lemmy.ml ⁨7⁩ ⁨months⁩ ago
I’m still confused exactly what the circumstances would be where this worked as the attacker intended. Would simply having the infected liblzma version on the system create the vulnerability or does something have to happen to invoke it and then what? What’s he chain of events that would have happened had this worked perfectly and gone undetected? I tried to read some of the more detailed analysis but the stuff went way over my head.

Also, what about Mac OS? Can the package create any vulnerability there if installed via homebrew as it’s reported to have done in some cases? Or is that environment also not right for it to work?

source
- neatchee@lemmy.world ⁨7⁩ ⁨months⁩ ago
  Here’s how it was intended to work:
  
  debian, fedora, or another RPM-based distribution updates references to liblzma to 5.6.x in their latest release
  
  the package repository is updated (usually through automation) by getting the infected tarball and compiling it into an RPM which is added to the repo
  
  if the package is built using glibc and the gnu linker, and for a system that uses systemd, the exploit is enabled during compilation of the x86-64 version of the package; otherwise the result is normal
  
  when an application is installed that depends on liblzma, possibly during OS installation itself, the infected RPM package from the package repository is downloaded and installed
  
  in this particular case, OpenSSH was the primary target; if the attacker wanted to, it could have targeted any web-facing service that uses liblzma such as OpenSSL + Apache/nginx, etc
  
  when the OpenSSH server is started on an infected system, it loads the infected liblzma binary
  
  the attacker starts an SSH connection to the infected server, having already known about the server or by scanning the internet for visible ssh servers
  
  during creation of the SSH connection, one of the steps is to negotiate encryption using an RSA key. The attacker uses a specially formed RSA key only available to the attacker that also contains a chunk of code (the “payload”) that they want executed on the server
  
  liblzma is utilized to compress data in transit; when the infected liblzma decompresses the RSA key on the server, the exploit recognizes the attacker’s special RSA key and executes the payload on the host system. Otherwise, the ssh session continues as normal
  
  source
  - NeatNit@discuss.tchncs.de ⁨7⁩ ⁨months⁩ ago
    Thank you! I believe this is what the OP was asking, and it’s definitely what I wanted to know :)
    
    Do we know what the payload is?
    
    source
    neatchee@lemmy.world ⁨7⁩ ⁨months⁩ ago
    Arbitrary. It could be whatever they wanted at any time
    
    source